Cursor Software Tracks You On Web
fabrini writes "That cute little animated Comet Cursor, that some websites try to send you when you visit their site, is actually doing more than impressing the kids. It's also tracking your activity on over 60,000 websites using a unique serial number -- and all without asking."
When will these people learn? I hope they are expecting a HUGE backlash from the community!
For any lawyers out there, is there a reasonable basis for legal action if these accusations are true? Maybe it's time we did more than just complain and flame about it?
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another man's flamebait)
I honestly believe that they think everyone is a complete and total moron and just won't find out about crap like this.
Either that, or they really WANT people to hate them.
Fish! LipHo
We really need to get a group together that specializes in detecting this kind of activity. You know that it's going to get harder to detect this kind of activity as the network evolves.
Airgap baby. It's the only way we can be sure.
"a powerful and unexpected ally..."
They say they don't use it,
So why do they waste bandwidth/storage space collecting it?
Slowly closed source software is shooting itself in the foot with all these "trojans" that they add, but that they "don't use for any purpose". They'll soon not be able to use the security through obscurity catch phrase.
Maybe Open source software should use "Privacy through visibility" as a counterattack.
iain
IMHO, this is yet another of those cases where someone implemented a nifty feature without thinking it through. What we have here is a company that can, with some effort, find out what a person is doing. At the moment, all they know is that someone, somewhere, visited a certain number of sites.
There'll be the inevitable massive calls for boycotting, and (as tends to be the case), this will be an overreaction. I'm happy with Comet's response, and I don't think this is a reason to hang them out to dry.
Then again, there is a practical use for this: I'd love to know the sites that people with Garfield cursors hang out at, just so I can avoid them.
---
Book(n): Utensil used to pass time while waiting for the TV repairman
Do we need to update the old saying
"you shouldn't take candy from strangers?"
to apply to the net?
-Too Lazy to register
Or we have to plug a sniffer in every IP-stack we use, or we have to move to software (and companies) we can trust.
I believe choosing for open-source software gives you (and the providing company) a trust relationship. You trust the software because you can check it, because you get the actual code.
Do you want big brother to watch you? Do you want the tiny little bros. watching your every step? I don't think so...
StarTrek.org Free Webmail
I have always hated that stupid thing. I never really understood the point of it.
....... evile !! track my internet usage how dare they .
well now i have a real reason not to like it .
cause it is evile !! i say
i wonder what they learn from all this information ?? i mean how can www.tommysbookmarks.net be of any use to these people ???
music the paint
dancefloor the canvas
Music the Paint dancefloor the canvas your body the brush
Am I the only person who has never heard of this software before?
Comment ended due to lack of information.
to have programs that install but do not inform
;)
the person that the program they are installing
will be sending *anything* over the network
that might entail privacy and/or security?
this way, when we DO find out that these morons
are using their fun little programs to track us,
they get a nice stiff fine from the gov't ?
( start conspiracy_theory )
or *maybe* the gov't is using companies like this as a smokescreen to watch all of us
( end conspiracy theory )
A year spent in artificial intelligence is enough to make one believe in God.
I erase all "unauthorized" cookies every few days. That should keep the comet from collecting information on me.
As for what they are doing: it doesn't seem all that bad. Slashdot appears to have gone into a paranoid they're-watching-us mode at the moment (i.e., loads of articles about tracking, NSA, encryption, privacy.... I'm not saying they're not important, just that some are seemingly redundant and the same arguments get trolled out over n over again. Why don't they just allow users to have a list of articles on eff.org or whoever deals with privacy issues, like you can do with bbc/science etc in the custom boxes).
Just my £0.02
Fact of the matter is, the only thing this company needs is exactly what they gather: your Web habits.
They're trying to defend themselves by saying they're not actually collecting your name or address, but that's not like this information matters to them.
Working for an e-commerce company, I can tell you what they want: they want a list of clients. They want to know exactly what kind of people use their software. They want to target their publicity more closely.
If you ask me, it's BS when they say they're not actually using the info they collect. This information is invaluable to advertising companies, and knowing where everyone goes from your site on is the Holy Grail of target advertising on the Web. Many companies focus solely on providing companies with 'client lists'.
So it's BS when the PR guys say it's harmless. Fact of the matter is, they're doing it without asking permission.
Here's a little gem from the article:
Wow. I know people tend to pick on Gore for that misquoted bit about inventing the Internet, but that's very fair of him. I thought we were the only ones (we being geeks) throwing a temper tantrum about privacy on the net. Way to go. Too bad I'm Canadian, eh? :)
is why people who use this software are not infuriated by it. Now maybe they just don't know, but personally if I knew that some company was making money by selling my browsing patterns I would want a cut of their profits. After all I never did sign up for this. I am not sure about the laws regarding telemarketing but don't telemarketers have to at least let the people know that they are taking part in a survey or whatever? I believe they do, and I think this company should be held to the same standards. Is it too much to ask for a little pop-up that briefly explains the product's purpose?
"The importance of using technology in the right way has never been more clear."
"There's not a lot of reason to crunch that data because I don't see that it's in anyone's economic interests. We're stating for the record that we don't do that and we never will.''
Not in anyone's economic interests? Let's see: Joe X (referenced distinctly by his serial number) goes to this Britney Spears site, then the Disney site, then Yahoo, then CNN, etc. I'm sure many companies would be interested to know where people are actually visiting for advertising and marketing purposes, let alone for forming "strategic partnerships" with related sites. Although I know Yahoo, CNN, etc. don't use Comet, the potential does exist for the plugin to be used for these purposes.
Not knowing anything about the face behind the serial number isn't anything detrimental, in fact it's important because it's with that anonymity they claim they aren't doing anything wrong. Whether or not you know who I am doesn't make a lick of difference, you're still taking my information (essentially, my web browser history in progress).
Pablo Nevares, "the freshmaker".
I wouldn't be surprised if Slashdot stores our IP address in our user profile.
This is common practice, but I've never heard of people getting upset about this. Why?
Looking for political forums? Check out "The World Forum".
Why are the colours piss yellow?
After the (imo) stupid outcry about id's vid card monitoring, I hope that those who complained will realise that there are far more worrying things out there.
-Yarn - Rio Karma: Excellent
I feel like I have been reading a lot about this type of thing lately. It seems like everything is trojaned: realplayer and even quake (although in this case it was disclosed) and others that I likely don't remember. I think it is the time for grassroots action.
Does anyone know of some organizations already set-up to address these issues?
2^5
What laws are they breaking?
For starters, there's the Data Protection Act (amended 1998). This requires all databases to be registered, along with a list of their structure, so that people upon whom information is held can serve a data disclosure notice on the database owners and find out what is being said about them. I believe there's also a requirement to notify the subjects that information about them is being stored.
(Violation: up to two years in prison and a honking great fine, although it's very rare for infractions to get as far as a prosecution.)
Next: Computer Misuse Act (1994). This act has teeth -- it was introduced as an anti-hacking measure and it would seem that if they're tampering with or using a computer in the UK for any purpose without the consent of the owner they could be liable for five years as a guest in one of Her Majesty's hotels. It is a criminal offense to run software on a computer without the owner's permission, or to cause software to be run (ditto), or indeed to do anything with a computer without permission from its owner. Oh, and you can be guilty even if you're not in the UK (but meddling with a UK-based computer), or if the computer's not in the UK (but you are).
Finally there's the EU declaration of human rights which, implemented in law, has an explicit right of privacy. The EU recently disseminated some directives on data security -- specifically banning the export of personal information from jurisdictions with strict privacy laws to other jurisdictions with weaker protection -- that means this company is violating the law, right across the EU.
Class action lawsuit, anybody?
You get what you pay for in most cases. [Open Source not included. I don't want to don an asbestos suit today.] I'm pretty sure they would have to have had something in their EULA. Simply put, almost no company gives away a product without getting something out of it. All in all, if the only place Comet mentioned their real purpose was in the EULA, that was pretty sneaky. I bet they have piled up a ton of data. Considering about 80% of the people who downloaded these cursors probably don't read tech news, they will probably be able to continue reaping the data.
A year or few ago I saw some report on TV or read somewhere about this Comet Cursor startup company. They made it out as if the idea of having a custom cursor was some sort of amazing and ingenious thing, and that it was cool. I didn't really see the point and thought it was just plain stupid (yeah, I'm Mr. Joe consumer, I am SO impressed that your site made my cursor into some stupid animation...yay, let me buy your product).
It's 10 PM. Do you know if you're un-American?
Why don't these companies just ask permission up front? I find it really tiresome to listen to them say that it's justifiable to discreetly get any information from me they want because it makes their jobs easier or increases the potential profit they can make.
Probably the best thing going for Open Source right now is that the "normal" software companies are shooting themselves in the foot with all this nonsense. I mean really... I *like* certain Microsoft products (flame away), and can't really be considered an advocate of Open Source at all.
But the more of these kinds of cases pile up, they slowly change my mind. I look down at my System Tray right now and wonder just how many of those programs are sending information back to the company about what I do. I wonder what else they're doing. This was never a problem a couple of years ago.
Can we really trust anything that big software companies put out at this point? Time and time again they have proven that self-regulation doesn't work. They've proven they can't be trusted to make software with privacy or security in mind. For that matter, it seems that many of them can't even be trusted to make high quality software at all. (all the bug-laden games out there come to mind... most notably SiN and the 18MB patch required to make it run at all straight out of the box)
If we have any software developers and/or PR people who work for software companies, can you please explain to me how anyone can ever trust anything you put out ever again? Please don't use the "well we don't use the information we collect" lame excuse, I'm not falling for it. Why would you collect it at all if you don't intend to use it? You shouldn't be collecting it at all, you don't have any right to. I want an audio player that *gasp* plays audio! I don't want it monitoring me, if I wanted that I'd install a monitoring program.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
1.) There is no such thing as unsupectible and harmless software.
2.) Never underestimate the creativeness of professional data-collectors.
3.) Don't let your kids use your computer unsupervised or at least make sure they are not able to install anything.
Ciao, Peter
I use Slashdot as my tech news source, and this sort of issue is very important to me.
My problem with it was that they were using machine hardware as part of the ID.
companies, subscription magazines, and the like. They routinely track everything we buy, and sell this info to who-ever wants it.
At least these guys are admitting they do it, and setting limits to what they will and will not glean from our machines; to the point of even promising to remove data that they were collecting (though I doubt they *had no idea* of it).
And as for making it illegal... don't think so boys. The FBI/CIA/ATF already use credit histories to track people down. I don't see them trying to stop this. Not if they can potentially subpoena other companies to cough up stats on an individual.
Secondly, the information they're collecting seems to be fairly harmless. I don't know how malicious they could be with it if they want.
Frankly, the thing that worries me is the fact that I have a static IP and hostname. Every site I visit no doubt stores that. I suppose that, in a way, that's less dangerous, because they don't get any sort of picture of what I'm doing, just that I've visited them. But still, it kind of makes my skin crawl.
And now I'll prepare to get flamed. I don't think that comments about the "closed source community" are incredibly appropriate here. Since I haven't seen any sort of open source competition for the comet cursor (which is slightly nifty, in a really dorky way), I don't think that there is any reason to use this as an opportunity to rip on closed source.
Consider what you get if you buy the access logs for a bunch of web sites (some with login ids that can be tracked to house addresses, maybe from shipping information) and then add user tracker data like Comet that can identify a user between web sites. You can now track the user's access patterns across all the web sites, even those where he was anonymous.
This isn't anything too new, the banner ad companies do this already.
Now where have I seen this software before.. .. Oh, right! It's on RealPlayer's list of software updates. RealNetworks strikes out again, eh?
From what I understand, this silly cursor is just a Trojan horse aimed at user's privacy. What would be the point of the company otherwise? Their business is just based on this invasion of privacy. And BTW, their claim that they can't link to a single user is ridiculous: it just takes one filled up form asking for your email address in any of the 60'000 using, et voilà! you are tracked, welcome to big brother!!!
Any web developer can understand that. It's so fucking simple to do, just the fact that they claim it 'impossible' is an insult.
http://www.oneofthesites.com/subscribe.cgi?email=IF DEFINED(id) THEN
INSERT INTO bigbrother (email,sexual_orientation, age, crimescommitted, numberofpornbannerclickthrough, hasreceivednicescientologyleaflet)
VALUES ( -- edited for brevity
ELSE IF sexual_orientation = 'perverthomo' THEN
send_blackmail_asking_for_money()
ENDIF
ENDIF
--
I just attempted to load cometzone's web site and it doesn't allow you to unless you allow cookies. God I love junkbuster. The sad thing is I find this to be more and more of an issue. Why do they need to store a cookie for me to load the page? Admittedly they can do whatever they want with the website but I find this just plain stupid.
On a positive note,
I recently went to Axent's site to do some research on their products and found that I couldn't view any product information unless I allowed cookies. I thought this was plain stupid and I emailed the webmaster regarding it. Below is the QUICK response from the webmaster at Axent. He was honest and shared more information than he needed to share ( he didn't even have to respond ). I wish more companies had this attitude. My response back was that since I couldn't find a privacy statement, I wasn't planning on allowing the cookies because I wasn't sure of their purpose. He was a nice guy none the less.
Here's the email:
Subject: RE: Feedback
Date: Mon, 29 Nov 1999 11:03:48 -0500
From: Tony Stephens
To: "'jvincent@qa.butler.com'"
You will not receive any unsolicited information from us. Thanks for the
heads-up on the feedback page. You are right, it shouldn't say "Submit
Registration". As for the cookies, we have moved to a dynamic, data-driven
site powered by Mainspan. I'm not 100% sure what the cookies are for (I'm
real new at this job, still learning the site...no excuse, but a minor
explanation for my lack of a real explanation) but I'm assuming that they
are to allow the server to track (during the session only) your documents
and allow faster access to the ones you access. It's a variable called
"DocsActiveForUser". Again, I believe that this is what it is for. I will
look into this further. I agree with you in the fact that for the public
site, it shouldn't be cookies, but rather session variables. But I'm sure
it's for the purpose of providing you the information you want
faster...allowing you to kind-of 'keep track' of the documents you have
accessed. I assure you its not for any tracking or informational gathering
uses of ours.
Thanks.
Tony Stephens
Webmaster
AXENT Technologies, Inc.
2400 Research Blvd. #200
p: 301.670.3644
e: tstephens@axent.com
e: webmaster@axent.com
w: www.axent.com
-----Original Message-----
From: jvincent@qa.butler.com [mailto:jvincent@qa.butler.com]
Sent: Monday, November 29, 1999 9:09 AM
To: webmaster@axent.com
Subject: Feedback
Name: John E. Vincent
Phone:
Email: jvincent@qa.butler.com
PageLocation: Products
Feedback: I was browsing your site and noticed that to get information, my
browser has to accept cookies. Please provide me with a good reason that a
security company requires a cookie with an invalid expiration date to allow
me access to the most basic of information about your products. I notice
your submit button says "Submit Registrion". This also serves to say that I
am not registering for anything. I do not want any unsolicited email from
your company other than a response to my question. John E. Vincent Network
Administrator BTSQA
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I am unconcerned by Slashdot (or anyone else, for that matter) recording my IP address because that information does not snoop my browsing habits, nor invade my privacy.
Think of IP logging as analogous to Caller ID: If I call your telephone, you have, IMHO, an inherent right to know who I am.
However, if you twiddle my phone so that when I call YOU it tells you about everyone ELSE I have called, that's invading my privacy. The critical distinction here is the collection of data on my interactions with third parties.
Of course, if a million Web site operators all pooled their IP logs, that would achieve the same result as Comet's dirty trick, but then the public at large would perceive a massive, evil conspiracy, it would make the 6 o'clock news, and they'd be stomped on by the law and public ire.
Hmmm, perhaps not such a bad idea here, either...
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
When I buy something on my credit card, I am aware that someone is probably warehousing this information. If I wanted to keep this information private, I would use cash. When I use my "Airmiles" card, it is with the knowledge that companies are giving me something (airmiles) in return for the consumer tracking info. This isn't hidden. I can bypass this tracking by not getting an Airmiles card, or by not using it.
The companies that have been found to send info without your permission (RealJukebox, ID, Comet) are only admitting that they do this AFTER the fact. I suspect that there are many other programs out there doing the same thing, only nobody has discovered what is happening yet. I doubt very much that most people downloading cute cursor software would even consider the fact that using the software might yield data for consumer tracking. If people were aware of this (perhaps soon they will be!) they might think twice about downloading it.
YS
"Arrr! The laws of science be a harsh mistress." -- Bender
Thing is, it would be easy to achieve their stated goals (count of unique visitors to a site) without raising the same privacy concerns.
Certainly each customer (that is, website with the cursor-changing support) has a serial number as well. Call this number "C", and call the serial number of the user whose cursor is changed "U". Instead of reporting the pair (C,U) to headquarters, simply report the pair (C,f(C,U)), where f is some one-way hash function. (e.g. MD5)
The information they (say they) want to collect is still collected, and yet it is impossible to do the correlation activity that privacy people are concerned about.
I agree, though, that it seems like someone just didn't think it through. Much as programmers need to be re-educated to think intelligently about security, it appears that privacy concerns need to be addressed similarly.
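The per-site hashing proposed in the comment above, as an added example that is not part of the original thread: SHA-256 stands in for the MD5 the commenter mentions, and the serial numbers, function names and visit list are constructed for illustration. The last function shows a limit of the scheme under one assumption: a collector that keeps the list of user serials it issued can recompute the tokens.

```python
import hashlib
from collections import defaultdict


def site_scoped_token(site_id: str, user_serial: str) -> str:
    """f(C, U): one-way hash over the site serial C and the user serial U.

    The length prefix keeps ("ab", "c") and ("a", "bc") from hashing alike.
    """
    material = f"{len(site_id)}:{site_id}|{user_serial}".encode()
    return hashlib.sha256(material).hexdigest()


def unique_visitors(reports):
    """Count distinct visitor identifiers per site (the stated billing need)."""
    seen = defaultdict(set)
    for site_id, visitor in reports:
        seen[site_id].add(visitor)
    return {site_id: len(ids) for site_id, ids in seen.items()}


def cross_site_overlap(reports):
    """Return visitor identifiers that show up under more than one site."""
    sites_by_visitor = defaultdict(set)
    for site_id, visitor in reports:
        sites_by_visitor[visitor].add(site_id)
    return {v for v, sites in sites_by_visitor.items() if len(sites) > 1}


def relink_with_serial_list(reports, known_serials):
    """Limit of the scheme: with the issued serial list in hand, every
    token can be recomputed and mapped back to a serial."""
    sites = sorted({site_id for site_id, _ in reports})
    lookup = {
        site_scoped_token(site_id, serial): serial
        for site_id in sites
        for serial in known_serials
    }
    visited = defaultdict(set)
    for site_id, token in reports:
        if token in lookup:
            visited[lookup[token]].add(site_id)
    return dict(visited)


# Constructed sample: (site serial C, user serial U) per page view.
VISITS = [
    ("site-A", "U1"),
    ("site-A", "U2"),
    ("site-A", "U1"),
    ("site-B", "U1"),
    ("site-B", "U3"),
]

# What is reported today: the pair (C, U).
RAW_REPORTS = list(VISITS)
# What the comment proposes: the pair (C, f(C, U)).
HASHED_REPORTS = [(c, site_scoped_token(c, u)) for c, u in VISITS]

if __name__ == "__main__":
    print("raw counts:    ", unique_visitors(RAW_REPORTS))
    print("hashed counts: ", unique_visitors(HASHED_REPORTS))
    print("raw overlap:   ", cross_site_overlap(RAW_REPORTS))
    print("hashed overlap:", cross_site_overlap(HASHED_REPORTS))
    print("relinked:      ",
          relink_with_serial_list(HASHED_REPORTS, ["U1", "U2", "U3"]))
```

Per-site counts are identical for both report formats, while the cross-site join only succeeds on the raw serials; the unlinkability holds only as long as the collector does not retain the serial list.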
They do use it. They just don't use it to track people. From what I gather from the article, the Comet people use this serial number to charge its customers (some of the people that use the software on their site). It's one of their methods for efficiently and accurately tracking this particular stream of revenue.
:) No one is safe.
In addition they might use some of it to do marketing research (although it is neither mentioned nor implied which means they might or they might not). The same things all those banner ads do. You want to worry about privacy? There's the motherlode of your personal viewing habits being sent across the internet - all corresponding nicely to your machine (IP), your e-mail (if your browser sends it - unlikely but possible), uniquely identifying your machine (via cookies unless you delete/disable them), and much more.
However most of this doesn't bother me. Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy sending a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug* All of this is benign information. Do I care that Carmack knows that someone out there (at IP # blah - if he even stores that data) is running version 1.09 and has a TNT2 Ultra? Or that Sir Cursor Changer knows someone (again, possible from my IP if they bother to store it) visited some web site?
Now: Send my SSN or CCN or Home Phone across the web without my permission?! That's in the interest of 'My Rights Online.'
Here's what SHOULD be done: Any app or web site that sends data back to its creators should register with a security watchdog organization such as TRUSTe. They should document their procedures and what they store and what could potentially be stored without a change on the client end (i.e. modifying the server to collect IP addresses). People can then get full disclosure on issues. Random and directed (in case of dispute) audits can be performed at the watchdog agency's discretion. If you think that Carmack is privately planning world domination based on the distribution of 3dfx chips in the world, you can complain to the appropriate agency.
Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.
And just think how much information CmdrTaco has collected from you.
Also, virtually every AOL user browses the Web through AOL's proxy
--
Could these people be charged with spreading a virus? Does it depend on the definition?
TRUSTe? Are you serious, or is this a joke of some kind? If, by chance, you do mean this seriously, I suggest that you read the news of this past year, with especial attention to articles featuring TRUSTe. And privacy violations.
I think we've pushed this "anyone can grow up to be president" thing too far.
banner ads can be turned off
very easily.
And at least with banner ads we know that they're tracking us.
I don't care if I'm being tracked, so long as I'm told "You're being tracked".
I'll go download that cursor thingie right now... With luck, the tracking info will allow them to rescue me when I get lost in Microsoft's web site trying to find what I want!
"No remote images"
Hmmm.. So much for all the sites like /. that use another server for images.
Technical solutions are rarely suitable to these kinds of problems. The only reason that this sort of thing happens is because of the inherent openness and flexibility of the net. That flexibility makes it very hard to pin down a weakness and plug it. There is no design weakness here - merely an unfortunate usage.
Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.
-----
They explain the information they collect, which is good (and probably makes it legal even in the UK) but they also explain that the code might auto-update with bugfixes or new functionality without any notification at all.
This is dangerous, as someone forging an address could conceivably deposit executable code on your computer and call it however they wanted to. While some other software (MacOS 9 and Quicktime 4 come to mind) have this functionality, they always ask you before downloading new code, and you can turn the feature off, while here it's just an invisible process.
Also, as a side note, they claim their data-collection doesn't violate the user's privacy because their GUIDs have never been correlated to any user-identifiable data. It's not to say that they couldn't though. Cross-referencing their logs with a site's logs (with the site's own guid that is correlated to a profile) could open the door for tracking where else that person's gone.
On the brighter side, they have a link for a 'cleaner' program that will wipe Comet Cursor off your computer.
Share and Enjoy,
Kevin
www.fury.com
Kevin Fox
Ok... After reading some of the comments here...
I have one question. What is the big deal???
Like cripes folks. Take a pill. So what. So what
if it tallies up the amount of web sites you go
to that use their software. I think they have
the right to know if you ask me. They're not
taking down credit card numbers, or people's names
or the names of your kids, the schools they go to or anything thats relevant to anyone but them.
I think the big problem here is that people are so
damned paranoid about "big brother" watching you.
Like get a grip. I mean, sure. I'm concerned about
my privacy on the internet but I think this is
absurd.
I've seen dozens of articles about privacy on
the internet and people being concerned about
if they are being tracked or watched. Like the whole Real Networks thing. So what if they want
to know what music you listen to. If they're using
that information to send me information on
stuff that I might like, do it.
CDNow keeps track of the CD's you've bought from
them and brings up selections that it thinks I
might like. Is that an invasion of my privacy?
No. It's quality service if you ask me.
I think people should stop being so paranoid and realize that not everyone is out to try and get them. I read these comments and that's what it sounds like. Everyone is so scared that somewhere out there, someone knows that you went to the Comedy Central Homepage to look up stuff on South Park. Why do you care? If you walk into a store and pick up a south park magazine, are you scared to death of the cashier who's looking at you?
I know I'll be flamed because there's not a direct connection between the examples I gave and this comet issue. So what. It all goes around the same thing. People hear so many things about the internet and how it's "so insecure" and how "you're being watched", and you have to be careful about what you say and who you talk to. Man, get over it. I've been using the net for years, before the web even existed and I have never had any issues with privacy. I'm not a tool. I know there's stuff going on behind my back that I don't know about but I take precautions. I know what to do and what not to do but I do it from what I believe is within reason. Not paranoia.
Those of you who are scared to death because a web site puts a cookie on your machine, or a website that asks you for an email address should realize if you stopped thinking about how everything is "against" you, you might see how these things work for you.
And the funny thing is, people who are geeks like us know all about all of this stuff, and get paranoid and scared or whatever. But the people who don't know any better, never hear anything and never get bothered by it. My mom uses the internet and she's about as net-literate as my goldfish and SHE never has problems.
Ignorance is bliss sometimes...
No matter how fast computers get, you'll always be waiting - Matt Klem
Hello,
we would like to develop a cursor changer software something like Comet Cursor but without trojans. Open source and possibly cross platform. We're looking for help and even legal advice. Email me or lsw@emaze.net (my business address).
Good karma to anyone who will help us. It's time to protect the end user's privacy.
the Lord Snow White
Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
http://www.cometsystems.com/
And here's a link to help get rid of the Comet Cursor program. It's from the Comet Cursor people, but it probably does what it claims to. I think this is just a case of stupidity, not eeevil.
http://www.cometsystems.com/download/cleaner.shtml
Why choose white shoes?
Companies keeping track of your web usage in cookies gets all that much worse if there's an easy way to hack cookies. As a site designer thinking about storing session variables and user passwords in encrypted cookies, I'm worrying about whether they really are secure.
lf.o
as far as i know we have what seems like a similar law to the first one charlie is referring to. only exceptions would be medical records.
You can't look at all the source, and (if you
still have Win machines on your net) you can't
even get at all the source. But you can keep
a damn close eye on your lan and your internet
connection. We found a couple of things that
were dialing up every hour running on some Win
machines and promptly shut them off. Some sort
of real networks thing. It's gone.
Learn to use your firewalling software, and
apply French Justice -- "Guilty until proven
innocent". Shut down everything, and then only
open up things when people complain. This won't
stop everything (i.e. cookies), but things
like the Quake notification would be detected.
-- cary
I said 'such as TRUSTe.' I am by no means up on the list of privacy watchdog agencies, nor do I necessarily care to be educated right now. And quite frankly I don't pay much attention to current events past what scrolls by on my MSN stock ticker. I read Slashdot purely for amusement, I leave my comment ticker at 3 or above (I let the moderators weed out the chaff like your post). If TRUSTe sucks then I'm sure there are other agencies out there that can do the task better, and they can be used. I'll let a working group decide that. BTW, a lesson for the Slashdot comment posting crowd. You will get a much better reaction if you say something along the lines of: "TRUSTe? I am not sure if you are up on the latest news but according to several news articles TRUSTe is not the best privacy watchdog agency out there. I would suggest some other agency such as . Your post was otherwise exemplary and I believe it will get moderated up highly." This attacking the other posters just doesn't appeal to me.
One simple way for software companies to convince me that they are not doing anything stupid is putting "This program in no way communicates any information to any third party other than list-of-functions-goes-here, (like "tells id your GL_RENDERER, sends request for listing of available q3 servers, sends packets to server containing gameplay information") or something of that sort. It'd be real easy for a lawyer to write something like that up, and after the programmers took all the trojans out, then it's fine. After that, if a company gets caught, they face criminal charges about lies lies lies, and have to pay the users of their software through the nose.
-S
The developers were probably doing this to avoid someone mucking up their billing scheme. If they bill some of the sites based on how many hits they got from users with their software, they needed a way to count unique hits. what's better than a unique id for each user? Any better idea?
My guess (and just a guess!) would be that the marketing department didn't even know this data was available.
.plan!! what plan?
With more and more overt intrusion into the realm of personal privacy, why not address the issue with congress. A simple solution would be to allocate a range of ports (say 50000-59999) that are available for vendors to obtain feedback. Make all other ports require explicit user notification prior to passing on information. Then, if you don't wish to have a vendor obtain information anonymously you can block ports 50000-59999.
Since when has an SSN been private? I seem to remember a website on which the US Army posted the SSNs of all of its members... :-)
Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy sending a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug*
Quake3's GL_RENDERER is a non-issue. They don't know more about you by getting this information -- they just know what video card and driver you are using and that's all.
However the cursor thing is a different matter. Why? Well they say that they have 60,000 sites using it. Imagine the following scenario:
And now ... data mine that (really, it's just a simple table join!), et voilà! Company X has all the information it needs to happily black mail you.
(Someone knocks at your door, some day as the night just fell, 2 men dressed in black and wearing shades and bicolor shoes smile at you as you open your door)
(They turn around and you close the door as your knees start to feel weak)
--
I did read somewhere, that part of this was due to the CIA realizing that corporations had done a better job of collecting user information much easier than any intelligence agency could, and therefore it would need to cooperate to extract information from these companies, and/or come up with software to process the millions of pieces of information and tie them together.
Quake3's breach of privacy was bad enough!
It's sometimes so frustrating to think there's a freakin' large percentage of people who don't know and don't care! Worse is that a lot of these people occupy government offices, and are the policy makers of this country. So come next election, and Microsoft+others+CIA/NSA, might just get a bozo up for president, and before you know it, customer data acquisition via embedded client-side code will be granted.
Or, maybe they'll sell this angle: Government cracks down on companies developing "crashable" software, in the name of consumer rights. Software companies insist that they require knowing the configuration of customer's machines. Which of the 90%+ of Internet newbies will not readily agree to give away personal info, just so he/she can run an auto-diagnosing-and-fixing version of Windows 2000!
But on the bright side, I do know for a fact when I have my own multi-billion dollar organization, the CIA will come knocking at my door, to share secrets on beating any international competitor on foreign contracts. Of course, then my whole attitude would change, and kudos to the Echelon system.
Hi people. I don't know what kind of medication this Grits Boy guy is on, but I don't really care because I just poured a bowl of hot grits down my pants!!!!
Read old Slashdot on cookies and banner ads.
Cookie "security" relies on cookies not being shared between servers. For a simple site, this works fine. When banner ad companies sell banners to many sites, then a loophole has opened whereby they can see cookies that were placed there by many sites that share the same banner servers. As banner servers are near monopoly industries, then that's a big source of cross-tracking data.
The fix is obvious, but it needs to be done in the browsers (or by a filter near to the browser).
Hacking obscure browser loopholes just isn't worth it for commercially honest (sic) data capture. There's not enough good data to be had that way (If you still use Mosaic on an Amiga with an unpatched ActiveX hole, then I doubt that you'd buy my product anyway). Illegal cracking (stealing credit card info etc.) is maybe worth looking for obscure browser holes, but market research is by its very nature a mass-market task.
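The banner-server point in the comment above, as an added example that is not part of the original post: a banner server embedded on many sites sets its own cookie once and then receives it, together with the referring page, from every site that carries its banners, and a browser-side block on third-party cookies breaks that link. All hosts, class names and the `uidN` format are constructed for the illustration.

```python
from itertools import count
from urllib.parse import urlsplit


def host_of(url):
    """Host part of a URL (empty string if there is none)."""
    return urlsplit(url).hostname or ""


class BannerServer:
    """A hypothetical ad server whose banners are embedded by unrelated sites."""

    def __init__(self, host):
        self.host = host
        self._ids = count(1)
        self.log = []  # one (visitor id, referring page) row per banner request

    def serve(self, cookie, referer):
        """Handle one banner request; return a new cookie value or None."""
        set_cookie = None
        if cookie is None:
            # No cookie came back, so this looks like a new visitor.
            set_cookie = f"uid{next(self._ids)}"
        self.log.append((cookie or set_cookie, referer))
        return set_cookie


class Browser:
    """Minimal cookie jar keyed by host, with an optional third-party block."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def visit(self, page_url, embedded_servers):
        page_host = host_of(page_url)
        for server in embedded_servers:
            # Simplification: real browsers compare registrable domains,
            # not exact host names.
            third_party = server.host != page_host
            blocked = third_party and self.block_third_party
            sent = None if blocked else self.jar.get(server.host)
            # The referring page is still sent; only the cookie is withheld.
            new = server.serve(sent, referer=page_url)
            if new and not blocked:
                self.jar[server.host] = new


def profiles(server):
    """Group logged pages by visitor id, as the tracker's table join would."""
    out = {}
    for uid, page in server.log:
        out.setdefault(uid, []).append(host_of(page))
    return out


# Constructed browsing session: three unrelated sites, one shared ad server.
SITES = [
    "http://news.example/story",
    "http://shop.example/cart",
    "http://health.example/clinic",
]


def run(block_third_party):
    ads = BannerServer("ads.example")
    browser = Browser(block_third_party=block_third_party)
    for site in SITES:
        browser.visit(site, [ads])
    return profiles(ads)


if __name__ == "__main__":
    print("cookies allowed:", run(False))
    print("third-party cookies blocked:", run(True))
```

With the block on, the server still sees each request and its referring page, but every request looks like a new visitor, so the rows can no longer be joined into one profile by cookie.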
Personally, I don't think that the "feature" they put in their software is a great sin. It collects information which they need to get paid for their efforts (even if /I/ don't think it's worth a penny, obviously they have customers who do). Yes, it can potentially be cross-referenced with legal identities. Of course, there are a lot of ways to do that now (cookies, web logs, etc).
What is deplorable is that they did not release such information to the people who downloaded the software.
If a company wants to produce software that monitors every keystroke I ever type on my computer, fine. If I want to use it, fine. However, I should be told before installing the software that such information will be collected.
If we are going to condemn their actions, then let us condemn them for their real crime. Collecting this information was not a crime. Collecting this information without the consent of their users is a crime, if not in a legal sense, then certainly in a moral sense.
I would expect the people here to understand this better than most. Software is never the issue, it's what's done with the software and in what manner that is the issue. The government wants to regulate crypto because it can be used for illegal purposes. The music and video industry want software and hardware that can reverse engineer/defeat copy protection to be illegal because it can be used for pirating. Yet, crypto allows private communication, e-commerce, and user identification that is desperately needed in a world that is rapidly becoming dependent on computer communications. And the same software and hardware that can be used to defeat copy protection can be used to help debug programs, burn CD archives of our work, and play DVD's on our linux boxes.
A tool is just that. A tool. However, someone who uses a crowbar to break into people's homes is a far cry from someone who uses a crowbar in the process of construction.
Please. Remember their crime. It's not the software, it's the lack of consent.
All operating systems suck. Some just suck less than others. (and some are virtual black holes)
There was actually a time once when I thought I could trust a cursor. This is absolutely ridiculous... I don't care if they say they're not using the information, the fact is that someday it COULD be used. God only knows what they're actually doing with it...
Does anyplace use Comet Cursors these days anyway? The only place I've seen that uses it is Garfield.com
I tried their software once. The cursors were harder to use than the ones I usually use, and they were annoying. Fortunately, I've reformatted the computer since then...
Id's response, "Here's how to turn it off" Comet's response, "Really, we know it pisses you off, but it's OK that we're doing this!"
BTW: Did you know many quake servers track your stats? Hours played, frags etc. There's even a web site where you can view your profile, set up a home page and so on. Does THAT piss you off?
"Live Free or Die." Don't like it? Then keep out of the USA
Do you think it's lynx compatible? :)
OFTC: By the community, for the community
Even with open source you cannot be completely secure. For example, http://www.acm.org/classics/sep95/ describes a method in which you can dynamically create trojan horses by modifying the compiler to match certain portions of code and recompile it into your trojan horse, and also to match certain portions of your compiler code and insert the trojan horse generator code into the compiler code. Thus you have a bugged compiler, and all future compilers compiled with your newly redefined compiler will have the same infectious capacity as the original compiler. Thus there IS NO NEED for trojan code, since your new compiler and any compilers compiled from it will insert trojans for you.
It's things just like this which give the open source movement legs.
The P-III has a "Serial number" in the chip that leaves its number everywhere it goes. This is also a possibility for web tracking, and marketing purposes. Try www.bigbrotherinside.org
Don't call me crazy, that's what they called me back in the home!
What won't stop invasion of privacy is so-called disclosure in license agreements and readme files. First, nobody reads those, and second, they're too vague. I think that the info that ID gathered was perfectly acceptable, while what RealJukebox did was definitely not, and yet one generic disclosure statement would cover both.
I think that what we need is something similar to anti-virus software that sits between applications and the TCP/IP stack, and limits what different applications can do, putting up warnings and confirmation dialogs as necessary. I expect that my web browser will connect to internet sites. I don't expect that of most other software, and I want to be warned whenever that happens.
This should be similar in concept to some virus protection software. I expect FORMAT.EXE to format disks. I don't expect any other program to do so, and if anything else calls the INT13h or whatever it is (apologies for the DOS-isms), I want to know about it.
Of course, clever programmers could code around anything, just as virus writers avoid detection, but if any company employed such tricks, they'd really have a lot of explaining to do.
There is a story on MSNBC which seems to say that Comet is logging MAC addresses as well as IP:
http://www.msnbc.com/news/340594.asp
The company's technology officer, Tom Schmitter, acknowledged Monday that part of the identifier harvested by Comet includes the serial number for each computer's network connection hardware.
That seems quite Evil to me...
I just attempted to load Cometzone's website and it doesn't allow you to unless you allow cookies. God, I love Junkbuster. [...] Why do they need to store a cookie for me to load the page?
I know all you Linux/Apache hippies are going to laugh or something at this...
After CometZone's website struggles with your browser, it ends up at the page cookie.asp. Notice the extension-- asp. That stands for Active Server Page, referring to Active Server Pages, a server-side scripting technology from Microsoft. ASP normally runs on NT Servers running IIS3.0 and above.
When you visit an ASP site, it may send a session-level cookie to your browser, to identify you while you are on the site. Session-level means it lasts only as long as your browser is open. It is never stored on your hard drive in any cookie file. The cookie name usually starts with ASPSESSION followed by a bunch of random letters.
The reason this is sent is because some ASP sites use session variables-- global variables for all the scripts in the site that pertain to the current site visitor. The server stores these variables in its memory and uses the cookie it sent you to tell your session variables from everyone else's.
Now, as an ASP programmer, I can say that using session variables is a bad idea. Firstly, most users don't like cookies, and will disable or refuse them, meaning that the website will not be able to retain session information for the website users. Secondly, they use up server memory! If you have 400 users on your site, that's 400 copies of every session variable! (No jokes about NT Servers' load capacity, please.) Thankfully, it's possible to disable them and stick with only application variables (of which there is only one copy of, regardless of the user load). There are also other ways of maintaining state information, too.
--- Linux and grits down my pants. Does it get any better?
...my search for a bumper sticker slogan has ended.
So they've found the grits down your pants, are they still searching for diamonds on Uranus?
Tell me, how would you feel if your girlfriend were to see your click trail
--
Just curious:
BlackICE Defender -- the "firewall" software from Network ICE -- also logs MAC and IP addresses of all of the so-called "intruders" that it catches.
How, exactly, is this different than what's going on here? I mean, is it just because that logs of the intrusions are kept on the client machines instead of a central server?
--
Correct me if I am wrong, but once people start
moving to DSL solutions they will have a unique
(read permanent) IP address? That is when it
will get scary.
The damage is whatever you define it as. There is value to your personal information. If there was not, then why would they collect it? Some number can be determined. It is the same type of problem in a slander or libel suit. But in this case, you can disgorge them of the money that they have made in this manner.
Injured geek wins against Mattel, Mattel continues to retaliate!
DAMMIT!! WHEN WILL THEY LEARN
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Well, nobody cared when John Carmack did this with Quake. This is just the next logical step.
Well, if they aren't using the information, then they should have no problem with someone reverse engineering their protocol and sending millions of bogus "hits" on random sites to their servers.
:-)
Any takers?
This isn't about Yahoo. Its about the Comet Systems Inc. Yahoo carried the story from AP. Stop knee jerking and actually read the topic!
I've been wanting one of these since I found out what cookies were and what they did.
Someone make me one!
Look I even came up with a name for it. =)
Only one question - not coming from the US, I don't know what 'grits' are. Could you enlighten me?
-- Help Digitise the Public Domain at DP.
and prosecuted accordingly?
apparently if you are running IE4.0 (don't know about other versions) and you don't have the "security settings" set to the highest possible level, the cometcursor app. will AUTOMATICALLY download and install itself without even a notification!!
... is if this is installed on a developer/tester's workstation in an e-commerce/web design shop.
What kind of information could be gleaned from them by the record of all their internal urls?
In certain circumstances, this could be espionage.
(note : I know that now all sysadmins everywhere are banning this software, and they shouldn't have run it in the first place, but up until now, it's just been a harmless desktop toy. Who would have cared about it?)
For any IE user who doesn't trust the cleaner provided by the company:
Tools->Internet Options
Temporary Internet Files - Settings
View Objects to see all ActiveX controls that have been downloaded
Right-click the Comet Cursor->Remove
I did this in NT4. Dunno about 9x or 2k.
Rather hard to find... ehehe... I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convenient mishap. I tried the link in the license agreement which is incidentally labeled, "8. Privacy -- See our Privacy Statement"... this links back to the license agreement. So I tried "http://cometzone.cometsystems.com/privacy.asp#"... this worked. Here's what I found:
"Registration
Comet Systems gathers information about our Cometeers that allows us to offer compelling services in a manner that provides personal privacy protection as well. When you join CometZone, we ask you to provide us with some required information such as your email address and home page URL, and some optional information such as your name and address."
"Account Activity Logs
As a result of joining CometZone, a Cometeer account is set up for you on our system that contains your user settings and preferences, e.g., which Comet Cursor you've selected for each of your Cometeer web pages. Every time you login to CometZone, or change your CometZone settings or preferences, your Cometeer Activity Log ("Activity Log") is updated to reflect this activity. Comet Systems uses Activity Logs as a means for better understanding our Cometeers and their interests."
"...Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web... "
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
Sincerely,
Ryan Taylor
---
Just when you think you've invented something idiot proof, someone goes and invents a better idiot.
ActiveX is built-in insecurity. Various corollaries suggest themselves.
then you are doing the cyberspace equivalent of having unprotected group sex with heroin addicted prostitutes.
That still does not excuse Comet doing this, however.
P.S. I could have posted this at 2, but chose to do so at 1.
www.eFax.com are spammers
Try Freedom. Looks like an interesting system. They've got a beta out for free I think.
"We're sorry, but the website you're trying to reach has been disconnected."
To claim that no business will collect data illegally for fear of being caught is like claiming no business will break environmental laws for fear of being caught by environmental watchgroups. It happens all the time. Some are caught - even some well-known names. Many others are not.
Our only defense is to make examples of those who are caught in the hopes that fewer will be willing to risk such business practices. It won't put a utopian end to such behavior, but it might help to prevent abusing privacy from becoming a standard business practice.
Why should I care about this? Because some unknown person might know what sites I go to? I don't care about that. I don't understand why I should.
Should I care because I don't have the option to opt out? Maybe. Should I care because the software developer does have a big warning about the tracking? Maybe.
So many of the posts I've read seem to be missing the point. No one cares that this info is being collected. Really. It's no different than the phone company tracking my calls or credit card companies tracking my spending. The information being gathered is valuable. It shouldn't be stepped on. It should be sanctioned and then monitored. I would rather see marketers told they can track visits all they want, but they can only record xyz and only use it in such-and-such a manner. Bitch slapping marketers will never get you what you want. Try to encourage them to do the right thing. They're going to track anyway.
Personally I would prefer that sites knew my habits and could customize content for me. This would be a cool thing.
Jon Sullivan
www.jonsullivan.com
It's the same point that has been made in countless action movies and cartoons: Some good things are very bad because they can be easily adapted to do very bad things. Whether it was originally designed for good or bad from the beginning doesn't matter.
what community? oh yeah all the kiddies (that's what this stuff is directed at anyway) will drop their pokemon and polly pockets and join the linux revolution!!!
---
They have stopped accepting beta testers.
See web page if you don't believe me
Remove the NOSPAM to spam me...
Well, this should take the heat off of cookies...
We at Comet Cursors take very seriously our commitment to track every click on the web.
To further extend and embrace the lynx using market, we are designing a revolutionary new set of cursors for the text browser market.
When this proprietary code is invoked by lynx, it will automatically change your cursor as follows.
Movement:
Blink
fast Blink
no Blink
Color:
16 colors!
Size:
Regular
pinpoint
Mammoth
We hope that these cursors will greatly enhance the text browsing experience, and significantly increase our market share.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
People who snoop on other people deserve drastic actions.
If we let corporate America decide what privacy rights we have, then we will become (and are) second-class citizens in the World Net, behind the first-class citizens of the EU who can stop this kind of thing.
Who amended the US Constitution on me when I wasn't looking?
Will in Seattle
-- BEGIN OFF-TOPIC -- (this does not last the entire post)
Sorry, can't help you there. But have you ever seen the Japanese animation series My Dear Marie? That would be cool-- build your own girlfriend. There's no sense in wasting time, energy, money, and tears trying to appease real-life girls. They're too unpredictable, they never behave logically, and they always patronize you and tell you to get lost. Or, they "already have a boyfriend." (Grrr...)
Anyway...
I don't exactly want to encourage cyberstalking, but since many novice users regularly run executable email attachments without thinking, it might be possible that the cute girl in high school you lusted after is a novice user...heh heh heh... Maybe you should send her a "message"... It's a rather interesting way to find out more about her, isn't it? She probably uses Microsoft products, too, which make your job a little easier.
-- END OFF-TOPIC --
I am really having a hard time trusting anything I download or get from anyone. In the past, I just had to worry about real viruses. Now, I have a lot more to worry about.
I recently upgraded my computer. I've got an old motherboard, case, CPU, hard drive, and old memory left over. Maybe I should cobble that stuff together and build a Linux-powered firewall to catch these little messages.
A friend of mine recently did just that, and on his Windows98 box (which is behind the Linux firewall), he found that a lot of "updates" for commercial software don't quite work anymore, especially "active" updates like for Windows and Netscape...
Another idea is to have two computers, or two bootable hard drives. Have one computer or HD that you'll keep "clean," and the other you can install anything you want on. Don't keep anything personal or incriminating (warez, MP3s) on the second one.
I think I got this damn thing from comedy central's site. How does one go about getting rid of it???
Yikes. Does anyone know how much of the URL is being sent to Comet? Is it possible that they are getting entire get strings? What if Comet is getting something like:
x p=0902
http://blah.com/post.cgi?uid=eyeball&password=xxx
or even worse:
http://blah.com/post.cgi?ccnum=4111111111111111&e
_______
2B1ASK1
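The question above is what a reporting client ends up sending when it forwards full URLs. As an added example (not from the original post, and not a description of what Comet actually transmits): a check that flags credential-like material in a URL, and a minimiser that cuts the URL down to its origin, which is what the `Referrer-Policy: origin` setting does for referrers in later browsers. Function names, the parameter-name pattern and the `shop.example` URL are assumptions made for the illustration; the `blah.com` URL is the one quoted in the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Parameter names that usually carry secrets (hypothetical, not exhaustive).
SENSITIVE_NAMES = re.compile(r"pass|pwd|token|secret|sess|auth|ccnum|card", re.I)


def luhn_ok(value):
    """True if value looks like a payment card number (13-19 digits, Luhn-valid)."""
    digits = re.sub(r"[ -]", "", value)
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_url(url):
    """List (name, reason) pairs for parts of the URL that should never leave the client."""
    findings = []
    parts = urlsplit(url)
    if parts.username or parts.password:
        findings.append(("userinfo", "credentials in authority"))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAMES.search(name):
            findings.append((name, "sensitive parameter name"))
        elif luhn_ok(value):
            findings.append((name, "card-like value (passes Luhn)"))
    return findings


def minimise(url, keep="origin"):
    """Strip userinfo, query and fragment; keep only the origin unless keep='path'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    # Paths can carry identifiers too, so origin-only is the default.
    path = parts.path if keep == "path" else "/"
    return urlunsplit((parts.scheme, host, path, "", ""))


# URL quoted in the post above.
PAGE_URL = "http://blah.com/post.cgi?uid=eyeball&password=xxx"

if __name__ == "__main__":
    print(audit_url(PAGE_URL))
    print(minimise(PAGE_URL))
    print(minimise(PAGE_URL, keep="path"))
```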
They don't know who I am, they have no way of getting personal information about me except my IP. Most of the time people expect that huge companies are going to use the info they _do_ have for some horrendous evil... but in reality, all they do is tailor the banner ads that show up to stuff that you might like. I don't find anything wrong with that. And what about cookies? Being a web developer, cookies can REALLY be useful sometimes. Sure, you can do it other ways. You can also walk from San Francisco to New York instead of flying... which one do YOU think is easier?
I think paranoia is good, but too much is unhealthy. Lighten up a little, jeez... they're not listening to your brainwaves.
It was unknown software. YOU chose to install it. It's YOUR fault. I've seen it, didn't know exactly what it did or who wrote it, so I chose NOT to install it. Active X is secure. You people who installed it are morons.
Hmmm... But it also means that my computer will BOOT FASTER! I only use Real about once out of every 10 times I fire up my computer, so it sounds like a winning situation to not have to waste the time loading the "Start Center" whatever the fuck that is supposed to do...
So does anyone know what that little intruder is doing while sitting in the tray?
Some tricky piece of software must have installed it for me. The applications I've recently installed are Real Jukebox (registered version), and Real Player 7(registered version). These MAY not be the culprits but they look really suspicious.
Can anyone else confirm that Comet Cursor got 'secretly' installed on their system or as part of a bundle with other software?
the point is only *your* compiler will trojanise code. everyone who compiles the software with their own compiler will *not* have a trojanned version. so you want to trojan your own machine ? fine.
I doubt highly that most users of open source examine all the source code before running anything. For any linux distro, replete with oodles of open source software, it's not even humanly possible. However... with open source, if there is a chunk of trojan code, security bug, or some back door in an OSS program, you can bet someone, somewhere will find it and will bring the bright light of the internet and OSS community to shine upon it. A patch and/or a fixed version will be out in no time. This is not possible with closed source software. So OSS benefits me even though I know nothing of writing code and is why I will always use OSS exclusively. Are you listening Microsoft, et al.? Even non-programmers like me are switching to OSS. It's simply a matter of trust.
> here is what it contains:
What we need is for some enterprising network programmer to provide us with an emulator app that will let us generate bogus messages of the right format and directed to the proper destination. Have it create a message with random content, or perhaps read strings from a user customization file that will allow insertion of fake but plausible text.
Better yet, have it read a database of known snoopers, so that a new program doesn't have to be written every time a new snooper is discovered: just have a cron job pick a random known snooper once per hour, and send out a bogus message. Then whenever you see a "Your Rights On-Line" post to /., you'll know it's time to download an updated database.
Don't generate enough messages to rate as a DOS attack, mind you: just enough to make sure their "sucker databases" are useless due to pollution with bogus messages.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Breakfast food, predominantly found in the southern portions of the US. Finely milled corn boiled in water, ends up looking a lot like cream of wheat. Kind of bland tasting. Usually eaten with butter, NOT poured down one's pants :)
jsdkl
It's different because anyone with a dozen working neurons should be able to see the credit card tracking hazard, and can then use the card accordingly. (This is why I only use my Interac card at the ATM!) Who would guess what the Real Purpose behind these cute little cursors was? These were Trojan horses pure and simple.
Yup, and this is only the beginning.
Look at a piece of software by ThinkingMedia called ActiveTrack. Basically, this software is a really nice way of making banners (or other forms of media) more interactive. It's becoming quite popular by New Media companies lately because you can do things like make an animated banner that contains a form.
It's nice stuff.
But go and look through some of the other things it can do. You can see where this is headed.
"In contrast to server-side methods, ActiveTrack's Client-Side Tracking method places a tiny Java applet (about 1/2 kilobyte) into an ad or page, which acts like a "radio transmitter." As soon as the ad or page loads into a browser, this transmitter starts sending real-time data on where the ad is running and how surfers are interacting with it back to the ActiveTrack database, bypassing server-based reporting entirely."
"This alleviates virtually all the drawbacks of server-side tracking, and gives ActiveTrack powerful new capabilities."
I have nothing against software of this type, but only if it is used for its intention - gathering marketing information on banner ad clickthroughs etc. As soon as it starts 'monitoring my habits' I'll be looking for its .class file, thank you very much ...
Personally I think all stable releases should be signed by the public key of the maintainer. Then each of us can verify that we have the same version as everyone else, not one with an extra little bit added. Downloading a daily build still leaves some vulnerability but you're probably doing that on a test system anyway.
I got it from dilbert.com and it runs under Netscape (dunno about IE4). How do I remove it completely from the system?
From the article: ... part of the identifier harvested by Comet includes the serial number for each computer's network connection hardware. Scheisse! I'm glad I use a robust OS and an external modem.
How is this any different from agencies like doubleclick that gather the same sort of information through cookies? Yes, I know there are some differences in the methods which are used to retrieve the information, but how is the actual information being gathered any different? And how is this illegal in the UK while doubleclick isn't (or is it?)?
-----
Free P2P Backup, Windows & Linux
What the hell would these guys actually SELL here? A list saying "Cursor UserID 12345 visited sites http://abc.com and http://xyz.org"? How REMOTELY USEFUL is that information going to be to any potential marketer? At MOST, they'll be able to determine web site "genres" ("People visiting abc.com also seem to frequently visit xyz.org"). There is NO WAY to correlate this information with any other bit of information without all of the member web sites being in on the conspiracy and coughing up their access logs in real time, and even then, proxy servers and dynamic IP addressing would render this data virtually unusable (and nearly impossible to effectively mine, given the volume of data, and the low percentage of useful information).
Stop trying to break apart their statements and look for hidden sinister intentions here. It's clear they know what we're objecting to, and his statement was meant to try and remove those fears from our minds. There is NO reason to assume that they have, are or ever intend to use the information they've collected for any purpose other than what they've stated.
And I'd be very interested to know what sort of login ID you can glean from a URL that allows you to discover private information like a name or address. That sounds like a pretty piss-poor implementation of something and the maintainers need to be e-mailed.
Your identity is totally meaningless to these people. Your name serves no purpose in their efforts to bill their customers for use of their software. It makes no sense at all for them to ever want to record it, and even if they DID, and managed to sell your identity with a long list of rather questionable web sites (and userID's, whatever else you want to add to the conspiracy theory), SOMEONE WILL FIND OUT ABOUT IT. Things like this don't go undiscovered (look at the long line of YRO articles if you don't believe me). They will be caught and the PR shitstorm that results would leave the company penniless, perhaps even with their owners behind bars. Think about it.
If there were laws to support bonding of visiting software (I mean laws with consequences that can (really, really) NOT be absorbed by the unscrupulous as cost of doing business), then users could choose to lower their risks in a way backed with predictable legal recourse.
Big commercial operations could afford to provide this kind of assurance (assuming they aren't dependent on deception), but there ought to be a way for a small contributor to give assurances too. Open source is great, but I am not sure I have time to inspect all the code myself, especially if you include OS and libraries (;-), so it would be nice to have versions signed by trusted reviewers. Anybody have a list of trusted reviewers? Should they be bonded ?? Paid?
I've only been reading Slashdot for a couple of months now (this is really my first post here) but it seems to me that there have been more than a few privacy / free speech issues that warrant some serious action. I don't think the issue is detection but taking action against the offenders. I'd start by writing your elected officials and letting them know your concerns. If you don't happen to know who they are (don't be embarrassed, I didn't either until a few years ago) and where you can write to them, there's a lookup feature somewhere on the ACLU website (www.ACLU.Org). I think only one out of my three has an email address, the others you've got to use snail mail. On free speech issues it could be worthwhile to get together as a group and petition the ACLU to step in and do something in the cases of free speech infringement like that instance of the Scientology people getting that anti-Scientology web site shut down.
This is missing the point completely.
Sad truth is that nobody has ever made money trying to protect privacy. There is no economic incentive for developing safeguards against the abuse of information. Not even open-source software could change that. Any software with privacy enhancing features would be at a disadvantage. In fact the response from websites would be undisguised hostility. This is a zero-sum game where your loss of privacy is the site's gain in focused and targeted advertising. (solving the "dont-sell-diapers-to-bachelors" problem) A web server could conceivably discriminate against clients using privacy-protecting software: assigning lower priority, degrade the level of service or completely ignore requests. You are costing them in lost revenues; how dare you expect getting decent web pages?
There is some short-lived favorable publicity in taking the higher ground or paying tribute to the sacred cow of respecting the consumer privacy. There are press releases written in religious overtones, conferences where the CEO criticizes "other" companies who have not pledged loyalty to the cause of privacy and proud declarations on the web site stamped with the eTrust logo. After the dust settles everything is back to usual: consumer privacy is subordinate to the overriding need for advertising revenues and effective marketing strategies. (Anyone holding their breath for the *next* Real Networks scandal?)
Given that there is so much to gain by collecting and distributing user information (and very little to lose unless you are caught red handed) it is not surprising that applications will evolve in this direction. Consumers are uninformed. The law is extremely liberal, unlike Europe where privacy is taken very seriously and violations are prosecuted aggressively. Isolating the breach of privacy into one spot and pointing the finger at one company alone is very difficult when there are so many companies competing for that purpose.
Companies are not even trying to be apologetic about their behavior. Betting on consumer ignorance and the elusive promise of "customized content" (eg the more we know about you the more enjoyable your web experience will be) they forge ahead completely ignoring privacy concerns unless these have substantial impact to the bottom line-- eg loss of money.
Given the odds open-source is no silver bullet. By virtue of being open-source it is even easier to fork and build an "improved" version with even more flagrant privacy violations. The realistic viewpoint is that the future will see more blatant privacy violations happening more frequently.
BP
Huh?
When I visited the page I was presented with a dialog asking if I wanted to install the component. I explicitly indicated my desire to do so.
Even if it didn't ask me, it would still not be considered illegal. Nobody forced you to visit that web site, and the component is part of the content rendered on that site. If you don't want your browser automatically loading and displaying images or applets, DISABLE THEM. You can do that, you know. You are implicitly allowing them to run as part of your browser's normal operation. To say that this even remotely violates any law is absurd and unfounded. Consult a lawyer before you go off saying something is a criminal offense.
It's like saying, "I only authorized this web page to deliver one paragraph of text to be rendered in my browser, but instead, it caused my browser to render THREE paragraphs of text. Those two paragraphs are UNAUTHORIZED uses of my browser and computer's resources! I want to sue!"
You do realize your web browser itself is guilty of delivering far more trackable information than this little applet, yes? Why aren't you jumping up and down asking for web browsers to be banned?
Please explain what devious acts this company will commit with your (impersonal, non-specific) web usage? Tailor ads to suit your interests? OH THE HORROR! Are you unable to control yourself? If you see an advert for something that is suited to you perfectly, you're just going to have to buy it? Anyone that uses these stupid cursors is getting a "free service." In return, they might make money off of selling information on web usage to ad companies. YRO over-reacts yet again... -thomas
Now if there was just a way to auto-refuse the nags that pop up now...
I love this kind of thinking. Let's take it to
its logical conclusion, shall we?
Just what dastardly deeds can a company commit
with non-personal web usage information? Tailor
ads to better suit you? BIG DEAL! So I get to
look at computer and movie ads (things I'm interested in), rather than pantyhose and flower
ads.
You see, I have what's called WILL POWER, and I
can actually choose not to click on a banner ad,
whether I'm interested in the product or not.
Really. Try it sometime.
-thomas
Are you actually saying, on slashdot, that there is nothing free? What about linux or perl? Even in the windows world, there's lots of free, closed source software (such as the original winamp and mIRC, they went shareware when it became apparent that millions of people were using it and even if only 1% registered...)
I might be likely to run a little app if it looked interesting, and I certainly wouldn't expect it to actively track my web surfing
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
From the page:
http://www.cometsystems.com/contact/privacy.shtml
What personally identifiable (non-anonymous) information is collected about users of the Comet Cursor?
None. Surfers who download our Comet Cursor software are not asked to provide their email address, name, credit card number, or any other personally identifiable information. Our goal is to make installing our software as quick and easy as possible; personal information is not useful or necessary for us. As a result, you can use the software without telling us who you are or ever revealing any information about yourself.
This says it all for me. All they have is a bunch of tracking numbers that are a glorified "hit counter". There is no "privacy problem" when you have no private information in the first place.
Plus, the Comet Cursor is only available for Win95/NT. No Linux, Unix, or Mac versions at all.
If Slashdot.org is a bastion of Linux users, we have nothing to worry about except protecting Windows users!
I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convenient mishap.
Why does everything have to be a conspiracy theory with you guys? When something doesn't work is it always because the company responsible is being evil and trying to hide something from you?
Did it ever occur to you that they might have been using a form of JavaScript to load the privacy page? It seems that you're either using an obsolete browser or you've disabled JavaScript for some reason (which is pretty typical of YRO posters I bet).
The privacy policy loaded up just fine for me.
Enough with the lame conspiracy theories.
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
The information you quoted was relevant to the information they collect as part of their member signup process. When you sign up to use their software on your web page, you have to give them enough information to create an account from which you can do things like specify settings for their application on your web page. It sounds perfectly logical and reasonable to me.
Thus, it has nothing at all to do with the data sent by their software client.
Web site privacy policies deal with the web sites only, not software delivered or advertised on those sites. That's why they call them "Web site privacy policies."
but, the internet already allows you to do this, just block the host that this comet thing is sending to. you could simply kill access to adfu.blockstakers.com, or whatever slashdot is using now to get rid of the ads.
surely, you're not saying that individuals shouldn't have the ability to block out information they don't want to see. I wouldn't want an internet where I didn't have (however theoretically) control over my packets
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
You're making the classic YRO assumption here, that all of the companies this Cursor group does business with are in on the conspiracy together. The only way they would be able to make the link you're suggesting is if they had the cooperation of all of their customers.
Large multi-corporate conspiracies to ruin the lives of CUSTOMERS not only sounds silly, but it doesn't sound like it's in the best interests of the companies themselves.
Think about this for a bit. If a company did start handing your personal information over (going against their posted privacy policies and likely breaking laws in the process), this would almost *certainly* be discovered. The resulting PR shitstorm would put both companies out of business, and depending on what they did with this information, the owners/CEO's would likely be in prison.
I'm not saying companies don't break the law occasionally, but you'll find few companies that are willing to risk felony convictions, bankruptcy, a tremendous amount of negative PR, and alienating and destroying the lives of the very customers that are giving them money in the first place. All for a marginal amount of marketing revenue.
It just doesn't make good business sense.
xoxo,
Andy
There's more salesdroids from hell who sell a closed-source API for Windoze developers to add banner ads to their apps, and get some ad revenue out of shareware users.
p Server.dll p Server.dll
Conducent is "Creating Internet Opportunities in Software" by integrating dynamic Internet functionality and advertising solutions in PC software applications. Proudly awarded the Computerworld Smithsonian Award, Conducent's proprietary technology delivers dynamic advertising in a variety of industry standard formats to the desktop for display within Windows 95 and 98 and Windows NT software.
How do I know this? A windoze 98 box, which had had the entire download.com top 500 installed on it, was taking a long time to start up, and I was called in to see what the problem was.
I fired up tcpdump on a nearby Linux machine, and watched the usual SMB sessions starting up, all within the LAN, then it started reaching out to the Internet...
It pings 149.1.1.1 a few times, then goes through the local proxy server, and does some really suspicious things:
GET http://bootstraps.conducent.com//scripts/Bootstra
POST http://updates.conducent.com/cgi-bin/vcp.cgi
GET http://bootstraps.conducent.com//scripts/Bootstra
POST http://contents.conducent.com:8080/BeginSession
GET http://adsdl.conducent.com//ads/1068/
POST http://216.33.199.84:8080/Ready
POST http://216.33.199.84:8080/EndSession
First it pings home (ooh, stealth!), then it goes and talks to its web server. It's doing more than just downloading fresh ads!
As the trainee who had installed all this crud wasn't around to answer questions, I don't know if there were any warnings that this app would steal your CPU and bandwidth to do some marketroid's job; does anyone else know?
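An added example, not part of the original comment or of any tool it names: one way to triage a proxy capture like the one quoted above, counting requests per destination and flagging uploads, non-standard ports and raw-IP destinations. The request lines are the ones in the comment, truncated exactly as posted; the function names are hypothetical, and the last function checks what a hostname-based block of conducent.com (an assumed blocklist entry) would still let through.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Request lines as quoted in the comment above (truncated URLs left as posted).
CAPTURED = """\
GET http://bootstraps.conducent.com//scripts/Bootstra
POST http://updates.conducent.com/cgi-bin/vcp.cgi
GET http://bootstraps.conducent.com//scripts/Bootstra
POST http://contents.conducent.com:8080/BeginSession
GET http://adsdl.conducent.com//ads/1068/
POST http://216.33.199.84:8080/Ready
POST http://216.33.199.84:8080/EndSession
"""

UPLOAD_METHODS = {"POST", "PUT"}            # methods that carry a request body outward
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def parse_requests(text):
    """Turn 'METHOD URL' lines into (method, host, port) tuples, skipping junk."""
    requests = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        method, url = parts[0].upper(), parts[1].strip()
        try:
            u = urlsplit(url)
            port = u.port                   # raises ValueError on a malformed port
        except ValueError:
            continue
        if u.scheme not in DEFAULT_PORTS or not u.hostname:
            continue
        requests.append((method, u.hostname, port or DEFAULT_PORTS[u.scheme]))
    return requests


def triage(text):
    """Per destination host: method counts plus flags worth a closer look."""
    report = {}
    for method, host, port in parse_requests(text):
        entry = report.setdefault(host, {"methods": Counter(), "flags": set()})
        entry["methods"][method] += 1
        if method in UPLOAD_METHODS:
            entry["flags"].add("upload")
        if port not in DEFAULT_PORTS.values():
            entry["flags"].add("non-standard-port")
        if is_ip_literal(host):
            entry["flags"].add("ip-literal")
    return report


def missed_by_domain_block(report, blocked_domains):
    """Destinations that a hostname-suffix blocklist would not cover."""
    missed = []
    for host in report:
        covered = any(host == d or host.endswith("." + d) for d in blocked_domains)
        if not covered:
            missed.append(host)
    return sorted(missed)


if __name__ == "__main__":
    report = triage(CAPTURED)
    for host, entry in sorted(report.items()):
        print(host, dict(entry["methods"]), sorted(entry["flags"]))
    print("not covered by blocking conducent.com:",
          missed_by_domain_block(report, ["conducent.com"]))
```

On this capture the raw-IP destination is the one that a name-based block leaves open, so an egress rule would need the address as well as the domain.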
storms-168-12.res.iastate.edu. That's always me (except when I'm running linux, at which the 12 changes to a 92 or something), and I can't imagine that it would be hard for a search site to correlate my IP with other information
Except I hardly ever use search engines any more, just Yahoo, if I'm looking for a particular topic. Maybe altavista in the rare case I need a particular string. With this, though *one* company knows *all* your surfing habits, not just that you looked up x86 assembly coding on Yahoo last june, or you looked for the string 'netbus 17' on altavista.
I suppose it might matter for those that use searches a lot, But I do think that this is a little different. esp since they tried to do it covertly (unlike the q3a thing)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
While, yes an individual website will know more about what you did at *their site*, this little bugger tracks you over the entire web, or at least would like to (right now, it has only 60,000).
In other words, CmndrTaco knows everything I do on slashdot, but he doesn't know what I do elsewhere. With this software, the 'comet' people know what you do on over 60k sites. (although, this isn't really that different than what doubleclick is capable of)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
puhlease!
big software companies are not the enemy, and open source is not the cure. open source would only be helpful in this regard if some organization, like TrustE had source review privileges, that ordinary consumers could recognize. (and you can imagine what a nightmare creating such a body would be for anyone but open source companies) the bottom line is that you would have to trust some organization or proxy other than your two eyes. and the people who are most likely to be victimized by software scallywags are not programmers, nor are they likely to know an open source TrustE review board from clipper initiatives.
smart folks who download junk software ought to know better, especially software from no-name, no-reputation companies. the rest of us have to trust *somebody*. smaller does not mean safer.
btw. if these comet guys were publicly held, where do you think the stock price would be today? somewhere between the toilet and the sewer. it's the dinky little companies with no assets to lose who are most likely to be unscrupulous.
fault-tolerant
Shrinkwrapped products are a separate issue, but as for things you had to go find for yourself, downloaded from the 'Net for yourself, and installed for yourself, stop bitching.
Real player does that, because it is a piece of bloatware and every time it starts up it takes ages. So this little StartCenter keeps important parts loaded in memory so that your Real Player starts faster when you need it. The new Real Player takes like 40 megs when installed. I think it has a full msie5 browser subsystem to render all those cool (but pointless) things when you go to Top 5 picks and stuff like that. That is why when I can I use Windows Media player.
This is more like something you should sue over, not the version string of your openGL being reported. Big Brother is watching.
Hi folks,
:)
:)
I'm removing the comet cursor because I don't think the gimmick of having my cursor turn into dilbert's head every morning is worth the price of allowing you to collect information about my browsing habits.
You might sell them to my employer
But seriously, although sometimes it may seem that we are already living in a world controlled by marketing people and spin doctors, I think personal statements as a "consumer" (I am actually also a person) that I don't like it and I am going to go out of my way to avoid it. At least I can occasionally feel like I am in control of my destiny.
Bye
Did it ever occur to you that they might have been using a form of JavaScript to load the privacy page?
"Privacy Statement"
*shrug* Earlier today, that line either didn't exist, or their asp server wasn't properly functioning. Seeing as how they have received press about this from a number of different sources, it seems reasonable that the privacy agreement had possibly been taken off-line for updating.
Why does everything have to be a conspiracy theory with you guys?
I ardently resent the association you draw between me and "you guys". I don't personally support "conspiracy theory" and I don't believe I have any of my own. I do however despise spam with all my heart and soul. This company appears to make money through "direct marketing", or spamming people. This offends me.
I don't care how good-natured their motives are, or how legitimate their business is. You sign up with them, they mail you about things you probably don't need or want. I realize there is an opt-out policy, as well as a means to have yourself removed from their lists. I frankly don't care. Their business's whole principle offends me.
You seem angry in your response to me. If you aren't angry yourself, perhaps you should reread your message, and listen to the tone? I'm angry because you've chosen to associate me with the conspiracy theorists. At least I have an excuse.
Sincerely,
Ryan Taylor
You would've thought that this kind of thing would be limited to sites hosted on the members.aol.com domain, but I have also read that many major, and worthwhile sites use this annoying thing!
When you went to some newbie webpage with the tacky "Always under construction" animated gif, scrolling status area javascript, and various HTML errors, and you had the "this site uses something called Comet Cursor as silly eye candy -- click to download" popup come up... how many of you actually got the damned thing?
There's no Linux version, so only people who are on Win9x or Mac were affected. Under Win9x, I've never seen one of these popups in the browser I use (Opera), although I get them in Linux (using Netscape). But even not having been directly affected by this, it makes you wonder. What exactly was that flash of the modem/NIC tx/rx lights for? Was it some closed-source app that is designed to work with an internet connection (IE 5.0, Real Player, Comet Cursor, etc) that can just go ahead and give away privacy information?
Don't use closed source if possible. If you have to, limit it, and make sure you have a firewall that blocks things going in and things going out.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The president, Jamie Rosen, said he was quite surprised with all the fuss since no user information was solicited.
FIRST POST!!!!!!!!!!!!!!!!!!!
first of all, what id did was not secret, it was clearly described in most of the readmes, and they *didn't* have any identifying information (such as mac address, or something)
there is a huge difference between what Id did, and what these people did, if you can't see that, then there is really something wrong with you. Is there a difference between a guy who grows pot in his back yard for him and a few friends, and a guy who runs a Crystal Meth lab, and poisons hundreds of people? well, yes.
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
What line?
The source code for the privacy link is as follows:
<a href="#" onClick='window.open("privacy.asp","","width=600,
If you had JavaScript disabled or were using a browser that didn't support it, the above would be equivalent to <a href="#">, which is simply a no-op link (perhaps reloading the same page).
In any event, this is the same link that's been there all day. I read the privacy statement some 10 minutes before you wrote your comment, and I tried it again when I read your comment, and it functioned the same both times.
If your browser is normal and the link didn't work for you one moment, but did the next, then I don't know what to tell you. Either your browser is buggy or you're right in that they were having problems with their site. I can't imagine any reason they would want to hide their privacy statement from people, though. There was nothing about it that put them in a bad light at all.
I do however despise spam with all my heart and soul. This company appears to make money through "direct marketing", or spamming people.
They make their money by putting a little advertising banner on web sites that use their Cursor code. Spam? Hardly. They do send out e-mails, however. Their privacy policy has this to say about it:
This seems like a fairly standard way for a company to act with respects to your e-mail address. I don't think this qualifies as spam in the least. They make you completely aware of what they're doing and always give you the option to refuse. What is the big deal here?
I'm angry because you've chosen to associate me with the conspiracy theorists.
I was annoyed that you jumped to the conclusion that they were Yet Another Evil Company based on the fact that it *looked* like they were trying to hide their privacy policies from everyone, which simply doesn't make any sense. Just because 'malice' is one possible explanation doesn't mean it's the correct one. In this case, it isn't even the logical explanation.
I'm sorry if my post came out sounding bitter -- I've written a dozen or two messages in this thread trying to combat the conspiracy theories that permeate most every YRO article, and some of these posts just get really moronic and I lose my patience. Sorry if that was the case here.
As a lawyer, I'd recommend pouring a hot bowl of grits down your pants. That would definitely show them.
Could this be considered a Trojan Horse program?
...with this kind of security. Anybody listening out there?
Well, the part where you said "even a portal can't run on thin air" didn't make much sense, when you changed the words.
But really, you're *obviously* uninformed. Not only did you not read the story, you didn't even read the little blurb fully! And yet, when someone calls you on it, you insult them!
That's classic. And by the way, anyone reading your post will think you're an idiot, whether or not the ideas are valid or not. If you don't even know who the story's about, how can we expect you to have any clue as to the implications of what's going on?
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
ug, id WAS NOT sending the data without any warning. all of the readme files up to the 1.09 demotest contained the info, and how to disable it. apparently the readme for 1.09 was cut down quite a bit, and that's one of the things that was removed
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
I DO wish these companies would stop hatching all these conspiracies... it's getting impossible to keep track of them. :-)
WHERE IS THE CURRENT VERSION OF THE SLASHDOT SOURCE CODE??? IT HASNT BEEN AVAILABLE SINCE THE IPO!!
--- Just focus on scrapping Windows, 'kay?
> company needs is exactly what they gather:
> your Web habits.
Suppose that you've visited some web sites that you wouldn't like other people to know about. (I know, you have never visited this kind of site, but just imagine if you had...) Now, suppose that someone, in the future, wants to harm you. Say, you want to be the next president of the USA. People would pay anything for this kind of information. Well, if someone collected a lot of information from different sources (comet, hotmail, linkexchange --- can you name others?), they could cross data and sell this information to your enemies. If this company was in another country, what could you do against it? NOTHING (Unless you're the next president... :)). Just think about that...
TRUSTe is a farce! Haven't you been paying attention?
test
I'm not one to ask for any intervention when it comes to information trading, but I'm starting to feel that there needs to be more laws in favor of the consumer. I don't think that this type of data collecting needs to be put to an end. But what should be done is make it required that the user is informed that information is being collected.
FIRST
/dev/random ! >:-)) gihihihHAHAHAH. :)
:))
:)
We need information about
what software sends data to
- what IPs
- what ports
- what protocols
- what GUID formats
- are there checksums?
THEN we write a platform-independent program
(say a perlscript)
- that generates unique user ids faster than you
can say
- well, there are some words no one here would say
loud, but they also would be perfect GUIDs
THEN
we donate it as a Christmas gift to everyone who wants it and make much noise about it, so everyone
uses it, because it's much cooler than seti@home
FINALLY
the GUID-Collecting sites must shut down the service, because they get 10 times as much GUIDs as there are Lifeforms on earth
if anyone knows some
data about sites collecting guids and what
format they are using, please feel free to
send it to me. i'll try to make such a program
but i have no idea what the data looks like and
what protocols "they" are using.
mfg
nuts
Never make anything simple and efficient when a way can be found to make it complex and wonderful.
Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.
I'm reminded of a quotation by Benjamin Franklin: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
If we value our rights, then those rights must be vigorously and unyieldingly defended. If we give in a little now, then we have eroded the foundation on which our liberty stands, and it becomes easier to give in again tomorrow, and the day after tomorrow.
History has shown, again and again, that little injustices if tolerated, lead to greater and greater injustices. Take World War II as an extreme example.
What we've seen so far is only the start. Without vigorous resistance now to violations of privacy, our right to privacy may disappear overnight. In this case, the line is very clear: software must not covertly send back data to their companies. Anything else is unacceptable.
--
Comet has issued a statement about the privacy concern. They have also formalized their privacy statement.
You can also download a patch from Comet that will remove the unique download ID from your installation of the Comet Cursor. Without an ID associated with your instance of the software, all they can track is that the cursor is being used and where, so they can charge clients, like Foxtrot, for the advertising. They can't track who is visiting that page (your surfing habits). So go download the patch now.
Does this alleviate any/all concerns? In my mind it seems to be OK again. My cursor-using sites will link to the patch DL page, though.
CT
Constitutionally Correct
I already sell this information to @PCData, and I don't like the idea of someone putting me in a position where I'm selling it to someone, and giving it away for free to another. Heck, this might even put me in some kind of compromised position with them. I'll have to read the User Agreement and see. (I doubt it, but then again, I shouldn't HAVE to be worried about this in the first place... I don't appreciate it.)
Nipok_Nek
Why choose white shoes?
even better than "He's dead, Jim."?
"Christ, he's dead!"