Cursor Software Tracks You On Web
fabrini writes "That cute little animated Comet Cursor, that some websites try to send you when you visit their site, is actually doing more than impressing the kids. It's also tracking your activity on over 60,000 websites using a unique serial number -- and all without asking."
For any lawyers out there, is there a reasonable basis for legal action if these accusations are true? Maybe it's time we did more than just complain and flame about it?
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another man's flamebait)
I honestly believe that they think everyone is a complete and total moron and just won't find out about crap like this.
Either that, or they really WANT people to hate them.
Fish! LipHo
We really need to get a group together that specializes in detecting this kind of activity. You know that it's going to get harder to detect this kind of activity as the network evolves.
Airgap baby. It's the only way we can be sure.
"a powerful and unexpected ally..."
They say they don't use it,
So why do they waste bandwidth/storage space collecting it?
Slowly closed source software is shooting itself in the foot with all these "trojans" that they add, but that they "don't use for any purpose". They'll soon not be able to use the security through obscurity catch phrase.
Maybe Open source software should use "Privacy through visibility" as a counterattack.
iain
IMHO, this is yet another of those cases where someone implemented a nifty feature without thinking it through. What we have here is a company that can, with some effort, find out what a person is doing. At the moment, all they know is that someone, somewhere, visited a certain number of sites.
There'll be the inevitable massive calls for boycotting, and (as tends to be the case), this will be an overreaction. I'm happy with Comet's response, and I don't think this is a reason to hang them out to dry.
Fact of the matter is, the only thing this company needs is exactly what they gather: your Web habits.
They're trying to defend themselves by saying they're not actually collecting your name or address, but that's not like this information matters to them.
Working for an e-commerce company, I can tell you what they want: they want list of clients. They want to know exactly what kind of people use their software. They want to target their publicity more closely.
If you ask me, it's BS when they say they're not actually using the info they collect. This information is invaluable to advertising companies, and knowing where everyone goes from your site on is the Holy Grail of target advertising on the Web. Many companies focus solely on providing companies with 'client lists'.
So it's BS when the PR guys say it's harmless. Fact of the matter is, they're doing it without asking permission.
Here's a little gem from the article:
Wow. I know people tend to pick on Gore for that misquoted bit about inventing the Internet, but that's very fair of him. I thought we were the only ones (we being geeks) throwing a temper tantrum about privacy on the net. Way to go. Too bad I'm Canadian, eh? :)
is why people who use this software are not infuriated by it. Now maybe they just don't know, but personally if I knew that some company was making money by selling my browsing patterns I would want a cut of their profits. After all I never did sign up for this. I am not sure about the laws regarding telemarketing but don't telemarketers have to at least let the people know that they are taking part in a survey or whatever? I believe they do, and I think this company should be held to the same standards. Is it too much to ask for a little pop-up that briefly explains the product's purpose?
"The importance of using technology in the right way has never been more clear."
"There's not a lot of reason to crunch that data because I don't see that it's in anyone's economic interests. We're stating for the record that we don't do that and we never will.''
Not in anyone's economic interests? Let's see: Joe X (referenced distinctly by his serial number) goes to this Britney Spears site, then the Disney site, then Yahoo, then CNN, etc. I'm sure many companies would be interested to know where people are actually visiting for advertising and marketing purposes, let alone for forming "strategic partnerships" with related sites. Although I know Yahoo, CNN, etc. don't use Comet, the potential does exist for the plugin to be used for these purposes.
Not knowing anything about the face behind the serial number isn't anything detrimental, in fact it's important because it's with that anonymity they claim they aren't doing anything wrong. Whether or not you know who I am doesn't make a lick of difference, you're still taking my information (essentially, my web browser history in progress).
Pablo Nevares, "the freshmaker".
What laws are they breaking?
For starters, there's the Data Protection Act (amended 1998). This requires all databases to be registered, along with a list of their structure, so that people upon whom information is held can serve a data disclosure notice on the database owners and find out what is being said about them. I believe there's also a requirement to notify the subjects that information about them is being stored.
(Violation: up to two years in prison and a honking great fine, although it's very rare for infractions to get as far as a prosecution.)
Next: Computer Misuse Act (1994). This act has teeth -- it was introduced as an anti-hacking measure and it would seem that if they're tampering with or using a computer in the UK for any purpose without the consent of the owner they could be liable for five years as a guest in one of Her Majesty's hotels. It is a criminal offense to run software on a computer without the owner's permission, or to cause software to be run (ditto), or indeed to do anything with a computer without permission from its owner. Oh, and you can be guilty even if you're not in the UK (but meddling with a UK-based computer), or if the computer's not in the UK (but you are).
Finally there's the EU declaration of human rights which, implemented in law, has an explicit right of privacy. The EU recently disseminated some directives on data security -- specifically banning the export of personal information from jurisdictions with strict privacy laws to other jurisdictions with weaker protection -- that means this company is violating the law, right across the EU.
Class action lawsuit, anybody?
A year or few ago I saw some report on TV or read somewhere about this Comet Cursor startup company. They made it out as if the idea of having a custom cursor was some sort of amazing and ingenious thing, and that it was cool. I didn't really see the point and thought it was just plain stupid (yeah, I'm Mr. Joe consumer, I am SO impressed that your site made my cursor into some stupid animation...yay, let me buy your product).
It's 10 PM. Do you know if you're un-American?
Probably the best thing going for Open Source right now is that the "normal" software companies are shooting themselves in the foot with all this nonsense. I mean really... I *like* certain Microsoft products (flame away), and can't really be considered an advocate of Open Source at all.
But the more of these kinds of cases pile up, they slowly change my mind. I look down at my System Tray right now and wonder just how many of those programs are sending information back to the company about what I do. I wonder what else they're doing. This was never a problem a couple of years ago.
Can we really trust anything that big software companies put out at this point? Time and time again they have proven that self-regulation doesn't work. They've proven they can't be trusted to make software with privacy or security in mind. For that matter, it seems that many of them can't even be trusted to make high quality software at all. (all the bug-laden games out there come to mind... most notably SiN and the 18MB patch required to make it run at all straight out of the box)
If we have any software developers and/or PR people who work for software companies, can you please explain to me how anyone can ever trust anything you put out ever again? Please don't use the "well we don't use the information we collect" lame excuse, I'm not falling for it. Why would you collect it at all if you don't intend to use it? You shouldn't be collecting it at all, you don't have any right to. I want an audio player that *gasp* plays audio! I don't want it monitoring me, if I wanted that I'd install a monitoring program.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Consider what you get if you buy the access logs for a bunch of web sites (some with login ids that can be tracked to house addresses, maybe from shipping information) and then add user tracker data like Comet that can identify a user between web sites. You can now track the user's access patterns across all the web sites, even those where he was anonymous.
This isn't anything too new, the banner ad companies do this already.
From what I understand, this silly cursor is just a Trojan horse aimed at user's privacy. What would be the point of the company otherwise? Their business is just based on this invasion of privacy. And BTW, their claim that they can't link to a single user is ridiculous: it just takes one filled up form asking for your email address in any of the 60'000 using, et voilà! you are tracked, welcome to big brother!!!
Any web developer can understand that. It's so fucking simple to do, just the fact that they claim it 'impossible' is an insult.
http://www.oneofthesites.com/subscribe.cgi?email=IF DEFINED(id) THEN
INSERT INTO bigbrother (email,sexual_orientation, age, crimescommitted, numberofpornbannerclickthrough, hasreceivednicescientologyleaflet)
VALUES ( -- edited for brevity
ELSE IF sexual_orientation = 'perverthomo' THEN
send_blackmail_asking_for_money()
ENDIF
ENDIF
--
I just attempted to load cometzone's web site and it doesn't allow you to unless you allow cookies. God I love junkbuster. The sad thing is I find this to be more and more of an issue. Why do they need to store a cookie for me to load the page? Admittedly they can do whatever they want with the website but I find this just plain stupid.
On a positive note,
I recently went to Axent's site to do some research on their products and found that I couldn't view any product information unless I allowed cookies. I thought this was plain stupid and I emailed the webmaster regarding it. Below is the QUICK response from the webmaster at Axent. He was honest and shared more information than he needed to share (he didn't even have to respond). I wish more companies had this attitude. My response back was that since I couldn't find a privacy statement, I wasn't planning on allowing the cookies because I wasn't sure of their purpose. He was a nice guy none the less.
Here's the email:
Subject: RE: Feedback
Date: Mon, 29 Nov 1999 11:03:48 -0500
From: Tony Stephens
To: "'jvincent@qa.butler.com'"
You will not receive any unsolicited information from us. Thanks for the
heads-up on the feedback page. You are right, it shouldn't say "Submit
Registration". As for the cookies, we have moved to a dynamic, data-driven
site powered by Mainspan. I'm not 100% sure what the cookies are for (I'm
real new at this job, still learning the site...no excuse, but a minor
explanation for my lack of a real explanation) but I'm assuming that they
are to allow the server to track (during the session only) your documents
and allow faster access to the ones you access. It's a variable called
"DocsActiveForUser". Again, I believe that this is what it is for. I will
look into this further. I agree with you in the fact that for the public
site, it shouldn't be cookies, but rather session variables. But I'm sure
it's for the purpose of providing you the information you want
faster...allowing you to kind-of 'keep track' of the documents you have
accessed. I assure you it's not for any tracking or informational gathering
uses of ours.
Thanks.
Tony Stephens
Webmaster
AXENT Technologies, Inc.
2400 Research Blvd. #200
p: 301.670.3644
e: tstephens@axent.com
e: webmaster@axent.com
w: www.axent.com
-----Original Message-----
From: jvincent@qa.butler.com [mailto:jvincent@qa.butler.com]
Sent: Monday, November 29, 1999 9:09 AM
To: webmaster@axent.com
Subject: Feedback
Name: John E. Vincent
Phone:
Email: jvincent@qa.butler.com
PageLocation: Products
Feedback: I was browsing your site and noticed that to get information, my
browser has to accept cookies. Please provide me with a good reason that a
security company requires a cookie with an invalid expiration date to allow
me access to the most basic of information about your products. I notice
your submit button says "Submit Registration". This also serves to say that I
am not registering for anything. I do not want any unsolicited email from
your company other than a response to my question.
John E. Vincent
Network Administrator
BTSQA
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I am unconcerned by Slashdot (or anyone else, for that matter) recording my IP address because that information does not snoop my browsing habits, nor invade my privacy.
Think of IP logging as analogous to Caller ID: If I call your telephone, you have, IMHO, an inherent right to know who I am.
However, if you twiddle my phone so that when I call YOU it tells you about everyone ELSE I have called, that's invading my privacy. The critical distinction here is the collection of data on my interactions with third parties.
Of course, if a million Web site operators all pooled their IP logs, that would achieve the same result as Comet's dirty trick, but then the public at large would perceive a massive, evil conspiracy, it would make the 6 o'clock news, and they'd be stomped on by the law and public ire.
Hmmm, perhaps not such a bad idea here, either...
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
Hahahah notice the "Security Info" button as well.
"we value your security and privacy" =P BS
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Thing is, it would be easy to achieve their stated goals (count of unique visitors to a site) without raising the same privacy concerns.
Certainly each customer (that is, website with the cursor-changing support) has a serial number as well. Call this number "C", and call the serial number of the user whose cursor is changed "U". Instead of reporting the pair (C,U) to headquarters, simply report the pair (C,f(C,U)), where f is some one-way hash function. (e.g. MD5)
The information they (say they) want to collect is still collected, and yet it is impossible to do the correlation activity that privacy people are concerned about.
I agree, though, that it seems like someone just didn't think it through. Much as programmers need to be re-educated to think intelligently about security, it appears that privacy concerns need to be addressed similarly.
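The reporting scheme proposed in the comment above, as an added example that is not part of the original post or of Comet's software. It assumes HMAC-SHA-256 keyed with U in place of the MD5 the comment mentions, and the site names and serial numbers are constructed; the last function shows the caveat that the proposal only holds if U cannot be guessed by the collector.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def site_pseudonym(site_id: str, user_secret: bytes) -> str:
    """f(C, U): stable for one (site, user) pair, unrelated across sites."""
    return hmac.new(user_secret, site_id.encode(), hashlib.sha256).hexdigest()


def reports_raw(visits):
    """What the article describes: the pair (C, U) is sent as-is."""
    return [(site, secret.hex()) for site, secret in visits]


def reports_hashed(visits):
    """The comment's proposal: send (C, f(C, U)) instead."""
    return [(site, site_pseudonym(site, secret)) for site, secret in visits]


def unique_visitors(reports):
    """The stated goal: distinct visitors per customer site."""
    seen = defaultdict(set)
    for site, ident in reports:
        seen[site].add(ident)
    return {site: len(idents) for site, idents in seen.items()}


def cross_site_links(reports):
    """Identifiers that appear on more than one site (the tracking join)."""
    sites = defaultdict(set)
    for site, ident in reports:
        sites[ident].add(site)
    return {ident: s for ident, s in sites.items() if len(s) > 1}


def relink_by_enumeration(reports, candidate_secrets):
    """Caveat: if U comes from a small, known space (for example sequential
    serial numbers), the collector can recompute f(C, U) for every candidate
    and rebuild the cross-site profile the hash was meant to prevent."""
    reported = set(reports)
    site_ids = {site for site, _ in reports}
    linked = {}
    for secret in candidate_secrets:
        hit = {s for s in site_ids if (s, site_pseudonym(s, secret)) in reported}
        if len(hit) > 1:
            linked[secret] = hit
    return linked


def demo():
    # Constructed sample: two users with 128-bit random secrets made client-side.
    alice, bob = secrets.token_bytes(16), secrets.token_bytes(16)
    visits = [("site-A", alice), ("site-B", alice),
              ("site-A", alice), ("site-A", bob)]
    # Constructed weak case: U is a small sequential serial number.
    weak = [(site, serial.to_bytes(4, "big"))
            for site, serial in [("site-A", 17), ("site-B", 17), ("site-A", 4242)]]
    guesses = (n.to_bytes(4, "big") for n in range(10_000))
    relinked = relink_by_enumeration(reports_hashed(weak), guesses)
    return {
        "raw_counts": unique_visitors(reports_raw(visits)),
        "hashed_counts": unique_visitors(reports_hashed(visits)),
        "raw_links": len(cross_site_links(reports_raw(visits))),
        "hashed_links": len(cross_site_links(reports_hashed(visits))),
        "relinked_serials": sorted(int.from_bytes(s, "big") for s in relinked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Per-site counts are identical under both schemes; only the raw scheme yields a cross-site join, unless the secret is enumerable.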
With the current, disturbing trends towards the invasion of privacy by companies, I think I will never ever use anything but Open Source software anymore. This is really getting too far -- OK, fine, so this software "only" transmits a log of your web surfing to Comet, under the guise of displaying a cute cursor. How do you know one day somebody won't come up with something malicious?! How do you know that the next cute-cursor software you got from somewhere doesn't start transmitting files on your hard drive to some company? This may be paranoid, but I see this as a very likely possibility, given the current trend of increasing infringement of privacy by corporate entities. Gives a totally new meaning to "trojan horse".
At least if you only use Open Source software, there is always source code for you to double-check, to make sure that this piece of code you're going to run isn't going to transmit private files from your home directory to some company out there.
But, to go one step further, I'd say that even Open Source in itself may not be sufficient to prevent such kinds of exploits. Take any typical Linux system, for example. How many of us actually read the source code for all the software that we run?? How many sources can we read before exhausting our patience, and just say "forget it, let's just run this thing."? Of course, the redeeming thing is that if the source base is polluted with some bad code, the maintainer of the code would find out about it pretty quickly. But still, when Open Source becomes more and more widely adopted, there's a possibility that such things get overlooked.
Sounds like privacy is over. Would we just sit here and allow this to happen?
mikre he sophia he tou Mikrosophou.
Sure, but do you stop persecuting thieves because there are murderers?
They do use it. They just don't use it to track people. From what I gather from the article, the Comet people use this serial number to charge its customers (some of the people that use the software on their site). It's one of their methods for efficiently and accurately tracking this particular stream of revenue.
:) No one is safe.
In addition they might use some of it to do marketing research (although it is neither mentioned nor implied which means they might or they might not). The same things all those banner ads do. You want to worry about privacy? There's the motherlode of your personal viewing habits being sent across the internet - all corresponding nicely to your machine (IP), your e-mail (if your browser sends it - unlikely but possible), uniquely identifying your machine (via cookies unless you delete/disable them), and much more.
However most of this doesn't bother me. Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy sending a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug* All of this is benign information. Do I care that Carmack knows that someone out there (at IP # blah - if he even stores that data) is running version 1.09 and has a TNT2 Ultra? Or that Sir Cursor Changer knows someone (again, possible from my IP if they bother to store it) visited some web site?
Now: Send my SSN or CCN or Home Phone across the web without my permission?! That's in the interest of 'My Rights Online.'
Here's what SHOULD be done: Any app or web site that sends data back to its creators should register with a security watchdog organization such as TRUSTe. They should document their procedures and what they store and what could potentially be stored without a change on the client end (i.e. modifying the server to collect IP addresses). People can then get full disclosure on issues. Random and directed (in case of dispute) audits can be performed at the watchdog agency's discretion. If you think that Carmack is privately planning world domination based on the distribution of 3dfx chips in the world, you can complain to the appropriate agency.
Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.
And just think how much information CmdrTaco has collected from you.
"No remote images"
Hmmm.. So much for all the sites like /. that use another server for images.
Technical solutions are rarely suitable to these kinds of problems. The only reason that this sort of thing happens is because of the inherent openness and flexibility of the net. That flexibility makes it very hard to pin down a weakness and plug it. There is no design weakness here - merely an unfortunate usage.
Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.
-----
http://www.cometsystems.com/
And here's a link to help get rid of the Comet Cursor program. It's from the Comet Cursor people, but it probably does what it claims to. I think this is just a case of stupidity, not eeevil.
http://www.cometsystems.com/download/cleaner.shtml
Why choose white shoes?
Thanks. Another site to add to the 'absolutely forbidden' list in my firewall.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Read old Slashdot on cookies and banner ads.
Cookie "security" relies on cookies not being shared between servers. For a simple site, this works fine. When banner ad companies sell banners to many sites, then a loophole has opened whereby they can see cookies that were placed there by many sites that share the same banner servers. As banner servers are near monopoly industries, then that's a big source of cross-tracking data.
The fix is obvious, but it needs to be done in the browsers (or by a filter near to the browser).
Hacking obscure browser loopholes just isn't worth it for commercially honest (sic) data capture. There's not enough good data to be had that way (if you still use Mosaic on an Amiga with an unpatched ActiveX hole, then I doubt that you'd buy my product anyway). Illegal cracking (stealing credit card info etc.) is maybe worth looking for obscure browser holes, but market research is by its very nature a mass-market task.
Personally, I don't think that the "feature" they put in their software is a great sin. It collects information which they need to get paid for their efforts (even if /I/ don't think it's worth a penny, obviously they have customers who do). Yes, it can potentially be cross-referenced with legal identities. Of course, there are a lot of ways to do that now (cookies, web logs, etc).
What is deplorable is that they did not release such information to the people who downloaded the software.
If a company wants to produce software that monitors every keystroke I ever type on my computer, fine. If I want to use it, fine. However, I should be told before installing the software that such information will be collected.
If we are going to condemn their actions, then let us condemn them for their real crime. Collecting this information was not a crime. Collecting this information without the consent of their users is a crime, if not in a legal sense, then certainly in a moral sense.
I would expect the people here to understand this better than most. Software is never the issue, it's what's done with the software and in what manner that is the issue. The government wants to regulate crypto because it can be used for illegal purposes. The music and video industry want software and hardware that can reverse engineer/defeat copy protection to be illegal because it can be used for pirating. Yet, crypto allows private communication, e-commerce, and user identification that is desperately needed in a world that is rapidly becoming dependant on computer communications. And the same software and hardware that can be used to defeat copy protection can be used to help debug programs, burn CD archives of our work, and play DVD's on our linux boxes.
A tool is just that. A tool. However, someone who uses a crowbar to break into people's homes is a far cry from someone who uses a crowbar in the process of construction.
Please. Remember their crime. It's not the software, it's the lack of consent.
All operating systems suck. Some just suck less than others. (and some are virtual black holes)
What won't stop invasion of privacy is so-called disclosure in license agreements and readme files. First, nobody reads those, and second, they're too vague. I think that the info that ID gathered was perfectly acceptable, while what RealJukebox did was definitely not, and yet one generic disclosure statement would cover both.
I think that what we need is something similar to anti-virus software that sits between applications and the TCP/IP stack, and limits what different applications can do, putting up warnings and confirmation dialogs as necessary. I expect that my web browser will connect to internet sites. I don't expect that of most other software, and I want to be warned whenever that happens.
This should be similar in concept to some virus protection software. I expect FORMAT.EXE to format disks. I don't expect any other program to do so, and if anything else calls the INT13h or whatever it is (apologies for the DOS-isms), I want to know about it.
Of course, clever programmers could code around anything, just as virus writers avoid detection, but if any company employed such tricks, they'd really have a lot of explaining to do.
I just attempted to load Cometzone's website and it doesn't allow you to unless you allow cookies. God, I love Junkbuster. [...] Why do they need to store a cookie for me to load the page?
I know all you Linux/Apache hippies are going to laugh or something at this...
After CometZone's website struggles with your browser, it ends up at the page cookie.asp. Notice the extension-- asp. That stands for Active Server Page, referring to Active Server Pages, a server-side scripting technology from Microsoft. ASP normally runs on NT Servers running IIS3.0 and above.
When you visit an ASP site, it may send a session-level cookie to your browser, to identify you while you are on the site. Session-level means it lasts only as long as your browser is open. It is never stored on your hard drive in any cookie file. The cookie name usually starts with ASPSESSION followed by a bunch of random letters.
The reason this is sent is because some ASP sites use session variables-- global variables for all the scripts in the site that pertain to the current site visitor. The server stores these variables in its memory and uses the cookie it sent you to tell your session variables from everyone else's.
Now, as an ASP programmer, I can say that using session variables is a bad idea. Firstly, most users don't like cookies, and will disable or refuse them, meaning that the website will not be able to retain session information for the website users. Secondly, they use up server memory! If you have 400 users on your site, that's 400 copies of every session variable! (No jokes about NT Servers' load capacity, please.) Thankfully, it's possible to disable them and stick with only application variables (of which there is only one copy of, regardless of the user load). There are also other ways of maintaining state information, too.
They.... You mean the people who expect something for nothing by putting links to their software on their website?
They, the people that go "hmmm, let me run that useless software just for the hell of it".
Or they, that allow users to use the software they developed for free, and just happened to forget to mention they wanted something in return?
To me, it would seem fairly obvious that something's amiss about their offering. So little in the world is free. On the internet, almost all the free stuff comes at the cost of personal information. It doesn't excuse them for not attempting to tell users about the tracking functions. But why wasn't anyone asking?
Id secretly monitored people because they hadn't really thought about it at all. It just seemed natural and beneficial and, hey, who expects privacy and we're not matching up names...
It's this lax attitude that leads to another company saying "Hey, why not take this to the next level and completely track the user".
I got spammed recently by Barnes & Noble and they had a hidden img tag in the HTML version of their spam. The hidden image contained a unique number so that B&N knew exactly when I looked at their crap. (See Privacy Digest for more).
B&N thinks there's nothing wrong with this. Comet thinks there's nothing wrong. Id thinks there's nothing wrong. They all think they haven't crossed the line yet. If we keep allowing them to push this line, you can bet that people will keep pushing this line.
If you weren't mad at id, then where exactly do you draw the line? Comet isn't tracking names (yet). Sure, kids use Comet's Cursors... but kids also play video games. If you accept what id did, then you set yourself up for Comet.
-- Don't Tase me, bro!
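A way to spot the hidden, uniquely numbered image described in the comment above before a mail client fetches it, as an added example that is not part of the original post. The token pattern, the verdict names and the sample message (on example.com hosts) are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: a long digit or hex run looks like a per-recipient id.
TOKEN = re.compile(r"^(?:\d{6,}|[0-9a-fA-F]{12,})$")


def _tiny(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    return re.fullmatch(r"\s*0*[01](?:px)?\s*", (value or "").lower()) is not None


class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that are invisible and/or carry an id."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        url = urlsplit(attr.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, nothing is fetched
        style = attr.get("style", "").replace(" ", "").lower()
        invisible = (_tiny(attr.get("width")) or _tiny(attr.get("height"))
                     or "hidden" in attr
                     or "display:none" in style
                     or "visibility:hidden" in style)
        # Identifier candidates: query-string values and path segment stems.
        tokens = [v for _, v in parse_qsl(url.query) if TOKEN.match(v)]
        for segment in url.path.split("/"):
            stem = segment.rsplit(".", 1)[0]
            if TOKEN.match(stem):
                tokens.append(stem)
        if invisible and tokens:
            verdict = "beacon"            # hidden and uniquely numbered
        elif invisible:
            verdict = "invisible-remote-image"
        elif tokens:
            verdict = "tagged-image"      # visible, but still per-recipient
        else:
            return                        # ordinary remote image
        self.findings.append(
            {"verdict": verdict, "host": url.hostname, "tokens": tokens})


def scan_email_html(html):
    """Return one finding per suspicious remote image in an HTML mail body."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message body.
SAMPLE = """<html><body>
<p>Holiday offers inside!</p>
<img src="http://images.example.com/logo.gif" width="120" height="40">
<img src="cid:banner01" width="400" height="60">
<img src="http://track.example.com/open.gif?id=000123456789" width="1" height="1" />
<img src="http://images.example.com/promo/4f9a01c7d2be33aa.jpg" width="300" height="200">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE):
        print(finding)
```

A visible image with a per-recipient name reports the open just as well as a 1x1 pixel, which is why the only complete mitigation is not loading remote images in mail at all.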
Well, if they aren't using the information, then they should have no problem with someone reverse engineering their protocol and sending millions of bogus "hits" on random sites to their servers.
:-)
Any takers?
... is if this is installed on a developer/tester's workstation in an e-commerce/web design shop.
What kind of information could be gleaned from them by the record of all their internal urls?
In certain circumstances, this could be espionage.
(note : I know that now all sysadmins everywhere are banning this software, and they shouldn't have run it in the first place, but up until now, it's just been a harmless desktop toy. Who would have cared about it?)
For any IE user who doesn't trust the cleaner provided by the company:
Tools->Internet Options
Temporary Internet Files - Settings
View Objects to see all ActiveX controls that have been downloaded
Right-click the Comet Cursor->Remove
I did this in NT4. Dunno about 9x or 2k.
Rather hard to find... ehehe... I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convenient mishap. I tried the link in the license agreement which is incidentally labeled, "8. Privacy -- See our Privacy Statement"... this links back to the license agreement. So I tried "http://cometzone.cometsystems.com/privacy.asp#"... this worked. Here's what I found:
"Registration
Comet Systems gathers information about our Cometeers that allows us to offer compelling services in a manner that provides personal privacy protection as well. When you join CometZone, we ask you to provide us with some required information such as your email address and home page URL, and some optional information such as your name and address."
"Account Activity Logs
As a result of joining CometZone, a Cometeer account is set up for you on our system that contains your user settings and preferences, e.g., which Comet Cursor you've selected for each of your Cometeer web pages. Every time you login to CometZone, or change your CometZone settings or preferences, your Cometeer Activity Log ("Activity Log") is updated to reflect this activity. Comet Systems uses Activity Logs as a means for better understanding our Cometeers and their interests."
"...Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web... "
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
Sincerely,
Ryan Taylor
---
Just when you think you've invented something idiot proof, someone goes and invents a better idiot.
To claim that no business will collect data illegally for fear of being caught is like claiming no business will break environmental laws for fear of being caught by environmental watchgroups. It happens all the time. Some are caught - even some well-known names. Many others are not.
Our only defense is to make examples of those who are caught in the hopes that fewer will be willing to risk such business practices. It won't put a utopian end to such behavior, but it might help to prevent abusing privacy from becoming a standard business practice.
If you worry more about whether I got a name right or not, and ignore the contents of what I wrote, it's no wonder you're an AC. If you accuse me of posting without reading, you might want to look up a word in the dictionary. Hypocrite.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
> here is what it contains:
What we need is for some enterprising network programmer to provide us with an emulator app that will let us generate bogus messages of the right format and directed to the proper destination. Have it create a message with random content, or perhaps read strings from a user customization file that will allow insertion of fake but plausible text.
Better yet, have it read a database of known snoopers, so that a new program doesn't have to be written every time a new snooper is discovered: just have a cron job pick a random known snooper once per hour, and send out a bogus message. Then whenever you see a "Your Rights On-Line" post to /., you'll know it's time to download an updated database.
Don't generate enough messages to rate as a DOS attack, mind you: just enough to make sure their "sucker databases" are useless due to pollution with bogus messages.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
PS: You might also want to search for impression.log, and then examine every file with a similar creation date.
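The check suggested in the PS above (locate impression.log, then look at files with a similar timestamp), as an added example that is not part of any comment in this thread. The 300-second window, the function names and the sample file names other than impression.log are assumptions constructed for illustration; modification time is the default because creation time is not recorded portably.

```python
import os
import tempfile
from pathlib import Path


def file_time(path, use_creation=False):
    """Return the timestamp used for correlation (mtime unless creation is requested)."""
    st = os.stat(path)
    if use_creation:
        # st_birthtime exists on macOS/BSD; on Windows st_ctime is the creation time.
        # On Linux st_ctime is the inode-change time, so prefer mtime there.
        return getattr(st, "st_birthtime", st.st_ctime)
    return st.st_mtime


def find_companions(root, marker_name="impression.log",
                    window_seconds=300, use_creation=False):
    """Map each marker file under root to the files whose timestamp lies
    within window_seconds of it, nearest first."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, file_time(path, use_creation)))
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
    report = {}
    for marker, marker_ts in entries:
        if os.path.basename(marker).lower() != marker_name.lower():
            continue
        near = [(abs(ts - marker_ts), path) for path, ts in entries
                if path != marker and abs(ts - marker_ts) <= window_seconds]
        report[marker] = [path for _delta, path in sorted(near)]
    return report


def build_sample_tree(root):
    """Create a constructed directory tree with controlled timestamps."""
    base = 939_200_000  # constructed epoch value, not taken from the thread
    layout = {
        "plugin/impression.log": 0,
        "plugin/sample_component.dll": 20,    # constructed name
        "plugin/sample_settings.dat": -45,    # constructed name
        "docs/notes.txt": 86_400,             # a day later: outside the window
    }
    for rel, offset in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
        os.utime(path, (base + offset, base + offset))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for marker, companions in find_companions(tmp).items():
            print(marker)
            for path in companions:
                print("   ", path)
```
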
What the hell would these guys actually SELL here? A list saying "Cursor UserID 12345 visited sites http://abc.com and http://xyz.org"? How REMOTELY USEFUL is that information going to be to any potential marketer? At MOST, they'll be able to determine web site "genres" ("People visiting abc.com also seem to frequently visit xyz.org"). There is NO WAY to correlate this information with any other bit of information without all of the member web sites being in on the conspiracy and coughing up their access logs in real time, and even then, proxy servers and dynamic IP addressing would render this data virtually unusable (and nearly impossible to effectively mine, given the volume of data, and the low percentage of useful information).
Stop trying to break apart their statements and look for hidden sinister intentions here. It's clear they know what we're objecting to, and his statement was meant to try and remove those fears from our minds. There is NO reason to assume that they have, are or ever intend to use the information they've collected for any purpose other than what they've stated.
And I'd be very interested to know what sort of login ID you can glean from a URL that allows you to discover private information like a name or address. That sounds like a pretty piss-poor implementation of something and the maintainers need to be e-mailed.
Your identity is totally meaningless to these people. Your name serves no purpose in their efforts to bill their customers for use of their software. It makes no sense at all for them to ever want to record it, and even if they DID, and managed to sell your identity with a long list of rather questionable web sites (and userID's, whatever else you want to add to the conspiracy theory), SOMEONE WILL FIND OUT ABOUT IT. Things like this don't go undiscovered (look at the long line of YRO articles if you don't believe me). They will be caught and the PR shitstorm that results would leave the company penniless, perhaps even with their owners behind bars. Think about it.
If there were laws to support bonding of visiting software (I mean laws with consequences that can (really, really) NOT be absorbed by the unscrupulous as cost of doing business), then users could choose to lower their risks in a way backed with predictable legal recourse.
Big commercial operations could afford to provide this kind of assurance (assuming they aren't dependent on deception), but there ought to be a way for a small contributor to give assurances too. Open source is great, but I am not sure I have time to inspect all the code myself, especially if you include OS and libraries (;-), so it would be nice to have versions signed by trusted reviewers. Anybody have a list of trusted reviewers? Should they be bonded ?? Paid?
Huh?
When I visited the page I was presented with a dialog asking if I wanted to install the component. I explicitly indicated my desire to do so.
Even if it didn't ask me, it would still not be considered illegal. Nobody forced you to visit that web site, and the component is part of the content rendered on that site. If you don't want your browser automatically loading and displaying images or applets, DISABLE THEM. You can do that, you know. You are implicitly allowing them to run as part of your browser's normal operation. To say that this even remotely violates any law is absurd and unfounded. Consult a lawyer before you go off saying something is a criminal offense.
It's like saying, "I only authorized this web page to deliver one paragraph of text to be rendered in my browser, but instead, it caused my browser to render THREE paragraphs of text. Those two paragraphs are UNAUTHORIZED uses of my browser and computer's resources! I want to sue!"
You do realize your web browser itself is guilty of delivering far more trackable information than this little applet, yes? Why aren't you jumping up and down asking for web browsers to be banned?
as regards this cursor software thing, i'm amazed to see people saying that "logging someone's list of visited sites" is harmless!
They aren't being trojaned.
If they really were, they'd be breaking laws and they would have been prosecuted and convicted. This hasn't happened, nor will it, because they aren't breaking any laws.
If you really find the idea of sending an objective ID back to an application's source morally offensive, don't do business with that company. Vote with your pocketbook.
I personally don't see what the fuss is about. Things like this are rather benign and are FAR more numerous than you folks seem to think. The only impact these companies are ever going to have on my life is the continued presence of these YRO articles, since there will never be a shortage of topic material for them if every one of these instances is worthy of a daily YRO red alert.
Are you actually saying, on slashdot, that there is nothing free? what about linux or perl? Even in the windows world, there's lots of free, closed source software (such as the original winamp and mIRC, they went shareware when it became apparent that millions of people were using it and even if only 1% registered...)
I might be likely to run a little app if it looked interesting, and I certainly wouldn't expect it to actively track my web surfing
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convenient mishap.
Why does everything have to be a conspiracy theory with you guys? When something doesn't work is it always because the company responsible is being evil and trying to hide something from you?
Did it ever occur to you that they might have been using a form of JavaScript to load the privacy page? It seems that you're either using an obsolete browser or you've disabled JavaScript for some reason (which is pretty typical of YRO posters I bet).
The privacy policy loaded up just fine for me.
Enough with the lame conspiracy theories.
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
The information you quoted was relevant to the information they collect as part of their member signup process. When you sign up to use their software on your web page, you have to give them enough information to create an account from which you can do things like specify settings for their application on your web page. It sounds perfectly logical and reasonable to me.
Thus, it has nothing at all to do with the data sent by their software client.
Web site privacy policies deal with the web sites only, not software delivered or advertised on those sites. That's why they call them "Web site privacy policies."
but, the internet already allows you to do this, just block the host that this Comet thing is sending to. you could simply kill access to adfu.blockstakers.com, or whatever slashdot is using now to get rid of the ads.
surely, you're not saying that individuals shouldn't have the ability to block out information they don't want to see. I wouldn't want an internet where I didn't have (however theoretically) control over my packets
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
You're making the classic YRO assumption here, that all of the companies this Cursor group does business with are in on the conspiracy together. The only way they would be able to make the link you're suggesting is if they had the cooperation of all of their customers.
Large multi-corporate conspiracies to ruin the lives of CUSTOMERS not only sounds silly, but it doesn't sound like it's in the best interests of the companies themselves.
Think about this for a bit. If a company did start handing your personal information over (going against their posted privacy policies and likely breaking laws in the process), this would almost *certainly* be discovered. The resulting PR shitstorm would put both companies out of business, and depending on what they did with this information, the owners/CEO's would likely be in prison.
I'm not saying companies don't break the law occasionally, but you'll find few companies that are willing to risk felony convictions, bankruptcy, a tremendous amount of negative PR, and alienating and destroying the lives of the very customers that are giving them money in the first place. All for a marginal amount of marketing revenue.
It just doesn't make good business sense.
storms-168-12.res.iastate.edu. That's always me (except when I'm running linux, at which the 12 changes to a 92 or something), and I can't imagine that it would be hard for a search site to correlate my IP with other information
Except I hardly ever use search engines any more, Just Yahoo, if I'm looking for a particular topic. Maybe altavista in the rare case I need a particular string. With this, though *one* company knows *all* your surfing habits, not just that you looked up x86 assembly coding on Yahoo last June, or you looked for the string 'netbus 17' on altavista.
I suppose it might matter for those that use searches a lot, But I do think that this is a little different. esp since they tried to do it covertly (unlike the q3a thing)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
While, yes an individual website will know more about what you did at *their site*, this little bugger tracks you over the entire web, or at least would like to (right now, it has only 60,000).
In other words, CmdrTaco knows everything I do on slashdot, but he doesn't know what I do elsewhere. With this software, the 'Comet' people know what you do on over 60k sites. (although, this isn't really that different than what doubleclick is capable of)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
When you went to some newbie webpage with the tacky "Always under construction" animated gif, scrolling status area javascript, and various HTML errors, and you had the "this site uses something called Comet Cursor as silly eye candy -- click to download" popup come up... how many of you actually got the damned thing?
There's no Linux version, so only people who are on Win9x or Mac were affected. Under Win9x, I've never seen one of these popups in the browser I use (Opera), although I get them in Linux (using Netscape). But even not having been directly affected by this, it makes you wonder. What exactly was that flash of the modem/NIC tx/rx lights for? Was it some closed-source app that is designed to work with an internet connection (IE 5.0, Real Player, Comet Cursor, etc) that can just go ahead and give away privacy information?
Don't use closed source if possible. If you have to, limit it, and make sure you have a firewall that blocks things going in and things going out.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Seems like a trojan to me
If you use such a loose definition of 'trojan', the vast majority of software in use today would be classified as such.
Did you know your web browser sends not only its own browser version (complete with a description of your operating system) but the URL of the web page whose link you just followed to get there? Nowhere in the browser's documentation does it say it's going to do this, and I was never asked. Is it a trojan?
No, of course not.
Calling people kiddies is acting like a kiddie yourself. Grow up.
I wasn't calling you a kiddie. I was referring to the class of Slashdot poster that makes knee-jerk posts, responses and tends to bring the average IQ down a few dozen points. Stop taking these things so personally. I wasn't talking about you, unless you fit this profile, but that's out of the scope of this thread.
first of all, what id did was not secret, it was clearly described in most of the readmes, and they *didn't* have any identifying information (such as mac address, or something)
there is a huge difference between what Id did, and what these people did, if you can't see that, then there is really something wrong with you. Is there a difference between a guy who grows pot in his back yard for him and a few friends, and a guy who runs a Crystal Meth lab, and poisons hundreds of people? well, yes.
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
What line?
The source code for the privacy link is as follows:
<a href="#" onClick='window.open("privacy.asp","","width=600,
If you had JavaScript disabled or were using a browser that didn't support it, the above would be equivalent to <a href="#">, which is simply a no-op link (perhaps reloading the same page).
In any event, this is the same link that's been there all day. I read the privacy statement some 10 minutes before you wrote your comment, and I tried it again when I read your comment, and it functioned the same both times.
If your browser is normal and the link didn't work for you one moment, but did the next, then I don't know what to tell you. Either your browser is buggy or you're right in that they were having problems with their site. I can't imagine any reason they would want to hide their privacy statement from people, though. There was nothing about it that put them in a bad light at all.
I do however despise spam with all my heart and soul. This company appears to make money through "direct marketing", or spamming people.
They make their money by putting a little advertising banner on web sites that use their Cursor code. Spam? Hardly. They do send out e-mails, however. Their privacy policy has this to say about it:
This seems like a fairly standard way for a company to act with respect to your e-mail address. I don't think this qualifies as spam in the least. They make you completely aware of what they're doing and always give you the option to refuse. What is the big deal here?
I'm angry because you've chosen to associate me with the conspiracy theorists.
I was annoyed that you jumped to the conclusion that they were Yet Another Evil Company based on the fact that it *looked* like they were trying to hide their privacy policies from everyone, which simply doesn't make any sense. Just because 'malice' is one possible explanation doesn't mean it's the correct one. In this case, it isn't even the logical explanation.
I'm sorry if my post came out sounding bitter -- I've written a dozen or two messages in this thread trying to combat the conspiracy theories that permeate most every YRO article, and some of these posts just get really moronic and I lose my patience. Sorry if that was the case here.
Well, the part where you said "even a portal can't run on thin air" didn't make much sense, when you changed the words.
But really, you're *obviously* uninformed. Not only did you not read the story, you didn't even read the little blurb fully! And yet, when someone calls you on it, you insult them!
That's classic. And by the way, anyone reading your post will think you're an idiot, whether or not the ideas are valid or not. If you don't even know who the story's about, how can we expect you to have any clue as to the implications of what's going on?
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
ug, id WAS NOT sending the data without any warning. all of the readme files up to the 1.09 demotest contained the info, and how to disable it. apparently the readme for 1.09 was cut down quite a bit, and that's one of the things that was removed
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.
I'm reminded of a quotation by Benjamin Franklin: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
If we value our rights, then those rights must be vigorously and unyieldingly defended. If we give in a little now, then we have eroded the foundation on which our liberty stands, and it becomes easier to give in again tomorrow, and the day after tomorrow.
History has shown, again and again, that little injustices if tolerated, lead to greater and greater injustices. Take World War II as an extreme example.
What we've seen so far is only the start. Without vigorous resistance now to violations of privacy, our right to privacy may disappear overnight. In this case, the line is very clear: software must not covertly send back data to their companies. Anything else is unacceptable.
D'oh! My bad... Hmm, let's hope nobody here is also reading my flame on ntsecurity's spelling.... :-)
Oh, D'oh!