It turns out that the cookies Doubleclick issues are hex numbers in sequence, so if you get enough, you can tell how many are being issued and other fascinating statistical facts.
Watch the banner ad impressions roll in as all the Linux freaks read the original article, read the comments, and post their own comment, seeing a banner ad every time.
Carling, Degler, and Dennis, in Linux System Administration, write, "The aims of a security policy are to preserve data integrity, ensure availability, and protect the confidentiality of data." Pay attention to that last one. Is there anyone who you don't want to know what pages users are looking at from work? Maybe they're reading an on-line catalog, and anyone who did traffic analysis on them would have a good guess at the Bill of Materials for your company's next product.
"Consumers are distressingly, disappointingly obtuse when it comes to their own personal privacy." -- Esther Dyson
Why did Slashdot choose not to either fight the bogus Unisys LZW patent, or to remove GIF images?
ddccss, the Distributed DoubleClick Cookie Snarfing System, now has more than 15 million DoubleClick cookies in its archive.
Also, there's a Fucking Retards Guide to Blocking doubleclick.net.
If you're too lazy to go to Radio Shack, there's a web form you can fill out to get a cat.
Please, Linux freaks, if you're going to read and comment on "Linux sucks" stories, use Junkbuster. News sites have found out that they can make money by saying Linux sucks, and they're just going to say it more.
Tweaking meta tags to ensure high placement in search results is dead, dead, dead. AltaVista is doing a rank-by-number-of-links thing, just like Google. ("Raging Search" and "AltaVista" are the same information, just different layouts.)
Universities are evil proprietary-software-requiring, Linux-banning, too-much-money-charging, free-speech-stomping, bogus-patent-filing bureaucratic Stalinist hellholes anyway.
It's too late for me -- but young hackers, save yourselves! Don't go.
Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.
"Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.
Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.
Randal Schwartz's really simple proxy was what I used as a framework for a one-shot "slashdot munger" to fix a particularly crack-addled wide layout this site was using for a while, and this one looks full-featured but still under development. (Abigail's didn't come up in a perl.com search though.)
Then a lot of websites lose their income, and that will be the end of them - including your beloved slashdot.
Please don't confuse criticism of abuse of a medium with criticism of the medium. This is like saying people should be for email spam because stopping it would mean companies couldn't answer customer support questions by email.
The issue is cross-site tracking, not advertising in general.
You *do* realize that the ads on slashdot can be used for exactly the same thing doubleclick is using them for, don't you?
Read the cookie spec. If my browser gets a cookie from images.slashdot.org, it won't send it back to ads.advogato.org. If slashdot.org goes on a global ad system like doubleclick.net, I think a lot of readers would block their ads.
LWP is an excellent collection of Perl modules for understanding and exploring HTTP headers and cookies. You can use it to test your own cookie-based site and make sure that web applications you develop don't choke when the user passes in an unexpected cookie. You can get a good understanding of the HTTP protocol writing relatively simple scripts. (Sample applications and recommended books on the page too.)
There's been enough publicity about this issue that AOL can't quietly remove Mozilla's (very impressive) image and cookie blocking features. But we should be looking for a general solution to protect all users from tracking, not just a tweakable option that protects only people who know how to compile and configure.
What indeed? Let him be caught surfing for pr0n by all means ;)
That doesn't work.
1. Some people are required to take users' privacy into account. "Let skript kiddiez read his mail, he's just an ignorant user" doesn't work with responsible sysadmins, and neither should intrusive tracking.
2. When Doubleclick gets big enough, it can buy Congress and get ad filtering banned. (It worked for the MPAA.)
Dan,
Good points and it doesn't need to be done in the browser. It can be done in several different places -- the browser, web proxy, router, name server -- and others linked to from other posts in this thread, like the Microsoft Windows Registry or /etc/hosts. Any one of them works.
Discussions like this one get technical people to block Doubleclick for others -- maybe regular users don't care about privacy, and ISPs won't do anything about it, but you can bet that company sysadmins are paying attention. Confidentiality and paranoia are all in a day's work for them. And considering that many of Doubleclick's client web sites depend on traffic from people who are supposed to be working...well, it's not too long before some of them start dropping Doubleclick. Even if a relatively small number of sites block effectively, the content providers will be increasingly motivated to switch.
And that leaves Doubleclick stock in the shitter, and sysadmins looking from banner site to banner site, saying, "who's going to try it next?"
"No inter-site tracking" will become as much an accepted net business practice as "no spam." Isn't having a villain handy?
If Doubleclick starts hiding behind hostnames in many domains, the cookies from doubleclick.foo.com won't go to doubleclick.bar.com, and they can't track. They have to use one domain to get their cookies back. And that makes them vulnerable even if you don't have an armored backhoe to dig up their net connection.
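The cookie-scoping rule the comment above and the "read the cookie spec" comment rely on, worked through with Python's http.cookiejar as an added example (not code from the original page; every hostname and cookie value here is constructed): a cookie set without a Domain attribute goes back only to the host that set it, while Domain=.doubleclick.net lets one id come back from every client site's banner, and per-client hostnames in different domains cannot share an id.

```python
# Added example, not from the page: cookie scope rules via http.cookiejar.
# All hostnames and cookie values below are constructed for illustration.
import http.client
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Stand-in for an HTTP response: CookieJar only reads .info() headers."""

    def __init__(self, set_cookie_values):
        self._headers = http.client.HTTPMessage()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def store_cookie(jar, url, set_cookie_value):
    """Feed one Set-Cookie header into the jar as if it came from url."""
    jar.extract_cookies(FakeResponse([set_cookie_value]), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would send to url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo():
    jar = CookieJar()
    # Site-local cookie with no Domain attribute: scoped to the host that set it.
    store_cookie(jar, "http://images.slashdot.org/banner.gif", "id=slash1")
    # Ad-network cookie: Domain=.doubleclick.net covers every ad host, so the
    # same id comes back whichever client site embedded the banner.
    store_cookie(jar, "http://ad.doubleclick.net/ad/site1",
                 "id=abc123; domain=.doubleclick.net; path=/")
    # Per-client hostnames in different domains cannot share a cookie.
    store_cookie(jar, "http://doubleclick.foo.com/ad", "id=xyz; path=/")
    return {
        "slashdot_to_slashdot": cookie_header_for(jar, "http://images.slashdot.org/x.gif"),
        "slashdot_to_advogato": cookie_header_for(jar, "http://ads.advogato.org/ad.gif"),
        "dc_from_site2": cookie_header_for(jar, "http://ad.doubleclick.net/ad/site2"),
        "dc_other_host": cookie_header_for(jar, "http://m.doubleclick.net/ad"),
        "foo_to_foo": cookie_header_for(jar, "http://doubleclick.foo.com/ad"),
        "foo_to_bar": cookie_header_for(jar, "http://doubleclick.bar.com/ad"),
    }
```

Note that the default policy here does not treat third-party requests specially; that is the point, since only a single shared domain (or a blocked one) decides whether the id comes back.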
You don't need to write a new zonefile. You can use the "db.local" or "named.local" zonefile.
When users are giving up information about your company without knowing it, it's just like any other exploit. Users don't know how to block it so it's up to you. (And we are talking company information here -- unless all they do is look at porn and stock tickers.)
It is your responsibility to block doubleclick.net web tracking, just like it's your responsibility to keep people outside your organization from reading /var/log/maillog.
I've posted this quick-and-dirty way to block doubleclick before, and I'll post it again:
zone "doubleclick.net" {
type master;
file "db.local";
};
See this privacy note for detailed instructions for Red Hat and Debian. With a 5-minute tweak, you can protect the web traffic of everyone who uses your name server. (While you're logged in to the name server anyway, make sure you have the latest BIND.)
Yes, it's better to run a real proxy, or go around to everyone's machine and disable cookies, or do it some other "Right Way." But better to do what you have time for than to not do anything.
You might be interested in Mike Schinkel's "Notes on how to configure IIS for PNG". (It's a zipped Microsoft Word document but those of you with Microsoft IIS probably have Microsoft Word too.)
System administrators are responsible for protecting user security even if users don't understand the security threat. For example, we don't let users read each other's mail, even if they want to.
Part of protecting user security is blocking the worst, most intrusive web tracking. See this 5-minute privacy tweak to disable doubleclick.net tracking for your entire site, and this article for more good reasons why.
It's fast, it's easy, and it protects your whole network, not just your one browser. It's the Pigdog DoBBS (Denial of Big Brother Service)
Send mail to letters@latimes.com
You must include your full name, street address, and daytime phone number.
Instructions page for how to write letters.
Remember, short letters that make one correct factual point each are most likely to get printed.
Did andover.net pay Unisys to use GIFs on slashdot.org and its other sites? And, if so, why is a leading open source news site giving direct financial support to software patents?
GIFs are evil anyway.
Jon,
As long as you use the fucking “smart quotes”, a good fraction of the comments will be about what a standards-violating IDIOT you are, not about the article's contents.
You're an idiot.
Rob's an idiot for not running the demoronizer on your so-called HTML.
I'm a bigger idiot for spamming the comments without reading the article.
But if you do something annoying -- like write an article on a wiffleball bat and tap someone on the head with it -- expect the reader to react to the style not the content.
Did I say you're an idiot?
Don
The place I work has a pretty good way out of the idiotic morass:
1. We go to Linux user group meetings and announce that we're hiring.
2. We buy beer for free software authors and ask them to come work for us.
So if you want a good geek job, go to those user group meetings, or just start a user group and invite employers to announce jobs.
Ignore Mindcraft, concentrate on the customer.
You can change /etc/fstab to mount /usr read-only by default, then manually remount it read/write when you need to install or upgrade stuff. AFAIK read-only mounts don't count toward the maximal mount count for fsck.