apparently, there's a size limit for the comment display and i went past it. sorry. if you hit the "reply to this" button, you see the whole comment. that looks like a bug in slashcode. for simpler reference, here's the part that was cut off:
worried about cookies? javascript:alert(document.cookie) in the address bar will show you what cookies are being sent back from that page.
worried about dcs tracking?
load the page in mozilla's javascript debugger and it will show you all the.js on the page and allow you to look at what it does.
worried about "invisible" images?
use internet exploder v.6. among its features is the "privacy report", which will provide you with a complete list of images served on a site, whether or not they are written to the page, along with whether or not the serving of that image includes a cookie.
more information about that cookie
if we look at the privacy report in internet exploder for the do-not-call site, we find that a cookie is indeed being served by the dcs server. isn't that a violation of the gov't policy? let's find out by looking at the cookie in mozilla's cookie manager. go here to see the results.
there's an old saying: think first, then talk. it really is a shame that it isn't heeded by more people around here. but, i reserve most of my contempt for the guy who made the original report, James Parry, and Andrew Orlowski, the reporter who wrote it up. neither of these individuals did the slightest research before producing their foaming-at-the-mouth print item. i don't know if they were just lazy, or indifferent to being accurate in their reporting. either way, they have no credibility with me, and should have none with you. simply put, they are not reliable sources of information.
seldom have i seen less thought go into more verbiage than in this thread.
first of all, government sites are forbidden to use cookies! DOH! period, no exceptions, end of story. there is no cookie tracking (aka permanent cookies). if it ends in.gov and it is a government agency (there are a couple exceptions, such as the federal reserve bank, which is not a gov't agency), there are no permanent cookies being served on the page.
and now for some facts and a lesson in web technology
the referenced code comes from the Data Collection Server, a product of WebTrends, which is a division of NetIQ Corp.
DCS works by collecting clientside information from javascript embedded on the page. that information is sent to a special web server at the customer end (the owner of the dcs installation, in this case, att, apparently). that server takes the url of the image and converts the query string into a log entry, w3c extended format, and writes it to a log.
the owner of the dcs installation then runs another netiq product, such as webtrends reporting center, against the log and produces reports of site activity.
these reports do not contain any personally verifiable information. anyone with a brain larger than a walnut could figure this out. how do you think they are going to process web server log files in the gigabyte size range to extract personal information?
the dcs image called in the javascript is never written to the page. it doesn't need to be. the only thing that dcs requires to work is that the image call be made with the necessary information. That information includes such dangerous items as, the name of the page (document.url), the referrer (document.referer), the browser (navigator.userAgent), the time zone (getTimezoneOffset()), the color depth of your video (screen.colorDepth) and the screen resolution (screen.width "x" screen.height).
here is an example of how the information is transmitted:
DCS image URL
it's not unusual for dcs servers to serve a cookie for visitor tracking purposes. the server has an optional plugin that can be used to set this cookie. the cookie set by the dcs server contains only an identifying number that allows the subsequent log file analysis to distinguish between new and returning visitors. if a cookie is served by the dcs server, that is all it can do. more on that later.
because the image is not written to the page, "scrubbers" are worthless and it can't be detected in the browser unless you look at the code on the page. it's just att's bad luck that they left the "no script" tag on the page, which is designed to let them know how much traffic is generated from browsers with javascript disabled. since that traffic is generally less than 5% and usually in the 1%-2% range, they would have been better off to just leave out that code, anyway. as it is, the slashdot lemmings have all rushed off the cliff and are probably on their way to a psych ward for recovery. if att had left off that code, this conversation would not even be taking place! it's fairly evident that neither James Parry nor Andrew Orlowski possessed the technical skills to find the image, otherwise.
variations of this code have been in production use of some of the largest sites on the web for over 3 years. i personally know some sites that are using this technology that are among the most heavily trafficked sites on the 'net and which are undoubtedly regularly used by slashdot lemmings. i know this, because i work for netiq as a consultant on webtrends products and i have helped with the installation of the product or its maintenance for many sites around the country.
finally, for those who can stop goosestepping in the panic storm, there are simple checks that can be made on any site using javascript.
worried about cookies? javascript:alert(document.cookie) in the address bar will show you
If the user has a tracking cookie from AT&T, that'll be sent back as well, which could potentially provide a link to personally-identifiable information. For example, if you pay your AT&T phone bill online, you could get a cookie that way. Then when you visit the DNC site, AT&T knows exactly which of their customers it was
put down that crack pipe and take a reality check. cookies can only be read from the domain in which they are issued.
it is impossible for att or anybody else to "grab" personal information from you in the manner described.
furthermore, companies like att are very sensitive to what is done with cookies because of the potential for abuse. cookies are not insecure because of what they do on your browser, they are insecure because everything that goes into the cookie goes into the server log file. they don't want sensitive information floating around the company in logs that usually are not secured.
criminy, are there any web-literate people on this site anymore?
Just a small nitpick - the article fails to mention that only users of browsers capable of (or set to by default) showing images can be tracked by this method.
no, only browsers with javascript enabled will pull the main image.
there is a subsidiary image that is pulled if the browser has javascript disabled, or if the browser is so old (pre javascript 1.1) that it doesn't understand javascript image arrays.
Interestingly, f-prot also makes a Linux version. Good for watching Samba shares, perhaps. I just downloaded it, though, so I'm not sure what its capabilities are.
i'll have to look into that. for me, the main thing is getting the word out that there are more good players in the av market that the big two you-know-who.
and if you want to purchase from, e.g., avg, the price is 1/2 of what you pay for That Other Software. (avg sells product subscriptions, $33 for two years, which is so reasonable, why would you even buy that other bloatware?)
i'll chime in for avg anti-virus (www.grisoft.com) but f-prot (www.f-prot.com) also makes a free version which i haven't tried but have seen praised. i do recommend avoiding mcafee & norton because they are bloated.
zone alarm free firewall, if you need one. i used it on my xp machine & it worked fine.
mozilla for windows is very nicely done. includes a mail client & a news client if you need them.
if you do a lot of digital photography, adobe makes photo album, which my wife says is satisfactory in the free version, though the cheap version has more features.
MS makes the baseline security analyzer and the iis lockdown tools available free for security purposes. i recommend you use at least the first one.
His only criticism follows from that, slamming people who whine about things and do nothing to help themselves, expecting others to fix their lives. In fact, that's one thing libertarians ought to be admired for. At least they try their best to proactively fix things on their own rather than demanding someone else, like the government, do it for them. I think that is quite an admirable trait in a person.
actually, like most libertarians, he assumes that people who want a law passed against spam are "whiners" and not "taking personal responsibility" in some way. that was actually my point, in that regard -- libertarians have this utopian fantasy that "taking personal responsibility" will somehow transform the desert into an oasis. "taking personal responsibility" is a code phrase for "become a libertarian" with all that implies, morally and ideologically.
Sitting on your butt and demanding a politician take care of it while you eat potatoi chips and watch Surviver is NOT taking personal responsibility.
no, but why do you assume that everyone who is working on or demanding legal action is so doing? i run linux/bsd/sunos on 6 of my 9 machines, procmail my incoming mail and have next to no real problem with spam ordinarily. i still would like to see some legal action taken to slow down the onslaught. the last worm-blast from m$ used variations on a "honeypot" address of mine & as a result, i received somewhere around 5000 of those mails in less than a week.
yes, that's an exception to the "spam" rule but i would like to see something that would promote a more active search for the butthead that did it. even though i'm not a windows user, i still paid a price in time and bandwidth for those who are.
so, i guess the first rule of "personal responsibility" would be: don't use windows.;-)
and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.
Where did you get the idea that that is the dominant social theorem for libertarians?
first, i got it from reading some of their literature, especially that rag published in port townsend, wa. second, i got it from reading their various posts around usenet and before that, on fidonet.
As far as I learned their views, their attitude is more accurately characterized as "if you don't put your actions where your mouth is, stop whining".
yeah, and everyone who is not a libertarian is automatically a "whiner."
The lives of people who don't take responsibility for their own life are not worth considering. After all, they don't do so themselves.
this kind of elitist bigotry makes you an excellent candidate for the role of libertarian. i come from a different school, one in which all human beings deserve respect, not just the ones that fall into your socioeconomic class or your political clique. it's because of people like you making the decision of whose lives are "not worth considering" that we are over in iraq right now, killing off civilians left and right. and, of course, let's not forget about israel, where animal abuse is a more serious offense than killing a palestinian. another classic decision of whose lives "are not worth considering."
nope, sorry. there are better ways of living and better ways of constructing a society than adopting the "virtue of selfishness" theory propounded by libertarians.
and, btw, every isp i've used has terms of service that forbid spamming, header forgery and abuse of system resources. so, yes, spammers are stealing bandwidth because they could not do what they are doing without getting kicked off the victim isp. in some cases, they lie to get an account, in others they hijack other users' accounts to do their work.
this is the standard libertarian fantasy, that the world would become just wonderful... if everybody became a libertarian. and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.
notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."
the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepeneurial spirit." if you're doing it to make money, a libertarian will bless you for it.
i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.
i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.
seems to me the obvious solution here... partner with another monitoring company to provide these services, possibly at a discounted rate. move this company off your servers by the simple expedient of making them redundant.
and if you're feeling vengeful, be sure to let them know that is what you are doing.
there are monitoring systems you can use inhouse, if you want to put the manpower into it.
i think the suggestions to get the company lawyers involved are correct, also. knowing where you stand legally is important.
ms makes a free tool called microsoft baseline security analyzer. if you haven't seen it, a copy of a sample report in open office format is available at MS Baseline Analyzer Report.
require every incoming machine owner to run this tool and provide a copy of the results to IT. don't turn on their ports until they do. in addition, require that machines already on the network provide an updated report at least once a term. this insures against machines going home for the holidays & returned borked up. in addition, you could require at least one report by a virus scanner to accompany the security report.
it's not perfect but it will insure that every machine coming onto the network has at least been tested. and it puts the work on the owner of the machine, not on the IT dept personnel. all you have to do is verify that the report is acceptable. yes, you'll have some paperwork -- well, a drive somewhere with student folders on it -- but i don't think the overhead will be overwhelming, even for thousands of students.
the old saying is... "common sense isn't." if i see a hundred tales of woe regarding "identity theft" here, am i going to run & hide? is the sky falling? i think not.
snap out of it! use some common sense! i had my checking acct raided -- and it wasn't "identity theft." it was a simple thing like... stealing my mail. some people stole my bills out the outbox at my (locked entrance) apt building, used my checks to get my acct number, printed up new checks with my account number and somebody else's name, and wrote about $1000 worth of checks against the acct. (1) my bills didn't get paid (2) my money disappeared.
folks, anybody wants access to your acct, it is as simple as stealing your mail on bill-paying day. furthermore, there is a team of thieves circulating in massachusetts with an even simpler scheme: they cover the card reader in an ATM with their own cardreader & put a wireless web cam where it can see the touchpad. then they line up the scanned cards with the pin numbers... and they own you. so far, they've gotten away with over $100,000. so much for your elaborate schemes with password protection.
how many financial accts are there in this country? 100 million? what's the actual percentage of them getting raided? try putting it into perspective. get your finger off the panic button.
my top two annoyances.
the linux "community," as typified here & in some mailing lists, has a collective head bigger than jack's beanstalk. hey fellas, guess what? who cares if you're a geeky stud puppet? can you put the bread on the table and the bacon in the bank? the computer is a tool. users have the obligation to use the best tool for the job.
now, the recent usability study that showed SuSe catching up to Windows was promising. but, judging from the commentary here, i'd say that most slasdotters do not want linux to become the "captain of the desktop & the queen's navee." they like the idea of somehow being special because of their... computer operating system??? whaaaat?
my technical peeve is printing. it's ironical that the system that originated as a printing system is horrible on the home front. i've used cups. it's satisfactory for normal office-type printing, but the setup and configuration are nontrivial. but setting up color printing is a freaking nightmare. which is why i do that off the winders machine.
there are other complaints here that are significant and accurate. it's too bad that there are so many users who want nothing to change, because they are a significant blockade to the improvement of the GNU/linux system. "Lead, follow, or get out of the way."
i think the 'bottom line' will be... do sales of CDs go up after this? if they do, riaa is vindicated. if they don't, riaa looks ineffectual or wrong-headed.
of course, if the self-righteously indignant stopped buying CDs and thus 'boycotted' riaa companies, riaa would be facing a truly unpleasant outcome to their practices.
i predict this won't happen. the people who are doing the bulk of this mp3 swapping are not 'music lovers' -- they're greedy people out for a free one, somewhat like people who loot after a riot. or, people who pig out at a buffet dinner. the fact that you down 10 hot dogs at a picnic does not make you a 'hot dog lover' -- it makes you a hog.
i don't believe that riaa's long term outlook is good. but i don't believe, either, that the users of p2p software will be the ones who break the back of the corporate music monopoly. i don't think they have the backbone or the persistence to take on that battle.
i detest riaa as the epitome of corporate greed and overweening hubris. but i don't have much respect for file downloaders, who so far have demonstrated no other moral character than that of their enemies. when i see some actual fighting back, some boycotts and letter campaigns, some court battles where downloaders actually put themselves at risk, some negative publicity for riaa, i'll change my mind.
no one should be fooled by lieberman's sudden 180.
we all know that his primary concern is to get into the pocketbooks of soccer moms, left and right. he is the senator from a state that depends heavily on defense contracting, has the city that ranks second in the nation in poverty (hartford), a school system in shambles, an unbalanced budget, a governor who has just been fined for the second time in 9 years for ethical improprieties (accepting gifts) and whose campaign team is headed by another convicted bribe-taker, where mayors of two major cities have either gone to jail for graft or are about to do so. he was until recently a ranking member of a far-right religious organization which procured funding for emigration-to-israel projects. (he quit that group when he started campaigning for prez.) and, remember that he pounded the lectern demanding censorship of the internet when running with gore.
the senator has done diddly for his state. he comes from a state where political corruption is business-as-usual and he is part & parcel of that package. he will do the same for the country, while lining his own pockets, if elected president. don't just not vote for this guy, work against him.
mp
Waterbury CT (37 yrs for the mayor for having sex with 8 & 10 yr-old girls, now waiting for his corruption trial to begin)
this is not a technical discussion about debian or any other distribution. i made a simple statement, which seems to have gone right by you. i'll repeat it. i install debian, the networking does not work. translated, that means, "I am not connected to my network." i install slackware, it does work. translated, that means "I am connected to my network." i'm sorry if you can't understand simple english, or distinguish between general statements made in the course of a general discussion, and technical descriptions made in the course of a technical discussion. the general discussion, which you seem not to have read, concerned the likely decision by debian maintainers to remove a significant percentage of the core documentation from the main installation.
your opinion of me is about as significant as the hairs on the back of a gnat's rearend. i do get irritated by people like you, who don't read the posts to which you are replying; but i realize that that is just the nature of the forum.
i suspect that i am like most slackware users -- we installed it because we have work to do. we want something simple, efficient and functional. you can keep your religious enthusiasm and your pious purity, as they seem to be important enough to you that you had to take time to call me names. they bore me, as does your flaming.
I don't know about that. I've been using Linux for 3 months, Debian the entire time, I'm a freak and have probably installed my system from scratch 40 times in that period. I'm a neat freak on my computer.
whatever works. i've been using slackware for years, it works right out of the box. it has a good installer, not that whacked out apt/dselect crap. never got a debian box to work straight up, never had a problem with slack.
i'm a chump, i never give up hope. so, periodically, i go back and give debian another try. i'm sure i will again. although, this horsepucky about documentation just puts me off completely. installing software without its documentation has got to be the most chuckleheaded idea i've come across in -- i don't know how long. a long time.
What's broken? Enter your networking information at install, or use DHCP to do it for you.
In other words, you're full of shit.
thanks for the intelligent reply. are you considered representative of the debian community? no wonder it's so small.
i'll stick with slackware. everything works when i install it. i don't have to go around figuring out what's missing and why the networking doesn't work out of the box.
which, by the way, as i've installed debian on two PCs and a laptop and it has NEVER worked oob, i consider that just to be the normal install for debian. and really, i don't give a shit what you think about it.
i do believe that your True Believer arrogance is typical of debian groupies. feel free to keep on proving me right. i don't doubt that the reason debian continues to have the WORST installation procedure short of starting from scratch, is that you fully express the indifference of the debian "community" to the concept of usability.
heh, and now that you propose to remove all "tainted" documentation, not only will your users have a horrible installation experience, but after the software is installed, they won't have any documentation! good idea!
Maybe some of the people engaging in this silly debate should spend some time writing some documentation instead of arguing over licensing. This kind of over-zealous ideological navel-gazing is really pathetic.
totally agree. documentation for free software ranges from nonexistent to horrible. periodically, i will go on binges where i go to freshmeat and browse through new releases and try some things out. or, maybe i just want to look over offerings in some area (recently, it was IDEs for java).
i never ceased to be amazed at the lousy documentation offered with some packages. i've downloaded items that had _no_ documentation whatever! zipola! how do these people expect anyone to actually install and use their product? the other day, i had one package that actually included incorrect instructions for installation. i had to work it out on my own.
this may be off-topic but... those who play chess probably remember years ago, the internet chess server was the only game in town. and, frankly, it was horrible. there were all kinds of abuses. one day i was even on there when a guy was making sexually suggestive comments to a 9 year-old girl who had logged in to play some chess.
then, a professor from carnegie-mellon named daniel sleator "hijacked" the ics, rewrote the entire code base and turned it into a "pay to play" forum. there was a riot. a lot of players were seriously upset. i myself got an ansi bomb in my email (remember those?) from a guy upset by my pro-ics stance. but, you know what? the abuses were gone. people started paying, just because of that. you could actually log in and play in a pleasant atmosphere.
the seriously upset people went off and founded the fics, the free internet chess server. and, to attract users, they implemented the procedures necessary to prevent the resurfacing of the abuses on the old ics. they worked hard to make fics attractive, not only from a dollar standpoint, which actually has limited utility, but from an experiential standpoint. they figured out what seemed to have escaped the administrators on the old ics -- people will choose a non-free alternative if it offers them a better experience. it's too bad that it took the "hijacking" of the free resource to teach this lesson.
my point in telling this long tale is that the same rule applies to software in general. people flocked to the paying option because it offered them the pleasant experience they desired. just so, i will not, and many people will not, use a poorly documented piece of software simply to avoid the licensing issues on a well-made, thoroughly documented piece of software. i won't. and most people won't. if i have work to do, i don't have time to "figure it out" piecemeal. emacs is the greatest editor in the world. i love it. but if it didn't have the best documentation of any editor in the world, i probably would not still be using it. i would be using something that had better documentation. (which wouldn't be vim. that help system must rank among the most UNhelpful. and it is a good example of how poor documentation can stymie even the most hopeful attempts to learn new software.)
lousy documentation is actually the main reason i tend to avoid new software packages of the "free" variety. as a rule, i will only pick them up if
i really need the item and can't avoid using it
i'm bored on a sunday afternoon and i've already finished with slashdot
i'm bored and there's nothing on tv
i'm bored
the fact is, almost all the best software documentation has come through the FSF. period. those naysayers and whiners from debian ought to take a lesson from the people who are actually doing the work.
what is going to happen at debian is, they will remove all the "tainted" documentation, and people who install their distribution will find themselves will all kinds of software that has no documentation. you don't have to be a rocket scientist to figure out that a lot of debian distros are going to get wiped off the hard disk as a result. free software will not benefit from their puritanical stance, and neither will debian itself.
sorry for the long rant. it's sunday afternoon.;-)
If you install a Debian distribution on your system created from the "main" repository, it is guarunteed that everything on your system, including an image of the system as a whole, is free at *least* in the sense of the GPL.
correct. of course, it won't be a working system, you will have to spend two or three hours reconfiguring it before you can do any useful work (like, read a slashdot thread in a graphical browser). but, that won't happen until after you fix its broken networking, anyway.
but hey, it's free as in free speech -- who cares if it works?
i think you missed the point. if you want to sit around the house and whine about how "fucked up" things are, and do nothing to make them better, and send money to tv megacorps to save your "favorite tv show," that says more about you than about the organizations i mentioned.
all of these organizations provide opt-out. use it. personally, i don't care if they send me junk mail -- it's not spam and they paid for it. and, i believe, in getting the word out about what is going on and what they are doing, they are doing good work for the cause.
in my experience, the biggest sources of junk mail and phone calls are credit card companies and magazines. dr dobbs journal and c/c++ users journal probably account for 30% of my junk mail. ymmv.
why would people waste their money on this? it's TV! get a life!
i have to agree, though perhaps not so vehemently. there are about one zillion things wrong with our society, and "saving" a tv show isn't going to fix a single one of them.
it's not only about "getting a life," it's also about getting priorities in order.
donate to the fsf, aclu, eff, a local charity, the developers of your favorite software over at sourceforge.
Slashdot Mirror
apparently, there's a size limit for the comment display and i went past it. sorry. if you hit the "reply to this" button, you see the whole comment. that looks like a bug in slashcode. for simpler reference, here's the part that was cut off:
worried about cookies?
javascript:alert(document.cookie) in the address bar will show you what cookies are being sent back from that page.
worried about dcs tracking? .js on the page and allow you to look at what it does.
load the page in mozilla's javascript debugger and it will show you all the
worried about "invisible" images?
use internet exploder v.6. among its features is the "privacy report", which will provide you with a complete list of images served on a site, whether or not they are written to the page, along with whether or not the serving of that image includes a cookie.
more information about that cookie
if we look at the privacy report in internet exploder for the do-not-call site, we find that a cookie is indeed being served by the dcs server. isn't that a violation of the gov't policy? let's find out by looking at the cookie in mozilla's cookie manager. go here to see the results.
there's an old saying: think first, then talk. it really is a shame that it isn't heeded by more people around here. but, i reserve most of my contempt for the guy who made the original report, James Parry, and Andrew Orlowski, the reporter who wrote it up. neither of these individuals did the slightest research before producing their foaming-at-the-mouth print item. i don't know if they were just lazy, or indifferent to being accurate in their reporting. either way, they have no credibility with me, and should have none with you. simply put, they are not reliable sources of information.
mp
first of all, government sites are forbidden to use cookies! DOH! period, no exceptions, end of story. there is no cookie tracking (aka permanent cookies). if it ends in .gov and it is a government agency (there are a couple exceptions, such as the federal reserve bank, which is not a gov't agency), there are no permanent cookies being served on the page.
and now for some facts and a lesson in web technology
the referenced code comes from the Data Collection Server, a product of WebTrends, which is a division of NetIQ Corp.
DCS works by collecting clientside information from javascript embedded on the page. that information is sent to a special web server at the customer end (the owner of the dcs installation, in this case, att, apparently). that server takes the url of the image and converts the query string into a log entry, w3c extended format, and writes it to a log.
the owner of the dcs installation then runs another netiq product, such as webtrends reporting center, against the log and produces reports of site activity.
these reports do not contain any personally verifiable information. anyone with a brain larger than a walnut could figure this out. how do you think they are going to process web server log files in the gigabyte size range to extract personal information?
the dcs image called in the javascript is never written to the page. it doesn't need to be. the only thing that dcs requires to work is that the image call be made with the necessary information. That information includes such dangerous items as, the name of the page (document.url), the referrer (document.referer), the browser (navigator.userAgent), the time zone (getTimezoneOffset()), the color depth of your video (screen.colorDepth) and the screen resolution (screen.width "x" screen.height).
here is an example of how the information is transmitted: DCS image URL
it's not unusual for dcs servers to serve a cookie for visitor tracking purposes. the server has an optional plugin that can be used to set this cookie. the cookie set by the dcs server contains only an identifying number that allows the subsequent log file analysis to distinguish between new and returning visitors. if a cookie is served by the dcs server, that is all it can do. more on that later.
because the image is not written to the page, "scrubbers" are worthless and it can't be detected in the browser unless you look at the code on the page. it's just att's bad luck that they left the "no script" tag on the page, which is designed to let them know how much traffic is generated from browsers with javascript disabled. since that traffic is generally less than 5% and usually in the 1%-2% range, they would have been better off to just leave out that code, anyway. as it is, the slashdot lemmings have all rushed off the cliff and are probably on their way to a psych ward for recovery. if att had left off that code, this conversation would not even be taking place! it's fairly evident that neither James Parry nor Andrew Orlowski possessed the technical skills to find the image, otherwise.
variations of this code have been in production use of some of the largest sites on the web for over 3 years. i personally know some sites that are using this technology that are among the most heavily trafficked sites on the 'net and which are undoubtedly regularly used by slashdot lemmings. i know this, because i work for netiq as a consultant on webtrends products and i have helped with the installation of the product or its maintenance for many sites around the country.
finally, for those who can stop goosestepping in the panic storm, there are simple checks that can be made on any site using javascript.
worried about cookies?
javascript:alert(document.cookie) in the address bar will show you
< img BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://g6589dcs.nyc2.aens.net/DCS000003_6D4Q/ njs.gif?dcsuri=/nojavascript" >
nothing, because that is part of a "no script" tag, so all you do is make it look like a lot of people with javascript disabled showed up.
mp
put down that crack pipe and take a reality check. cookies can only be read from the domain in which they are issued.
it is impossible for att or anybody else to "grab" personal information from you in the manner described.
furthermore, companies like att are very sensitive to what is done with cookies because of the potential for abuse. cookies are not insecure because of what they do on your browser, they are insecure because everything that goes into the cookie goes into the server log file. they don't want sensitive information floating around the company in logs that usually are not secured.
criminy, are there any web-literate people on this site anymore?
mp
no, only browsers with javascript enabled will pull the main image.
there is a subsidiary image that is pulled if the browser has javascript disabled, or if the browser is so old (pre javascript 1.1) that it doesn't understand javascript image arrays.
mp
i'll have to look into that. for me, the main thing is getting the word out that there are more good players in the av market that the big two you-know-who.
and if you want to purchase from, e.g., avg, the price is 1/2 of what you pay for That Other Software. (avg sells product subscriptions, $33 for two years, which is so reasonable, why would you even buy that other bloatware?)
mp
zone alarm free firewall, if you need one. i used it on my xp machine & it worked fine.
mozilla for windows is very nicely done. includes a mail client & a news client if you need them.
if you do a lot of digital photography, adobe makes photo album, which my wife says is satisfactory in the free version, though the cheap version has more features.
MS makes the baseline security analyzer and the iis lockdown tools available free for security purposes. i recommend you use at least the first one.
good luck.
mp
actually, like most libertarians, he assumes that people who want a law passed against spam are "whiners" and not "taking personal responsibility" in some way. that was actually my point, in that regard -- libertarians have this utopian fantasy that "taking personal responsibility" will somehow transform the desert into an oasis. "taking personal responsibility" is a code phrase for "become a libertarian" with all that implies, morally and ideologically.
Sitting on your butt and demanding a politician take care of it while you eat potatoi chips and watch Surviver is NOT taking personal responsibility.
no, but why do you assume that everyone who is working on or demanding legal action is so doing? i run linux/bsd/sunos on 6 of my 9 machines, procmail my incoming mail and have next to no real problem with spam ordinarily. i still would like to see some legal action taken to slow down the onslaught. the last worm-blast from m$ used variations on a "honeypot" address of mine & as a result, i received somewhere around 5000 of those mails in less than a week.
yes, that's an exception to the "spam" rule but i would like to see something that would promote a more active search for the butthead that did it. even though i'm not a windows user, i still paid a price in time and bandwidth for those who are.
so, i guess the first rule of "personal responsibility" would be: don't use windows. ;-)
mp
Where did you get the idea that that is the dominant social theorem for libertarians?
first, i got it from reading some of their literature, especially that rag published in port townsend, wa. second, i got it from reading their various posts around usenet and before that, on fidonet.
As far as I learned their views, their attitude is more accurately characterized as "if you don't put your actions where your mouth is, stop whining".
yeah, and everyone who is not a libertarian is automatically a "whiner."
The lives of people who don't take responsibility for their own life are not worth considering. After all, they don't do so themselves.
this kind of elitist bigotry makes you an excellent candidate for the role of libertarian. i come from a different school, one in which all human beings deserve respect, not just the ones that fall into your socioeconomic class or your political clique. it's because of people like you making the decision of whose lives are "not worth considering" that we are over in iraq right now, killing off civilians left and right. and, of course, let's not forget about israel, where animal abuse is a more serious offense than killing a palestinian. another classic decision of whose lives "are not worth considering."
nope, sorry. there are better ways of living and better ways of constructing a society than adopting the "virtue of selfishness" theory propounded by libertarians.
and, btw, every isp i've used has terms of service that forbid spamming, header forgery and abuse of system resources. so, yes, spammers are stealing bandwidth because they could not do what they are doing without getting kicked off the victim isp. in some cases, they lie to get an account, in others they hijack other users' accounts to do their work.
mp
notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."
the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepeneurial spirit." if you're doing it to make money, a libertarian will bless you for it.
i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.
i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.
that would rule.
mp
and if you're feeling vengeful, be sure to let them know that is what you are doing.
there are monitoring systems you can use inhouse, if you want to put the manpower into it.
i think the suggestions to get the company lawyers involved are correct, also. knowing where you stand legally is important.
mp
require every incoming machine owner to run this tool and provide a copy of the results to IT. don't turn on their ports until they do. in addition, require that machines already on the network provide an updated report at least once a term. this insures against machines going home for the holidays & returned borked up. in addition, you could require at least one report by a virus scanner to accompany the security report.
it's not perfect but it will insure that every machine coming onto the network has at least been tested. and it puts the work on the owner of the machine, not on the IT dept personnel. all you have to do is verify that the report is acceptable. yes, you'll have some paperwork -- well, a drive somewhere with student folders on it -- but i don't think the overhead will be overwhelming, even for thousands of students.
mp
Good! glad to see someone is pointing out the obvious. you cannot be legally bound by any document you were prevented from reading before signing.
there's no discussion. that ought to be a "doh!" all 'round. where's perry mason when you need him?
mp
snap out of it! use some common sense! i had my checking acct raided -- and it wasn't "identity theft." it was a simple thing like ... stealing my mail. some people stole my bills out the outbox at my (locked entrance) apt building, used my checks to get my acct number, printed up new checks with my account number and somebody else's name, and wrote about $1000 worth of checks against the acct. (1) my bills didn't get paid (2) my money disappeared.
folks, anybody wants access to your acct, it is as simple as stealing your mail on bill-paying day. furthermore, there is a team of thieves circulating in massachusetts with an even simpler scheme: they cover the card reader in an ATM with their own cardreader & put a wireless web cam where it can see the touchpad. then they line up the scanned cards with the pin numbers ... and they own you. so far, they've gotten away with over $100,000. so much for your elaborate schemes with password protection.
how many financial accts are there in this country? 100 million? what's the actual percentage of them getting raided? try putting it into perspective. get your finger off the panic button.
mp
now, the recent usability study that showed SuSe catching up to Windows was promising. but, judging from the commentary here, i'd say that most slasdotters do not want linux to become the "captain of the desktop & the queen's navee." they like the idea of somehow being special because of their ... computer operating system??? whaaaat?
my technical peeve is printing. it's ironical that the system that originated as a printing system is horrible on the home front. i've used cups. it's satisfactory for normal office-type printing, but the setup and configuration are nontrivial. but setting up color printing is a freaking nightmare. which is why i do that off the winders machine.
there are other complaints here that are significant and accurate. it's too bad that there are so many users who want nothing to change, because they are a significant blockade to the improvement of the GNU/linux system. "Lead, follow, or get out of the way."
mp
of course, if the self-righteously indignant stopped buying CDs and thus 'boycotted' riaa companies, riaa would be facing a truly unpleasant outcome to their practices.
i predict this won't happen. the people who are doing the bulk of this mp3 swapping are not 'music lovers' -- they're greedy people out for a free one, somewhat like people who loot after a riot. or, people who pig out at a buffet dinner. the fact that you down 10 hot dogs at a picnic does not make you a 'hot dog lover' -- it makes you a hog.
i don't believe that riaa's long term outlook is good. but i don't believe, either, that the users of p2p software will be the ones who break the back of the corporate music monopoly. i don't think they have the backbone or the persistence to take on that battle.
i detest riaa as the epitome of corporate greed and overweening hubris. but i don't have much respect for file downloaders, who so far have demonstrated no other moral character than that of their enemies. when i see some actual fighting back, some boycotts and letter campaigns, some court battles where downloaders actually put themselves at risk, some negative publicity for riaa, i'll change my mind.
mp
we all know that his primary concern is to get into the pocketbooks of soccer moms, left and right. he is the senator from a state that depends heavily on defense contracting, has the city that ranks second in the nation in poverty (hartford), a school system in shambles, an unbalanced budget, a governor who has just been fined for the second time in 9 years for ethical improprieties (accepting gifts) and whose campaign team is headed by another convicted bribe-taker, where mayors of two major cities have either gone to jail for graft or are about to do so. he was until recently a ranking member of a far-right religious organization which procured funding for emigration-to-israel projects. (he quit that group when he started campaigning for prez.) and, remember that he pounded the lectern demanding censorship of the internet when running with gore.
the senator has done diddly for his state. he comes from a state where political corruption is business-as-usual and he is part & parcel of that package. he will do the same for the country, while lining his own pockets, if elected president. don't just not vote for this guy, work against him.
mp
Waterbury CT (37 yrs for the mayor for having sex with 8 & 10 yr-old girls, now waiting for his corruption trial to begin)
this is not a technical discussion about debian or any other distribution. i made a simple statement, which seems to have gone right by you. i'll repeat it. i install debian, the networking does not work. translated, that means, "I am not connected to my network." i install slackware, it does work. translated, that means "I am connected to my network." i'm sorry if you can't understand simple english, or distinguish between general statements made in the course of a general discussion, and technical descriptions made in the course of a technical discussion. the general discussion, which you seem not to have read, concerned the likely decision by debian maintainers to remove a significant percentage of the core documentation from the main installation.
your opinion of me is about as significant as the hairs on the back of a gnat's rearend. i do get irritated by people like you, who don't read the posts to which you are replying; but i realize that that is just the nature of the forum.
i suspect that i am like most slackware users -- we installed it because we have work to do. we want something simple, efficient and functional. you can keep your religious enthusiasm and your pious purity, as they seem to be important enough to you that you had to take time to call me names. they bore me, as does your flaming.
thanks for sharing.
mp
mp
whatever works. i've been using slackware for years, it works right out of the box. it has a good installer, not that whacked out apt/dselect crap. never got a debian box to work straight up, never had a problem with slack.
i'm a chump, i never give up hope. so, periodically, i go back and give debian another try. i'm sure i will again. although, this horsepucky about documentation just puts me off completely. installing software without its documentation has got to be the most chuckleheaded idea i've come across in -- i don't know how long. a long time.
mp
In other words, you're full of shit.
thanks for the intelligent reply. are you considered representative of the debian community? no wonder it's so small.
i'll stick with slackware. everything works when i install it. i don't have to go around figuring out what's missing and why the networking doesn't work out of the box.
which, by the way, as i've installed debian on two PCs and a laptop and it has NEVER worked oob, i consider that just to be the normal install for debian. and really, i don't give a shit what you think about it.
i do believe that your True Believer arrogance is typical of debian groupies. feel free to keep on proving me right. i don't doubt that the reason debian continues to have the WORST installation procedure short of starting from scratch, is that you fully express the indifference of the debian "community" to the concept of usability.
heh, and now that you propose to remove all "tainted" documentation, not only will your users have a horrible installation experience, but after the software is installed, they won't have any documentation! good idea!
mp
totally agree. documentation for free software ranges from nonexistent to horrible. periodically, i will go on binges where i go to freshmeat and browse through new releases and try some things out. or, maybe i just want to look over offerings in some area (recently, it was IDEs for java).
i never ceased to be amazed at the lousy documentation offered with some packages. i've downloaded items that had _no_ documentation whatever! zipola! how do these people expect anyone to actually install and use their product? the other day, i had one package that actually included incorrect instructions for installation. i had to work it out on my own.
this may be off-topic but ... those who play chess probably remember years ago, the internet chess server was the only game in town. and, frankly, it was horrible. there were all kinds of abuses. one day i was even on there when a guy was making sexually suggestive comments to a 9 year-old girl who had logged in to play some chess.
then, a professor from carnegie-mellon named daniel sleator "hijacked" the ics, rewrote the entire code base and turned it into a "pay to play" forum. there was a riot. a lot of players were seriously upset. i myself got an ansi bomb in my email (remember those?) from a guy upset by my pro-ics stance. but, you know what? the abuses were gone. people started paying, just because of that. you could actually log in and play in a pleasant atmosphere.
the seriously upset people went off and founded the fics, the free internet chess server. and, to attract users, they implemented the procedures necessary to prevent the resurfacing of the abuses on the old ics. they worked hard to make fics attractive, not only from a dollar standpoint, which actually has limited utility, but from an experiential standpoint. they figured out what seemed to have escaped the administrators on the old ics -- people will choose a non-free alternative if it offers them a better experience. it's too bad that it took the "hijacking" of the free resource to teach this lesson.
my point in telling this long tale is that the same rule applies to software in general. people flocked to the paying option because it offered them the pleasant experience they desired. just so, i will not, and many people will not, use a poorly documented piece of software simply to avoid the licensing issues on a well-made, thoroughly documented piece of software. i won't. and most people won't. if i have work to do, i don't have time to "figure it out" piecemeal. emacs is the greatest editor in the world. i love it. but if it didn't have the best documentation of any editor in the world, i probably would not still be using it. i would be using something that had better documentation. (which wouldn't be vim. that help system must rank among the most UNhelpful. and it is a good example of how poor documentation can stymie even the most hopeful attempts to learn new software.)
lousy documentation is actually the main reason i tend to avoid new software packages of the "free" variety. as a rule, i will only pick them up if
- i really need the item and can't avoid using it
- i'm bored on a sunday afternoon and i've already finished with slashdot
- i'm bored and there's nothing on tv
- i'm bored
the fact is, almost all the best software documentation has come through the FSF. period. those naysayers and whiners from debian ought to take a lesson from the people who are actually doing the work.what is going to happen at debian is, they will remove all the "tainted" documentation, and people who install their distribution will find themselves will all kinds of software that has no documentation. you don't have to be a rocket scientist to figure out that a lot of debian distros are going to get wiped off the hard disk as a result. free software will not benefit from their puritanical stance, and neither will debian itself.
sorry for the long rant. it's sunday afternoon. ;-)
mp
correct. of course, it won't be a working system, you will have to spend two or three hours reconfiguring it before you can do any useful work (like, read a slashdot thread in a graphical browser). but, that won't happen until after you fix its broken networking, anyway.
but hey, it's free as in free speech -- who cares if it works?
mp
"quitters never win and winners never quit."
i think you missed the point. if you want to sit around the house and whine about how "fucked up" things are, and do nothing to make them better, and send money to tv megacorps to save your "favorite tv show," that says more about you than about the organizations i mentioned.
all of these organizations provide opt-out. use it. personally, i don't care if they send me junk mail -- it's not spam and they paid for it. and, i believe, in getting the word out about what is going on and what they are doing, they are doing good work for the cause.
in my experience, the biggest sources of junk mail and phone calls are credit card companies and magazines. dr dobbs journal and c/c++ users journal probably account for 30% of my junk mail. ymmv.
mp
i have to agree, though perhaps not so vehemently. there are about one zillion things wrong with our society, and "saving" a tv show isn't going to fix a single one of them.
it's not only about "getting a life," it's also about getting priorities in order.
donate to the fsf, aclu, eff, a local charity, the developers of your favorite software over at sourceforge.
such donations truly can "make a difference."
mp