Re: Web bugs and spyware
- To: members@xxxxxxxxxxxxxxxxxx
- Subject: Re: Web bugs and spyware
- From: Adam Tauno Williams <awilliam@xxxxxxxxxxxxx>
- Date: Tue, 6 Mar 2001 23:32:31 -0500
- In-Reply-To: <38.12ebc6ee.27d6f340@aol.com>
- Organization: Whitemice.Org
- References: <38.12ebc6ee.27d6f340@aol.com>
>http://aolcom.cnet.com/news/0-1005-200-5008849.html?tag=tp_pr
Most of this is noise, and very Windows-centric. There is very little you can do about HREF-ing a transparent gif from a website (they're already HREFing lots of other stuff), but the information collected from the resulting server log borders on useless: a time, browser type, maybe an identity string, and a possibly dynamic or Masqueraded or proxied IP address.
Quote: "Through an insecurity in Windows, they showed how easy it is for people to get stuff off (a consumer's) hard drive," said Richard Smith, chief privacy officer at the Denver-based nonprofit group the Privacy Foundation, who testified at the Thursday hearing.
That pretty much sums up the article, they talk about stealing address books, etc... On a Linux system the address book is wherever you told your mail client to put it, in whatever format it prefers. In part Linux has security through diversity, as there are a great variety of mail clients, gathering address books would be useless because you'd have to decipher each one IF you could get the browser to send it to you.
Quote: The Privacy Foundation also is testing a beta version of a browser plug-in, dubbed a Web bug detector, that allows people to identify the tags.
Ah yes! Fix security problems by monitoring the flawed software.
Quote: In his testimony, Smith illustrated how simple it is to peer into other people's e-mail by attaching a Web bug to the message. According to Smith, a person can send an e-mail with a bug that secretly sends copies back to the sender when the e-mail is replied to or forwarded.
Now we are talking about accessing people's computers by sending them trojan e-mail, and still calling them "Web bug"s. Of course this might have to do with the ***TERRIBLE*** and downright ***FOOLISH*** practice of sending e-mail as HTML (which is what introduces the problem of HREF's and the like in the first place). Problems like the one cited above have "Outlook" written all over them, and don't really reflect badly on the Windows platform as a whole, but on one mail client that anyone who has the slightest concern about security will annihilate from their machine. The fact that people go looking for more software in order to be able to continue using the software that caused the problem in the first place is proof that sanity is an abnormal condition.
Quote: "If an e-mail can be wire-tapped in the halls of Congress, where else is e-mail safe? The answer is nowhere," Smith said.
Oh, please. 99.999% of the time e-mail is sent in SMTP clear text. It can be wire-tapped ANYWHERE between its origin and its destination by any pimply junior high student with a packet sniffer.
Quote: Other more malicious forms of Web bugs are "executable bugs," which can install a file onto people's hard drives to collect information whenever they are online. For example, one such bug can scan a person's machine to send information on every document that contains the word "financial." Perhaps the most nefarious bugs are "script-based executable bugs that can go out and take any document from your computer" without notice, said Wang, who warned of programs that can track live, private recordings through Webcams or voice recorders hooked up to computers.
That executable bug can understand the file format of every file on a PC! Wow! And I'm not going to notice it plowing through 17Gb of stuff? And again, "script-based executable bugs" screams "Outlook". Notice that the study that found all the above things was performed by a company selling software to protect those victimized users.
Quote: Other script-based bugs also execute files, but they're not installed on a person's PC. They can simply try to control the person's computer from its server, as well as track the consumer's travels on the Web from behind the scenes. An example of this can be found on a popular entertainment site, PassThisOn.com, which launches multiple browser windows when a person tries to exit the site.
Using javascript to launch a browser window constitutes controlling a computer? Isn't how to do that in like the first 30 pages of the O'Reilly Javascript book?
I *********LOVE*************** this next one....
Quote: "What if, as an ad company, you knew that a household was going to Web sites about firearms and bomb-making? What's the responsibility of that advertiser holding that information? Should they have to turn that over to law enforcement?" Reinke pondered.
It's illegal to visit sites about bomb making and fire-arms? Hey, FBI! I have a copy of the "Terrorist's Handbook", "The Communist Manifesto", "Revolt of the Masses", "The Frozen Republic", and "Introduction to Rocketry", as well as a college textbook about organic chemistry and several D&D books from way back in the day. Must be I'm one of the shifty loners that ceaselessly commit acts of extreme violence.
Seriously, though... no matter what platform you choose to use, articles like the referenced are much better examples of truly pathetic journalism and tawdry sensationalism than any significant threat to anyone's privacy. (Not that there aren't real threats to privacy). Configure your machine intelligently, select mail clients, etc..., that make some effort to operate in a secure fashion and you'll be virtually impervious to most such bugs.
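
Added example, not part of the original message: a minimal check a mail gateway or client could run to list the remote image references in an HTML message, since each one produces the server-log entry (time, browser type, IP address) described above when the message is rendered. The sample message, host names and the `likely_bug` heuristic (1x1 or hidden image) are constructed assumptions for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original thread).
SAMPLE = """\
From: sender@example.com
To: reader@example.org
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Hello</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example.net/open.gif?id=abc123" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="80">
<img src="http://stats.example.net/p.gif" style="display:none">
</body></html>
"""

class ImgScanner(HTMLParser):
    """Collect <img> tags whose src triggers a request to a remote server."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message itself
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self.remote.append({"host": url.hostname, "src": a["src"],
                            "likely_bug": tiny or hidden})

def scan_message(raw):
    """Return remote image references found in every text/html part."""
    scanner = ImgScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, errors="replace")
            scanner.feed(body)
    return scanner.remote

if __name__ == "__main__":
    for hit in scan_message(SAMPLE):
        print(hit)
```

A visible remote image logs the same request as a 1x1 one, so a client that declines to fetch any remote content in mail closes both cases; the heuristic only helps triage which references were meant to go unnoticed.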