Web Bug Detector

(H)elix1 writes: "I'm sure /. is about to be hit with this, but CNET just released a story about a web bug detector plug-in for IE called Bugnosis by the Privacy Foundation. An interesting toy, but the thing that grabbed my attention was the Web Bug Gallery. It would seem our beloved slashdot has them as well. Course, so did CNET, but that is a different story...." I think improved cookie-handling is much more useful in preventing tracking, but this is interesting because it provides visible feedback about tracking efforts.

Re:hey guy, it's okay!

This is a common misconception; the reality, however, is much more disturbing. The little blinky dot you humans call webbugs are actually tiny miniature CIA cameras implanted in your screens to take pictures of you surfing Slashdot naked. Us CIA guys only admitted to using DNABots when they were already obsolete, much like the obsolete Echelon system, which has been replaced by people using Windows XP. We find it's much easier to allow the citizens to administer their own surveillance device. Saves us mucho manpower.

Therefore, buy XP and save the government valuable surveillance budget dollars.

Agent Bitterman, Superspy
President Chief Head Director of the Leadership Branch of the Executive Level of the CIA

Funny...

...slashdot used to berate sites that used web bugs, but it looks like they have them too now...

- A.P.

--
Forget Napster. Why not really break the law?

Re:IE5 had this too

It's back in the current 6 betas.

Re:Apache Privacy Issues

I think we need a new moderation choice: 'Didn't get the joke'

Correction

The Active X controls are required only for the somewhat unusual download and installation and then can be disabled according to the author.

------------
You only have to enable ActiveX control downloading in order to install
Bugnosis -- you can disable it after installation. That makes it really no
different than downloading an .exe from us. The Bugnosis control that we
download isn't scriptable, so other Web sites and email users will find it
harder to abuse.

Regards,
David

Prof. David Martin
University of Denver Math/CS

The cure will kill you worse than the disease

The installation requires Active X controls = on. So that makes the cure worse than the disease. I'll trade some privacy for not opening up my machine to remote execution Active X shit.

/. has even better info.

As /. logs witch moderators spend points on witch comments. Slashdot now has the IP address of the CrackSmoking dude who found this 'Informative'.

--
echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272 C3AF4F2snlbxq'|dc

IE5 had this too

A beta of IE5 between 5.01 and 5.5 had the same feature, "Accept third-party cookies" Always/Prompt/Never, but they took it out in 5.5

/. hypocrisy

Of course /. uses web bugs. They still use GIFs, too. This is a "do what we say" website, not a "do what we do" one.

Re:No!!

There's also another point. All those Web bugs look identical from an HTML/HTTP point of view, but they're radically different from a data-collection point of view. Hitbox, for example, uses those bugs solely for site statistics. They can tell when two hits were from the same person and can tell a site things like how many people followed a given path through it, but they've no idea who a given person is and don't store any information on which paths a particular person followed in the database the sites access.

Disclaimer: I only program the systems for Hitbox/WebSideStory. I don't represent them or their opinions, they pay the executives to do that.

Re:/. hypocrisy

You forgot raging about the MPAA, asking us to boycott movies, and then providing us with useless Katz reviews of movies *every* week.

Installed it, and got the OSDN bug on this article

In the realm of cosmic irony, I installed the web bug tracker, then went into this full article, and promptly got the OSDN web bug.

If you're among the folks like me that have to use IE, use that Restricted Sites setting under the security tab (and while you're in there, crank that restricted zone up to disallow derned near everything). Also set your browser to warn you when you get cookies. Add entire that want to set cookies to your restricted zone. None of the muss and fuss of an ad filter (which breaks everything when I have to VPN to the office).

For the first couple of weeks, you'll be adding a few sites per week. I also added to mine the list someone posted of the sites that track users the most. I don't get cookies now, unless I'm actually shopping online. :-) If someone wants a copy of the list, I could find a home for it.

Re:How Dare they?!?!

It uses a table, so the formatting on this will be way off

Bugnosis analysis of: Articles: Web Bug Detector (http://slashdot.org/comments.pl?sid=01/06/08/1220 230&op=Reply&threshold=-1&commentsort=0&mode=neste d&pid=18)

Highlighted images may be Web bugs.

Properties Contact Image URL

Tiny, Once, Domain, TPCookie (anon=anon_id&-1-vGtvAizyjA&boxex&%27whatsnew%27%2 C%27slashdot-main%27%2C%27freshmeat-main%27%2C%27n ewsforge-newsvac%27%2C%27sourceforge-news%27%2C%27 linux-news%27%2C%27open-mag%27%2C%27questionexchan ge-top10%27%2C%27themes-new%27%2C%27thinkgeek-new% 27&exboxes&%27whatsnew%27%2C%27slashdot-main%27%2C %27freshmeat-main%27%2C%27newsforge-newsvac%27%2C% 27sourceforge-news%27%2C%27linux-news%27%2C%27open -mag%27%2C%27questionexchange-top10%27%2C%27themes -new%27%2C%27thinkgeek-new%27) http://sd- images.osdn.com/Slashdot/pc.gif?comments,992003991 337

Property name Description

Tiny image is tiny, so is probably not meant to be seen

Protocols image URL contains more than one Web protocol name (e.g., "http:" twice)

Cookie image URL overlaps with the cookie field too much

Lengthy image URL is unusually long

Domain image comes from a different domain than the main document

Once image is used only once in the document

TPCookie image comes from a different domain than the document and manipulates a cookie (Third Party Cookie)

Recognized compares the URL against a set of recognized Web sites

Slashdot *is* OSDN

Of course Slashdot contains an OSDN webbug. Slashdot is owned by OSDN. Some people gotta turn their paranoia control WAY down, otherwise they're gonna start seeing black helicopters soon.
-russ

Big Deal !

My netscape browser can detect any web bug ! it prints "Bus error (core dumped)" everytime it sees one !

Here they are:

From www.slashdot.org/ :

<SCRIPT LANGUAGE="JAVASCRIPT">
<!--
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://sd-images.osdn.com/Slashdot/pc.gif?ind ex,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
//-->
</SCRIPT>
<NOSCRIPT>
<IMG SRC="http://sd-images.osdn.com/Slashdot/pc.gif?ind ex,992004976" WIDTH=1 HEIGHT=1 BORDER=0><BR>
</NOSCRIPT>

Yep, there they are. Web bugs if I've ever seen 'em...

-grendel drago

And more...

Three from our friends at k5 [kuro5hin.org].

Oh My God! Rusty's tracking me! That Low-Life Capitalist Corporate Big Business Pig! What do he and Inoshiro want with me! Why can't you guys leave me alone!!!!

Cookie Monitor

If I were designing a browser, I would have a cookie monitoring window, which would log cookie activity. One could author filtration scripts to block certain domains from cookie access, manually delete cookies from the monitor window, etc.

Does Not Does Not

The author of the CNET article chould have taken one more step in research... and the author of the slashdot article should have verified.

http://www.slashdot.org
Contained a bug from the Open Source Development Network (OSDN.com)

SLASHDOT is part of the OSDN pages by VA Linux.
It's not a 'bug'.

Bugnosis isn't smart enough to tell the difference between a real bug and a simple page counter, and probably can't be. We should really worry about much more important things and stop feeding paranoia.

Re:I don't get it.

Cookies are simply a way of adding state to a stateless protocol. So for the most common example you could automatically remember your username to slashdot the next time you return.

Most good browsers will let you set them to only receive cookies from the host you are connecting to. And cookies should only get sent back to the host that they came from.

These "web bugs" allow a site to send information to a third party( eg Addvertiser, Government agency, ... ) by causing another http request to be made. THis request, although it is for an invisible image, could have peramaters. These parameters could send all of the info that one site has collected about you to another. That third party site could then also send a cookie for its own use to your system.

I hope this makes sense, I am not quite awake.

MOD THIS UP!!

Everytime something happens with Napster or the MPAA, someone on Slashdot says "well stop sitting there talking about it on Slashdot and actually *do* something! Go boycott them or donate to the EFF" blah blah blah. So maybe instead of just talking about privacy issues or the tyranny of gif patents, Slashdot could actually get off its duff and do it. I know how much time it takes to convert a whole website, but its something that could be done incrementally.

Re:Installed it, and got the OSDN bug on this arti

Actually, I've been doing restricting sites in IE (at work) for some time in this manner.

Windows stores these restricted sites in a location in the registry, here's an example:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings\ZoneMap\Domains\doubleclick.net]
"*"=dword:00000004

I made a big list of these using one of those websites that list tracking networks and a short Perl script, then edited it for the particular machine I was on (Windows 2000 requires the header "Windows Registry Editor Version 5.00" whereas older versions of Windows require "REGEDIT4").

You can export these lists and share them with everyone but be careful when you accept these as people can add themselves to unrestricted zones if you don't read the registry files (note the dword value at the end, should be "4").

Proxies that filter web bugs

There are some proxies out there that filter banner ads / cookies / and web bugs.

One of the most interesting ones is webwasher (http://www.webwasher.com - for windows & linux, free for personal use, not open source).
Webwasher does not use regular expressions to filter images: it filters them by size. Most banner ads have a standard size (for ex 468x60). Webwasher has a list of known banner sizes and filters all images which match the list of sizes. And it's efficiency is very impressive!

Thus, using webwasher, it's very easy to filter all web bugs which are usually 1x1

Alas, webwasher is not opensource and has some issues. But I think that the idea behind this product is great and I'd love to see it implemented in an opensource proxy :)

The way webwasher handles cookies is also very interesting: you can specify 3 sorts of cookies
- the good ones (allow them, keep them)
- the neutral ones (allow them, delete them after 24 hours)
- the bad ones (always block)

The default policy for unknown cookies is to set them to neutral; that lets the user visits site normally (without the occasional glitches that happen when you block all cookies with sites that won't let you browse without allowing them), without compromising the privacy of the users for cookies are deleted after 24 hours.

Web Bugs And Corporate Policy

First post insanity aside (trust me, it's only fun for about 5 minutes and bad for your karma because moderators despise it), there's this quote featured in the CNN article [cnet.com] (yes, I do actually read the related articles before posting flamebait):

"Our goal with the software is to reveal how Web bugs are tracking all of us on the Internet and to get companies to 'fess up' about why they are using them," Richard Smith, the Privacy Foundation's chief technology officer, wrote in his privacy tip sheet.

"Any company that uses Web bugs on their site should say so clearly in their privacy policies and explain the following: why they are being used, what data is sent by a bug, who gets the data, and what they are doing with it," he added.

There are two things that I'd like to point out about those statements. First of all, companies with web sites are (in most countries) legally required to tell you about what kind of data they collect and what they do with it. The majority of such privacy statements either consist of the usual "we don't collect any information that can personally identify you" variety or they are hidden beneath so many links at the very bottom of the most obscure pages in the site that your average user never reads them.

Second of all, I agree with your point regarding the suggestion that companies should be required to thoroughly explain what kind of bugs they use (if any), what's sent and received and where the data goes. I personally think it's a great idea. And it's all well and good for sites that deploy their own web bugs. But what about the web sites who use web bugs belonging to other websites (e.g sites who use DoubleClick web bugs, or Slashdot using a web bug from OSDN)? The application should be the same, of course, but how is that handled from a legal perspective? Who is responsible for the "bug"? The company who wrote/owns it, or the company that deploys it? Answers to any of these questions are more than welcome (particularly by someone involved in the legal profession), as I'm sure that there's at least some of us Slashdot readers that would like to know.

Self Bias Resistor
"Imagination is more important that knowledge." - Albert Einstein

Bah!

As any open source fanatic will tell you, it is imperative that you read the HTML source of every page that you view.
We don't need no stinkin' Bug Detector!

--- note sarcasm ---

Comments from a Bugnosis author

Yep, we consider the OSDN image to be a Web bug, because it acts as a surreptitious information conduit between slashdot.org, the reader's computer, and osdn.com. Information sent through this path picks up both slashdot and OSDN cookies, so it bypasses the "same domain" rule preventing one domain from manipulating cookies set at another. Of course there's no way for Bugnosis to understand the business relationship and contracts that may restrict the use of the conduit (P3P will help with this). What's absolutely clear is that a facility designed for displaying images is being run in reverse to transmit information without the user's permission or knowledge.

Many people have been asking (cursing, etc. :) for Mozilla, Mac, Opera etc. support. I think it would be great to investigate, and I have a student trying to learn something about Mozilla now. We just don't have the expertise yet. I'd be very interested in hearing from potential contributors. Heck, just a plugin or diff that shows how we can tap into browsing events and access the DOM in Mozilla could make it possible for us to proceed. Frankly, IE support was pretty easy because of all the books and sample code out there. Besides, we had just finished a long-winded report [privacyfoundation.org] on IE browser extensions & their privacy practices when we started this project, which made Bugnosis pretty easy to envision.

We decided not to make Bugnosis a Web bug blocker, just a good analysis and exposition tool. See, the problem with many "privacy enhancing technologies" is that they put the burden on users to protect themselves. I firmly believe that being concerned about privacy shouldn't mean that you have to make it a huge personal priority, say, by committing time to downloading, maintaining, and upgrading yet another piece of software. Privacy should just be built in. Bugnosis shows how the current infrastructure is being used, and so contributes to the debate on what reasonable standards should be. In the privacy arms race, I'd much rather be a reporter in the trenches than an arms manufacturer -- even defensive arms.

Any CS students interested in working with us? We'll be setting up at Boston University in the fall.

David

Mozilla

One of the cool things about Mozilla (and its Linux [sourceforge.net] and Windows [kmeleon.org] derivatives) is the opportunity to only accept cookies from the current page. I'm sure that when Mozilla is released and starts to take chunks out of IE's dominance, people will start to use this feature and web bugs will become less useful.

Web bugs = bad name, not so bad tactic

What's the big deal with web bugs, anyway? As long as the tracking that's being done is for use by the site I am visiting, I see no problem with them...it's just a tactic for getting usage statistics about your site. And what's wrong with that? When you go to a store, there are video cameras watching you, and records of your sales, etc...why shouldn't a website know which pages were visited? As long as the information being collected can't be used to uniquely identify me, I see no problem with it. A web bug can't collect any more information than your standard log file, and maybe get access to your cookies. But it can only access cookies *that were set by it in the first place*. Web sites don't have the luxury of talking face to face to everyone who comes to the site, like a retail store does. Somehow, they need to monitor what's going on, and a web bug is one way to do a good job of it. One could easily add the same code the web bug executes to the top of every page...and I don't think there would be any problem with that. Web bugs are just a more elegant solution -- you can abstract out all those tracking functions, and use it as a module.

Re:Web Bugs And Corporate Policy

Richard Smith writes:
"Any company that uses Web bugs on their site should say so clearly in their privacy policies and explain the following: why they are being used, what data is sent by a bug, who gets the data, and what they are doing with it," he added.

The submitter writes:
It would seem our beloved slashdot has them as well.

Of course, a number of Slashdot readers were already familiar with this topic -- those of us who sometimes read at -1 have seen this subject raised and modded down, and then addressed by Slashdot editors who are then modded down by angry trolls. Or you can read about it on one of the troll web sites.

And this is the way all information about Slashdot is handled. Why did moderation go completely nuts a month ago? The only official word was in a -1 post from Michael buried in a -1 thread. Beyond that, you have to read (site whose name I won't mention to avoid getting 200 idiot sporks and crapflooders on my case) to find out what's going on. As always, security through obscurity doesn't work; it only confines the information to the people you least want to have it.

The bottom line, though, is that it comes down to trust. There's never been an official explanation of what the web bugs here do but while I don't, for instance, trust the editors to have any concept of what it means to be logically or ethically consistent, I do believe that they wouldn't do anything outrageous to my privacy.

Unsettling MOTD at my ISP.

Re:I don't get it.

Cookies are not the big deal. I can block those. Its the 1x1 gifs that kick off an HTTP request, with additional params that bother me.

Look at a few and you will see...

http://svr/path/[*.dll|.gif|etc]?param0=xxxx (amps)param1=xxxx...

That, my friend, gives you something far better than just a server log entry. And there is no blocking it... unless you start taking notes and set up your host table to say *.evilsite.com is at 127.0.0.1

Apache Privacy Issues

There is a little-known feature in the Apache Webserver that quietly logs your IP address as you view pages from it.

Trolls throughout history:

Re:I don't get it.

What bothers me most is the scale on which the tracking is done; since so many sites use particular ad agencies (say doubleclick) they can build a list of many of the sites I've visited. For example, say I browse a gay porn site, then I browse a Quake3 games site, then I visit Amazon to look for comic books. Double-click need only have an information-supplying affiliation with one of those that may have my "real" personal details, name etc (for example Amazon), from that they can build a fairly extensive database of what I do online. All without my consent, which is against the law in my country, but in the US it seems companies can do this openly with no fear, so I'm guessing its not illegal in the US.

No!!

I see no problem with them...it's just a tactic for getting usage statistics about your site. And what's wrong with that

You missed the point. Thats fine, there is nothing wrong with that, but that is not the issue here. Web bugs are not attempt to gather statistics at a specific site, web bugs are attempts to track surfing across multiple unrelated sites. For example, say I visit a gay porn site, which have some doubleclick ads with hidden bugs in. Then off I go to Amazon.com to order a book about fly fishing, and unbeknownst to me, once again doubleclick has web bugs on Amazons site. So now a company (doubleclick) has a database linking the same user to those two completely unrelated activities. Now all doubleclick needs to do is establish some sort of affiliation with Amazon, and whammo, doubleclick suddenly knows my name, and has a database indicating that I have bought books on fly-fishing, like gay porn, browse slashdot, am anti-Microsoft, enjoy reading The Onion every Wednesday, whatever, they have a huge database on me. All without my consent or knowledge (which happens to be illegal in my country, but it would seem not in the US.) Sure you can say "don't use cookies" or "delete your cookies regulary", but what the fuck, thats not a solution, thats purely symptomatic treatment of the REAL problem, which is that these companies should be strictly prohibitied from doing this sort of thing in the first place. Either way, more than 80% of people are not even going to know how to delete their cookies or will just be too ignorant of the problem to care. Americans seem to love treating the symptoms of a problem but ignoring the actual problem itself.

And you may not think doubleclick would be able to collect much info - but trust me on this - double is EVERYWHERE. It is virtually impossible to do casual web browsing for more than a few hours without getting doubleclick cookies. Try it. Delete all your cookies, browse for a while (casual browsing, e.g. some slashdot, maybe some cnn or other news sites, maybe some gaming sites etc), and see what cookies you have. Chances are extremely good you have doubleclick.net, bfast.com, hitbox.com, flycast.com, avenuea.com and a few of the other very common ones.

We're not talking about web statistics or cookies here. Get the facts straight.

iCab

Yet another reason iCab [icab.de] is my favorite browser.

It has the most sophisticated filtering system I've seen. You can filter cookies using many criteria, including (my favorite) blocking cookies that come from a different domain from the main page. AND you can filter IMAGES by size, w/ options to exclude sizes including 1x1px (this blocks most web bugs) as well as most common advertisement sizes, like the ubiquitous banner. What you get instead is a blank banner-(or whatever-)sized space with an icon of a coffee filter in the corner. Hee!

And speaking as a web designer, the feature doesn't compromise the legitimate use of spacer GIFs.* Page design is preserved, and who cares if the 1-px. GIF is actually loaded or not.

*Yes, I know that with CSS we shouldn't need spacer GIFs. I will rejoice when browser support for CSS is consistent enough for us to rely on them. Meanwhile, though, clients still tend to expect web pages to be as as precisely designed as print, and sometimes you gotta cheat. But that's another discussion.

hey guy, it's okay!

that little /. bug is intended to merely collect your anatomical information and take a little something we like to call a "DNA fingerprint". makes it easier for everyone to know what kind of As-Seen-On-TV products you might wanna buy. _______________________________________________

Must be the early morning lack of coffee

But I was hit with a strong sense of irony when I saw "Microsoft" and "Web Bug" and thought that someone had developed a plug-in that would tell you if the page you were viewing was written in bad html.