
More Web Site User Data Gathering Revealed
Privacy Posted by jamie on Thursday August 03, @12:00PM
from the trust-but-verify dept.
Three days ago, a small group called Interhack was featured in an AP wire story about some curious data transmission they'd found. The company receiving the data, Coremetrics, tracks unique visitors through its clients' corporate websites, and promises those clients "seamless performance," because: "data tags load invisibly as small transparent gifs, and information is encrypted to appear invisible to your customer." The customer is you, the user. The GIFs are web bugs. The information can be personally identifying, which most of its clients' privacy policies fail to mention. But -- importantly -- the company promises that "Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data." Is that enough? Emmett and I talked both to Coremetrics and to the hackers who put the spotlight on them.

Emmett Interviews Interhack

Slashdot: For those uninitiated, what's interhack all about?

Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.

Slashdot: When did you start researching this story, and how long did it take to put the pieces together?

Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.

The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.

What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.

After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.

Slashdot: What needs to change? In a perfect world, how do we deal with this?

This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.

How big of a deal, really, is it to have to enter your password when you log in to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.

Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.

I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.

Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?

I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.

Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?

Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.

It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.

Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.

Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.

Jamie Talks to Coremetrics

Here's the service Coremetrics provides to corporate websites:

Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.

Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.

But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.
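
The third-party web bug described above can be found mechanically in a saved page. This Python script is an added example, not code from Interhack, Coremetrics or this article; the host names, parameter names and sample page are constructed, and "same site" is approximated by the last two DNS labels.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def site_of(host):
    """Approximate the owning site by the last two DNS labels.

    Assumption for this example: suffixes such as co.uk are not handled.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in static HTML.

    Images written by script at load time (document.write) are not seen.
    """

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            self.images.append(dict(attrs))


def is_tiny(attrs):
    """True when width and height are both declared as 0 or 1 pixel."""
    try:
        return int(attrs["width"]) <= 1 and int(attrs["height"]) <= 1
    except (KeyError, TypeError, ValueError):
        return False  # missing or non-numeric size: not flagged


def find_web_bugs(page_url, html):
    """Return one finding per tiny image served from a different site."""
    page_site = site_of(urlsplit(page_url).hostname or "")
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src")
        if not src:
            continue
        url = urlsplit(urljoin(page_url, src))  # resolves relative paths
        host = url.hostname or ""
        if site_of(host) == page_site or not is_tiny(attrs):
            continue  # first-party counter or ordinary visible image
        params = parse_qsl(url.query, keep_blank_values=True)
        findings.append({
            "host": host,
            "params": [name for name, _ in params],
            # parse_qsl has already percent-decoded the values
            "email_params": [n for n, v in params if EMAIL_RE.search(v)],
        })
    return findings


# Constructed sample page: a logo, a first-party page counter, a visible
# third-party banner, and a third-party 1x1 image carrying an e-mail address.
SAMPLE_URL = "http://www.shop.example/checkout.html"
SAMPLE_HTML = """
<html><body>
<img src="/logo.gif" width="120" height="40">
<IMG SRC="http://images.shop.example/pagecount.gif?/checkout.html,965318400" WIDTH=1 HEIGHT=1>
<img src="http://ads.adnet.example/banner.gif" width="468" height="60">
<img src="http://stats.tracker.example/t.gif?vid=8f3a21&amp;em=pat%40example.org&amp;pg=checkout" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Only the image on `stats.tracker.example` is reported, with `em` marked as carrying an e-mail address; the first-party counter and the visible banner are not.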

Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.

According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.

I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

But here's the interesting thing.

If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.

So why do some of their clients' privacy policies not mention this?

Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.

Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.

Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.

According to Coremetrics, they encourage all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.

Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."

(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")

Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."

(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)

Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."

Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.

All these policies may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.

(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)

It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party, an affiliate, or an agent is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.

But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?

I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.

In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)

More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.

After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.

Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.

When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.

This discussion has been archived. No new comments can be posted.
    no more privacy (Score:1, Insightful)
    by Anonymous Coward on Thursday August 03, @12:05PM EDT (#5)
    they can do whatever they want and they will, for most people that's invisible and they don't give a shit, they won't even notice. If you don't want to be tracked the solution is "DO NOT ACCEPT COOKIES!" and clear your cache once in a while...
    Re:no more privacy (Score:1, Insightful)
    by Anonymous Coward on Thursday August 03, @12:07PM EDT (#10)
    better yet, use junkbuster or some other cookie cutter.
    Re:no more privacy (Score:2, Insightful)
    by Roast Beef (jay@tamboli.cx) on Thursday August 03, @12:14PM EDT (#19)
    (User #2298 Info) http://tamboli.cx
    The problem is that with web bugs and your IP address, it's just as easy to track you. They've got the pages you go to with times and your IP.
    Re:no more privacy (Score:1)
    by plague3106 (ajj3085@rit.edu.no.spam) on Thursday August 03, @12:37PM EDT (#95)
    (User #71849 Info)
    If that's all they get, then so what?
    Re:no more privacy (Score:1)
    by B'Trey (ddjonesATspeakeasy.org) on Thursday August 03, @01:35PM EDT (#232)
    (User #111263 Info)
    If you're with a dial-up ISP and get a dynamic IP address, probably no big deal. If you have a cable modem, DSL or similar and have a static IP, then having that IP address may be equivalent to having all of your private data.

    Never ascribe to maliciousness that which can be adequately explained by incompetence.

    Re:no more privacy (Score:1)
    by plague3106 (ajj3085@rit.edu.no.spam) on Friday August 04, @09:55AM EDT (#357)
    (User #71849 Info)
    Still, so what? How would they know that? How would they know who had that number? How do they know it's not a router for 5 other computers in the house? I have yet to see anyone marketing b/c differently b/c they kept seeing the same ip visit the site. It's not equivalent b/c even if they have my ip they don't really know anything about me, or even if it's the same ip. Besides, I had cable modem, and my ip did change every now and then. So what?
    Re:no more privacy (Score:1, Interesting)
    by Anonymous Coward on Thursday August 03, @01:34PM EDT (#230)
    If you run your own dns servers....
    Setup empty zones for the webmarketing companies.
    We haven't been seeing doubleclick data for about six months or so.
    Re:no more privacy (Score:1)
    by Phroggy (slashdot2@NOSPAMphroggy.com) on Thursday August 03, @01:03PM EDT (#161)
    (User #441 Info) http://phroggy.com/
    they can do whatever they want and they will, for most people that's invisible and they don't give a shit, they won't even notice. If you don't want to be tracked the solution is "DO NOT ACCEPT COOKIES!" and clear your cache once in a while...

    You're aware, of course, that this breaks a lot of Web sites? Sure, Slashdot still works, although you lose any hope of customization, but most e-commerce sites break. I'm working on figuring out how to use cookies on my home page, just because they're so darned neat, and one of the hardest things to do is gonna be figuring out how to make the site still work if cookies are off. A lot of companies don't bother, and simply require cookies.

    --
    My karma is stuck at 75...

    Re:no more privacy (Score:4, Interesting)
    by Anonymous Coward on Thursday August 03, @01:23PM EDT (#211)
    You're aware, of course, that this breaks a lot of Web sites?

    Simple fix:
    ln -sf /dev/null ~/.netscape/cookies
    Your cookies will all be accepted and valid while they remain in memory (that is, as long as you keep the web browser open), but will be flushed every time you close netscape -- giving you the best of both worlds.

    Matt

    Re:no more privacy (Score:1, Insightful)
    by Anonymous Coward on Thursday August 03, @02:25PM EDT (#282)
    or, still simpler, just set the permissions of ~/.netscape/cookies to read-only. this is still better because you can keep exactly the cookies you want from one session to the next. adding new ones is trivial: enable writes to the file, fire up the browser, go to only the site you want, exit the browser, mark file read-only. this happens very rarely for me. harry truman capote
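
The read-only cookie file approach from the comment above, as an added example that is not part of any commenter's post: this Python script prunes a cookie file to an allow-list of domains and then marks it read-only. It assumes the file uses the tab-separated, seven-field Netscape cookie file layout; the domains and cookie values in the sample are constructed.

```python
import os
import stat


def domain_allowed(cookie_domain, allowed):
    """True if the cookie's domain is an allowed domain or a subdomain of one."""
    d = cookie_domain.lstrip(".").lower()
    return any(d == a or d.endswith("." + a) for a in allowed)


def prune_cookie_text(text, allowed):
    """Return (kept_text, dropped_domains) for the contents of a cookie file.

    Comment and blank lines are kept. A record is kept only if it has the
    seven tab-separated fields (domain, subdomain flag, path, secure flag,
    expiry, name, value) and its domain is on the allow-list.
    """
    kept, dropped = [], []
    for line in text.splitlines(keepends=True):
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) == 7 and domain_allowed(fields[0], allowed):
            kept.append(line)
        else:
            dropped.append(fields[0])
    return "".join(kept), dropped


def lock_down(path, allowed):
    """Rewrite the cookie file with only allowed cookies, then make it read-only.

    Run this while the browser is closed, since the browser rewrites the
    file on exit. Returns the list of dropped cookie domains.
    """
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, dropped = prune_cookie_text(text, allowed)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # enable writes
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.chmod(path, stat.S_IRUSR)                  # owner read-only
    return dropped


# Constructed sample file contents (not real cookies).
SAMPLE_COOKIES = "# Netscape HTTP Cookie File\n" + "".join(
    "\t".join(record) + "\n"
    for record in [
        (".slashdot.example", "TRUE", "/", "FALSE", "1262304000", "user", "4847abc"),
        (".tracker.example", "TRUE", "/", "FALSE", "1893456000", "vid", "8f3a21"),
        ("www.shop.example", "FALSE", "/", "FALSE", "1262304000", "cart", "17"),
    ]
)

if __name__ == "__main__":
    kept_text, dropped_domains = prune_cookie_text(SAMPLE_COOKIES, {"slashdot.example"})
    print(kept_text, end="")
    print("dropped:", dropped_domains)
```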
    Cookie tricks (Score:1)
    by jawtheshark (jawtheshark@sdniwssorc.ten) on Friday August 04, @03:15AM EDT (#350)
    (User #198669 Info) http://www2.vo.lu/homepages/willekens/jorg/
    Cool! I'd never think of such a trick....is there a similar trick under Winblows (using Netscape)?
    Right now I automatically delete the cookie.txt file at bootup (Daily bootup anyway), but I'm not sure if it works well: for example I always have to log *twice* into /.
    I've read the read-only trick too, I'm going to try that but I'd appreciate other solutions.


    -- I only exist in my imagination.

    Re:no more privacy (Score:1)
    by Phroggy (slashdot2@NOSPAMphroggy.com) on Thursday August 03, @02:51PM EDT (#290)
    (User #441 Info) http://phroggy.com/
    Shift the context maintenance from the cookie to the URL. If you don't want them to understand or mess with the context state, then use obfuscation and hashing liberally.

    My Web site uses themes; you can choose how the pages will be displayed. Most of the themes are based on (read: blatantly stolen from) various operating systems, so the text shows up as if it were in a window, and that window can look like a Win95 window, a Mac OS window, an X window, etc. Each page is dynamically generated from a Perl script that takes two arguments in the query string (the end of the URL): "page" and "theme". Obviously, "page" indicates the name of the page to be viewed (except on the main home page, which is handled separately), and "theme" indicates what theme you want to view it in. If "theme" is omitted, it chooses a default theme for you.

    The problem with this is that the URL looks somewhat ugly, and if you link to a particular page from somewhere, you'd be linking to the page with a particular theme. I want the theme to be chosen for you automatically the first time you get to the site, since certain themes are not appropriate for certain browsers. That's why I want to use cookies instead - make it a local preference in the browser, and make it persist between sessions (in case you're demented enough to actually go back to my home page someday).

    --
    My karma is stuck at 75...

    Spot the webbug (Score:3, Funny)
    by FascDot Killed My Pr on Thursday August 03, @12:07PM EDT (#7)
    (User #24021 Info)
    Do they look anything like this:

    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/comments.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1>");
    document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/comments.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1>");
    --
    MailOne for Linux
    Re:Spot the webbug (Score:1)
    by mat catastrophe (mat_catastrophe@E-X-cite.com(excite)) on Thursday August 03, @12:10PM EDT (#11)
    (User #105256 Info) http://www.freespeech.org/mat/
    I've seen that, as well. I've always wondered just how innocent those things are....

    "I'd rather be forgotten than remembered for giving in..." --Refused

    Re:Spot the webbug (Score:5, Informative)
    by jamiemccarthy (jamie@slashdot.org) on Thursday August 03, @12:14PM EDT (#20)
    (User #4847 Info) http://jamie.mccarthy.org/
    I knew someone would bring this up (trolls have been spamming our comments with it). I'll just post the same info I posted to another thread yesterday:

    Please note that all these images come from slashdot's own servers. They're pagecounter images. I'll just forward along the email I got from Richard M. Smith, the guy who coined the term "web bug", when I asked him about it:

    Date: 7/2/00 3:00 PM
    Received: 7/2/00 11:59 AM
    From: rms2000@bellatlantic.net (Richard M. Smith)
    To: jamie@mccarthy.org (Jamie McCarthy)

    Yep, to really be a Web Bug, the IMG tag must come from
    another domain. I'll need to make this clearer in the
    next revision of the FAQ. Now, if I can just find the time to
    keep my Web site up to date...... ;-)


    Jamie McCarthy
    jamie.mccarthy.org

    DoubleClick Ads on Slashdot (Score:3, Interesting)
    by fridgepimp (fridgepimp@tuxdocs.org) on Thursday August 03, @12:32PM EDT (#82)
    (User #136338 Info) http://www.tuxdocs.org
    Slashdot has run numerous stories about the questionable behavior of DoubleClick and its affiliate sites. In fact, this article alludes to it.

    However, slashdot has been serving DoubleClick ads with increasing frequency of late. NOW, I am NOT suggesting that Slashdot is corrupt or evil. I'm just curious to know whether or not we can expect these ads to behave similarly to the DoubleClick ads that have been described in previous stories.

    If so, doesn't that fall into the "web bug" category? Why hide it in a 1x1 GIF when it's right there in a DoubleClick ad?

    Anyway, I'm just curious. I posted this on the root level of the story and have already been modded down to -1. So moderators, do your worst. I'm just looking for an answer, not a flame war.

    -fp

    --

    It is the perceived insignificance of one's own existence that causes one to cast aspersions upon the existence of another.

    Re:DoubleClick Ads on Slashdot (Score:1)
    by ashpool7 (ashpool7 at blah blah blah yahoo! dot com) on Thursday August 03, @01:50PM EDT (#260)
    (User #18172 Info)
    1. Set Netscape to warn on cookie transaction and poke around slashdot until you get a doubleclick cookie.
    OR
    Clear your cookie file, click like crazy on slashdot links, and then examine it.

    2. Post your results to this forum

    3. Get modded up and possibly an answer. :)
    Re:Spot the webbug (Score:1)
    by rkent (rkent(at)acm.org) on Thursday August 03, @12:44PM EDT (#112)
    (User #73434 Info) http://cc.kzoo.edu/~k96rk01/
    Well, rather than splitting semantic hairs, I think the point of bringing this up is to ask: what does Slashdot do with those invisible images? This has really nothing to do with whether or not they come from a foreign server. Let's not squabble about whether they're "technically" web bugs or not.

    That said, it looks to me like it keeps track of which comments you've read, or what your comment preferences are, or something. If you don't want this tracked, don't accept cookies from slashdot! The site can be viewed perfectly without them, you just have to post as AC. Or, you can accept one lousy cookie when you log in and never ever accept another one.

    Slashdot is not out to get you. Or if it is, it's not trying very hard :)

    "We are the most ripped-off company around..." - Bill Gates, 1980

    Re:Spot the webbug (Score:1)
    by jallen02 (:-( .) on Thursday August 03, @01:12PM EDT (#177)
    (User #124384 Info) http://gdev.net/~jallen
    Did you even.. READ what jamie just wrote????

    He said it was a page counter to track hits...

    Jeremy


    If you think education is expensive, try ignorance
    -Derek Bok (Former Harvard President)
    Re:Spot the webbug (Score:1)
    by rkent (rkent(at)acm.org) on Thursday August 03, @02:46PM EDT (#288)
    (User #73434 Info) http://cc.kzoo.edu/~k96rk01/
    Sure, to "track hits." Towards what end? To say that
    1. It's not technically a web bug, and
    2. it tracks hits
    is not to say it's harmless. I mean, I'm not accusing anyone of any wrongdoing. I was just saying that that particular answer didn't really address the concern that slashdot might be tracking users, too.

    "We are the most ripped-off company around..." - Bill Gates, 1980

    Re:Spot the webbug (Score:1)
    by Evangelion on Thursday August 03, @01:20PM EDT (#199)
    (User #2145 Info)

    Because the image is sent down by a CGI script (presumably perl), which would be less efficient the bigger the image got (relative to the webserver sucking it off the drive).


    --
    eris:~$ dd if=/dev/random of=~/.signature bs=1 count=120
    Re:Spot the webbug (Score:2, Interesting)
    by graniteMonkey on Thursday August 03, @12:44PM EDT (#117)
    (User #87619 Info)
    Okay, Jamie, so now we've established that Richard M. Smith himself says the code on this web-page is not a "web bug". Now that I know it's there, what does Slashdot/Andover do with this "non-web bug" to differentiate it from a genuine web bug? Just curious, really. Does the information reach some corporate entity outside Slashdot.org? Andover.net? Is the information for the sole non-resellable use of Slashdot.org? Andover.net?

    It was destiny from the start...
    Re:Spot the webbug (Score:1)
    by ichimunki (x at ichimunki dot com) on Thursday August 03, @03:04PM EDT (#294)
    (User #194887 Info) http://www.ichimunki.com
    Unless I seriously misunderstand this, the placement of these small GIFs on the web page gives the GIF server no information that is not in your typical HTTP header. In the Slashdot case, both the page server and the "non-bug" server belong to Slashdot. What this provides them is no more or less than they already have. What it might provide is the ability to turn off some logging on a busier server and turn that duty over to a less busy server (i.e. the one that exists only to pump out single pixel GIFs). This is also useful if you have multiple servers doing the bulk of the work, and would like to track usage centrally. This way the bug-server gets a unified sense of all visits, while the page-server is able to distribute the load as needed without worrying about discontinuous visit information. Simply put, this is the most efficient way to track this. They could theoretically track it 100 other ways, but I can't think of a way that improves on this technique.

    I think the Slashdot usage is not only understandable, but acceptable. However, I think the undisclosed gathering of even this readily available HTTP header information, where the bug URL is not in the same domain as the referring page is as objectionable as using banners to enable cookies from a single domain to be activated by what appears to be a completely separate. It's a tradeoff, since they get only HTTP header information out of the deal, they get less information, but there is also no way to turn off these GIFs, like there is with cookies. Well, yeah, you could use Lynx. *smirk*
    >>Nader in 2000<<
    Re:Spot the webbug (Score:1)
    by ZoneGray on Thursday August 03, @12:46PM EDT (#125)
    (User #168419 Info)
    Seems like it would be easy enough for a browser to implement a feature that warns if a page is loading content from multiple domains.

    If they wanted to get really fancy, they'd let the user accumulate an "okay" list and a "don't load from multiple domains" list.
    Re:Spot the webbug (Score:1)
    by Kronos. (kro@SPAMTACULARpenguinpowered.com) on Thursday August 03, @01:30PM EDT (#221)
    (User #40016 Info)
    I've recently been trying out Opera 4, I don't know if it's in other versions but one thing it does do is tell me if a site tries to set a cookie that is not for the same domain as the site and already I have come across countless numbers of these. It's really probably quite simple to implement it to handle other content too although you can already filter out stuff with proxies like muffin which in my view is really where this should be done. My opinion is a browser is a browser.. it implements the w3c standards and dealing with stuff from other sites (banner and such) belongs at the proxy level and not in the browser.
    Re:Spot the webbug (Score:1)
    by ZoneGray on Thursday August 03, @04:36PM EDT (#310)
    (User #168419 Info)
    All these replies are about cookie handling. And those are good features, but...

    The real problem with web bugs is that they don't really need cookies to learn something about you. Just the fact that you hit the page, and load an image that causes a hit on another server, can be a problem.

    For example, an embedded image in an HTML e-mail message can act as a read receipt. A bunch of sequential hits from the same IP address can be associated, and if one of the sites provides your cookie info to the bug company, then it doesn't matter if the others send out cookies or not.

    Again, the only real protection would be if your browser warned that the page you're loading consists of content from multiple domains.
    Re:Spot the webbug (Score:1)
    by abe1x on Thursday August 03, @01:57PM EDT (#268)
    (User #160362 Info)
    iCab does one better and lets you automatically block all cookies not sent by the server hosting the page you are visiting. Mac only though.
    Re:Spot the webbug (Score:1)
    by dgl (/.@dgl.cx) on Thursday August 03, @02:09PM EDT (#275)
    (User #37957 Info) http://dgl.cx/
    There is an option in my version of netscape 4.6 and mozilla: Advanced|Cookies and Accept only cookies that get sent back to the originating server.
    This provides a little protection but I think if the sites use JavaScript they can get around it (probably why slashdot use it on their "counter")
    It is much better as many people have said to run junkbuster with a good block file or if you use squid there's a brilliant piece of software called squid_redirect that blocks most adverts and web-bugs.

    Re:Spot the webbug (Score:2, Interesting)
    by Digital Mage on Thursday August 03, @01:12PM EDT (#180)
    (User #124845 Info)
    Although the ad might not come from an outside source, my question is...Why is the number associated with the pagecounter image also associated with the advertising image?

    I'm going to have to go diving through the ad code (assuming the slashdot guys use the one from sourceforge) to see exactly what the number is used for.

    My guess is that the number is used to see how many eyeballs saw that particular ad, but what they do with the number beyond that is unknown.

    Example:
    <IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,965319456" WIDTH=1 HEIGHT=1>
    .....
    <IMG SRC="http://images.slashdot.org/banner/tkgk0082en.gif?965319456" WIDTH=468 HEIGHT=60 ALT="Click Here!"></A><BR>

    Re:Spot the webbug (Score:1)
    by Anomalous Canard (murphy(at)panix(dot)com) on Thursday August 03, @01:20PM EDT (#198)
    (User #137695 Info)
    Please note that all these images come from slashdot's own servers.

    We as users have no way of knowing if images2.slashdot.org is your server or an ad.doubleclick.net server added to your DNS entries. Now I, a trusting soul, trust /. more than, say the NY Times or any other random provider, but you have to admit that the user has no way of telling who is tracking them. "Same domain" doesn't mean anything more than coming from the same DNS server. It doesn't tell me that the server is under the administrative control of the domain holder. Hell, murphy.dialup.[redacted].net is administered by me, not by my ISP.

    I'm glad that I don't allow Javascript to run on Slashdot or on any other site.

    --
    Anomalous: deviating from what is usual, normal, or expected
    Canard: a false or unfounded report
    Re:Spot the webbug (Score:1)
    by _xeno_ on Thursday August 03, @01:41PM EDT (#244)
    (User #155264 Info)
    I'm glad that I don't allow Javascript to run on Slashdot or on any other site.

    The JavaScript is basically irrelevant - it just determines the time the client read it as opposed to the time the server read it. If you have JavaScript disabled, then the same image is used, this time created through a set of <NOSCRIPT> tags. The ONLY difference is that the numbers generated in this case are generated server-side, not client-side. You might wanna try blocking images2.slashdot.org instead. (In the case of Mozilla, bring up the context menu for the image, and choose Block Image from Loading and all ads will be gone. Eventually they may allow you to add sites manually, but for the time being, it works. Assuming you can find the 1 pixel...)

    Re:DNS Entries (Score:1)
    by xrayspx (xrayspx@xrayspx.com) on Friday August 04, @08:01AM EDT (#353)
    (User #13127 Info) http://www.arcaneimages.com
    Well, 209.207.224.245 (images2.slashdot.org) *IS* far removed from 64.28.67.48 and 64.28.67.57, www and images.slashdot.org respectively. 209.207.224.245 is owned by DigitalNation while the others are Exodus. Exodus is the current hosting company for slashdot, DigitalNation is the OLD hosting company. So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick. So there we are.

    This is actually the way user tracking SHOULD work, internally, for internal use. Not with crap bounced halfway around the net to some company who may/may not sell it to someone.

    xrayspx
    Re:DNS Entries (Score:1)
    by Royster (murphy(at)panix(dot)com) on Saturday August 05, @03:30PM EDT (#361)
    (User #16042 Info)
    So images2.slashdot.org, while not sitting right next to images.slashdot.org, IS under their control, DNS does not point to doubleclick.

    I'd like to know how one concludes from an IP number who the administrator *really* is.

    "There go the heebies, but I've still got the jeebies"
    Re:DNS Entries (Score:1)
    by xrayspx (xrayspx@xrayspx.com) on Friday August 11, @01:29PM EDT (#367)
    (User #13127 Info) http://www.arcaneimages.com
    That would be an inference. It's more logical to say "slashdot used to be hosted at this colo center, images2 is AT this colo center, images2 is probably run by slashdot staff" than it would be to say "images2.slashdot.org used to be hosted at this colo center, therefore doubleclick staff have flown in a tigerteam in a silent black helicopter to run images2.slashdot.org"...

    Or maybe I'm just not paranoid enough anymore.
    Re:Spot the webbug (Score:1)
    by belphegore (craig_REMOVETHIS_@hughes-family.org) on Thursday August 03, @06:26PM EDT (#331)
    (User #66832 Info) http://www.hughes-family.org/craig
    <img src="http://doubleclick.slashdot.org/webbug/invis.gif" width=1 height=1>

    Doesn't come from a different domain. Clearly is a web bug though. If a company wants to use web bugs, and is prepared to have someone be inserting them into their HTML, they'll add a DNS entry or two if necessary too.


    ECHELON fodder follows: terrorist bomb buy plutonium sarin attack federal kill strike cocaine heroin shipment greenpeace red brigade IRA jihad khmer
    Re:Spot the webbug (Score:1, Redundant)
    by cybercuzco (cybercuzco@yahoo.com) on Thursday August 03, @12:14PM EDT (#24)
    (User #100904 Info) http://www.processtree.com/?sponsor=24427
    You'll note however, that that little snippet of code is commented out, and therefore is not run when you load a page.
      Here's what it really looks like:
    <!--
    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/comments.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1>");
    document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/comments.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1><BR>");
    //-->
    "you've corrupted the Borg"

    -Picard to Lore

    Piss off the man,Vote Nader!

    THE ABOVE IS A TROLL (Score:1)
    by Roast Beef (jay@tamboli.cx) on Thursday August 03, @12:16PM EDT (#28)
    (User #2298 Info) http://tamboli.cx
    Comment tags keep browsers from displaying JavaScript code. The code still runs.
    Re:THE ABOVE IS A TROLL (Score:1)
    by ethereal on Thursday August 03, @12:46PM EDT (#124)
    (User #13958 Info) http://slashdot.org/users.pl

    It may be incorrect, but it is not a troll.

    New potentially illegal .sig: You can find out more about methamphetamine by searching for "methamphetamine".

    Re:Spot the webbug (Score:2)
    by jfrisby (jfrisby@mrjoy.com) on Thursday August 03, @12:28PM EDT (#69)
    (User #21563 Info) http://www.mrjoy.com
    That's an HTML comment, not a JavaScript comment. It is there for browsers that don't understand JavaScript, so they won't display it to users. This is a very common practice.

    The JavaScript is still executed.

    -JF

    MrJoy.com -- Because coding is FUN!
    Remove foot from mouth, mr. clueless. (Score:1)
    by rakslice (amtonner@n_o_s_p_a_m.uwaterloo.ca) on Thursday August 03, @12:29PM EDT (#74)
    (User #90330 Info)
    I assume that, since you appear to have left a valid e-mail address, that post wasn't a troll, so:

    It's javascript, not HTML. See the script tags? Next time, get a clue before posting.
    Re:Spot the webbug (Score:2, Informative)
    by _xeno_ on Thursday August 03, @12:41PM EDT (#107)
    (User #155264 Info)
    Hemos tried to explain this in this post.

    For the truly lazy:

    RE: Doubleclick.

          Believe me, if I had my way, we wouldn't be using it. But DoubleClick is what many of the advertisers use as their service, because DoubleClick does a good job of tracking click-thrus and such for them. That, and the honest truth, most big companies don't know how to run their own web server for ad serving, and so outsource. So - unfortunately, a necessary evil of serving banner ads.

          As for the webbug - I've never called it bad or evil. I think it's stupid, but Andover uses it to track traffic. I think caches fuck it up, but...c'est la vie. It doesn't do anything, so I don't particularly care about. I'm more concerned with stopping advertisers from using Java in banner ads, or sound, or shockwave, or...

          It's all about choosing your battles.


    Re:Spot the webbug (Score:3, Informative)
    by cwhicks (mr_winkee@tinkletown.com) on Thursday August 03, @12:44PM EDT (#116)
    (User #62623 Info)
    Bad Moderation Alert: What classifies this as a troll? Is it such common knowledge what these "webbugs" on /. are?
    Is the person saying something inflammatory that they know to be false to get a response? Just because you are satisfied with the explanation, doesn't mean everyone has to be. Or is it that /. is somehow holy and never should be questioned?
    Personally, I've seen these images at the top and was suspicious, and now from the informative responses, I know what they are.

    - I like pudding.
    Web Bugs (Score:3, Informative)
    by AlexZander (zander@wpi.edu) on Thursday August 03, @12:07PM EDT (#8)
    (User #33064 Info) http://www.wpi.edu/~zander
    Someone should write an option into Mozilla or its ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?
    (web bugs are EVIL)

    Evil never dies -- It just comes back in reruns
    Re:Web Bugs (Score:1, Insightful)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @12:16PM EDT (#29)
    (User #85503 Info) http://aerolith.bsod.net
    As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes. I think a better option would be to limit all images on a page to a single server. That way stuff from other servers wouldn't load. This would be a problem when you have images.yourserver.com as well to load balance, but the solution to this would be having all of the images come from a consistent server, so if all the images came from images.yourserver.com, they would be allowed, but the little bug from statmarket would show up as broken... :)
    8.314 J/mol K MATEY!!!!!!!!
    (OT) Use of 1x1 invisi-images (Score:1)
    by skoda (fischer _ dj @ mailcity . com) on Thursday August 03, @12:25PM EDT (#56)
    (User #211470 Info) http://fischer_dj.tripod.com
    As an amateur (hobbyist) web designer, I'm wondering what you use 1x1 images for. In my very limited experience, they're handy when stretched to various sizes, but I haven't seen a need (yet) for a one pixel offset. So can you give a pointer or two on the secrets of web design? :)

    My attempts at HTML coding can be seen at fischer_dj.tripod.com.
    Re:(OT) Use of 1x1 invisi-images (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @12:49PM EDT (#132)
    (User #85503 Info) http://aerolith.bsod.net
    part of my personal style is to make a table that has an extra cell around the right edge that is only 1 pixel wide to add a border effect. I use a 1px image as a spacer to keep this open. If you don't have anything there, it will show up as blank in netscape, IE handles it okay, but netscape gets all weird about tables. Yes 'gets all weird' is a technical industry term... or something. I was a hobbyist myself until I decided to put my resume out there... I am doing compE in school right now though, so this is more or less a temporary thing.
    8.314 J/mol K MATEY!!!!!!!!
    Re:(OT) Use of 1x1 invisi-images (Score:1)
    by jphillip on Thursday August 03, @01:04PM EDT (#165)
    (User #189979 Info) http://www.avalonhigh.com
    A useful trick used in the webcomics world (and could be used in any image archive) is to load a comic image in a 1x1 IMG in order to cache it.

    So say you're reading through some archived pages on a site. While you're reading July 24's comic, the one for July 25 is loading into a 1x1 pixel down in the corner. Click the "Next" button to go to July 25's page, and boom, the comic is loaded directly from the cache. And while you read that one, July 26's is loading quietly in the corner.

    Granted, the images aren't originally 1x1, but are merely shrunk to that size. Plus, the traditional usage seems to take a 1x1 transparent GIF and stretch it to larger sizes for layout purposes. So maybe 1x1 images which are specified to display 1x1 could be filtered. It'd break *some* pages, but not nearly as many.

    Many syndicated comics suck. Avalon is not syndicated. This does not imply that Avalon does not also suck.

    Re:(OT) Use of 1x1 invisi-images (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:31PM EDT (#224)
    (User #85503 Info) http://aerolith.bsod.net
    I was thinking that as well with the 1x1 stretched, but I have used them at 1x1 before, and as a designer it pisses me off when my pages don't display right... it's generally my fault when they don't, but I don't really want/need the extra hassle of another constraint placed on the way I design
    8.314 J/mol K MATEY!!!!!!!!
    Re:(OT) Use of 1x1 invisi-images (Score:1)
    by jphillip on Thursday August 03, @02:09PM EDT (#274)
    (User #189979 Info) http://www.avalonhigh.com
    I *thought* I had seen some bastardized HTML tag which achieved the same effect as a 1x1 transparent GIF... the SPACER tag. Introduced in Netscape 3. I can only assume that IE doesn't support this, and that CSS makes the whole thing moot anyway. But if that can eliminate the need for 1x1 transparent GIFs for layout, then we can safely block such.

    Many syndicated comics suck. Avalon is not syndicated. This does not imply that Avalon does not also suck.

    Re:Web Bugs (Score:1)
    by EMN13 on Thursday August 03, @12:26PM EDT (#59)
    (User #11493 Info)
    You shouldn't be using 1x1 gifs for spacing anyway... In a decently designed website there is no need for them. Use CSS, or whatever else, but relying on 1x1 images for spacing isn't the brightest idea. It destroys the way HTML was intended to function - structurally, with UI separated out. Why blame mozilla for having such difficulty making a browser work if the true culprits are the people abusing rendering implementations on specific browsers.

    Apart from that, if anyone were to implement a 1x1 filterer, that obviously shouldn't affect layout, so it would still space things as before (to not break any web sites) but simply not load the images. Would only make your web server faster because of fewer requests.
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @12:50PM EDT (#135)
    (User #85503 Info) http://aerolith.bsod.net
    rooooiiiiight. So when a netscape user comes to the site, it looks like it got mauled by a script kiddie... Once they fix the way netscape handles CSS i will start using it. I already use it on my personal site, but the industry is another matter.
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:1)
    by the coose (jmarkw@^^^^^NOSPAM.mindspring.com) on Thursday August 03, @02:29PM EDT (#284)
    (User #171981 Info)
    Actually, I've found that it is IE, not Netscape, that seems to have issues with CSS. I set up a class for div to have left and right margins of 5%. Within that I placed an img that was much longer than the body's width but was relying on the div to stop it from running off the right. This worked fine in Netscape 4.7, but IE 5.0 ignored the div's right margin of 5% and used the img's default size instead. Same thing with container elements and tables. Yeah, it's easy to workaround but just kind of annoying...
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @02:47PM EDT (#289)
    (User #85503 Info) http://aerolith.bsod.net
    i had major and inexplicable problems with layers in netscape 4.7 to the point where i had to abandon the layer approach entirely in order to make it netscape compliant. These days I just say screw netscape and design for IE on my personal sites... I still use netscape on my linux box, but my winblows machine and my mac both have IE on them...
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:1)
    by homer_ca on Thursday August 03, @12:28PM EDT (#71)
    (User #144738 Info)
    Mozilla already tried it in an earlier version, but they abandoned it because it breaks so many sites. Many sites serve out images from akamaitech for load balancing purposes, and Yahoo loads images, both ads and content, from their yimg.com domain.

    Oh well, back to playing whack-a-mole with my junkbuster blockfile.
    Re:Web Bugs (Score:1)
    by KnightStalker (hoffmanj-A@T-oit-D.T-edu) on Thursday August 03, @01:23PM EDT (#212)
    (User #1929 Info) http://internet.oit.edu/~hoffmanj/
    The day-before-yesterday nightly build of Mozilla will load images from "images.site.tld" but not completely different domains if you turn on the "disable images from different domains" feature -- I assume it works similarly with cookies.

    The only problem with this is, if it becomes widespread, places like Doubleclick will quickly get domains like "dc.amazon.com" (or whatever) that all point to the same server.

    --
    "Nothing of importance happened today." -- From George III's diary, July 4, 1776
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:39PM EDT (#241)
    (User #85503 Info) http://aerolith.bsod.net
    instead of just domain checking they could check the IP as well, so that if it's not close, they can block it... Maybe take a bit longer to figure a way around that... donno if that would work though, because I don't really know if all servers have close IP's for their domains... the ones that I have dealt with are only 1 number off, like C class stuff, but I don't know if that is the case everywhere.
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:1)
    by KnightStalker (hoffmanj-A@T-oit-D.T-edu) on Thursday August 03, @01:45PM EDT (#252)
    (User #1929 Info) http://internet.oit.edu/~hoffmanj/
    I thought of that... looking at the yahoo and yimg stuff, www.yahoo.com resolves to 200.71.200.67, 204.71.200.68, 204.71.202.160 whereas us.a1.yimg.com resolves to 206.191.161.51, 206.191.161.50. So that's out, too.

    I don't think there's a good way around it, and I'm willing to put up with the odd site like Yahoo where I can't load the images.
    --
    "Nothing of importance happened today." -- From George III's diary, July 4, 1776
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:49PM EDT (#259)
    (User #85503 Info) http://aerolith.bsod.net
    esp. if it is something like yahoo--most of the images on there are ads anyway besides the main title graphic...
    8.314 J/mol K MATEY!!!!!!!!
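The two filters proposed in this thread (flag images declared as exactly 1x1, and flag images served from a different site than the page), as an added example that is not any poster's code or Slashdot's. The sample page is constructed: three tags are quoted from the thread, while `tracker.example.net` and `/spacer.gif` are made up. `siteOf()` is a simplifying assumption (last two DNS labels); it shows both limits raised above, since `doubleclick.slashdot.org` passes the same-site check and `yimg.com` fails it.

```javascript
// Constructed sample page. Tags 1, 2 and 5 are quoted in the thread;
// tracker.example.net and /spacer.gif are hypothetical, for illustration.
const PAGE_URL = "http://slashdot.org/article.pl";
const SAMPLE_HTML = `
<IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,965319456" WIDTH=1 HEIGHT=1>
<IMG SRC="http://images.slashdot.org/banner/tkgk0082en.gif?965319456" WIDTH=468 HEIGHT=60 ALT="Click Here!">
<img src="http://tracker.example.net/hit.gif?id=42" width="1" height="1">
<img src="/spacer.gif" width=1 height=40>
<img src="http://doubleclick.slashdot.org/webbug/invis.gif" width=1 height=1>
`;

// Assumption: a "site" is the last two DNS labels of the host name.
// A real filter would consult the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

function sameSite(hostA, hostB) {
  return siteOf(hostA) === siteOf(hostB);
}

// Pull the attributes out of every <img> tag. Handles quoted and unquoted
// values; a ">" inside a quoted value is not supported (simplification).
function parseImgTags(html) {
  const tags = html.match(/<img\b[^>]*>/gi) || [];
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  return tags.map((tag) => {
    const attrs = {};
    for (const m of tag.slice(4).matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    return attrs;
  });
}

// Apply the thread's heuristics to one image.
function classifyImage(attrs, pageUrl) {
  const url = new URL(attrs.src, pageUrl); // resolves relative SRC values
  const pageHost = new URL(pageUrl).hostname;
  const width = parseInt(attrs.width, 10);
  const height = parseInt(attrs.height, 10);
  const declared1x1 = width === 1 && height === 1;
  const otherSite = !sameSite(url.hostname, pageHost);

  let verdict = "ordinary";
  if (declared1x1) {
    // Declared AND displayed at 1x1: the case worth filtering.
    verdict = otherSite ? "third-party-bug" : "same-site-1x1";
  } else if (width === 1 || height === 1) {
    // One dimension stretched: the layout-spacer use designers describe.
    verdict = "stretched-spacer";
  }
  return {
    host: url.hostname,
    otherSite,
    declared1x1,
    hasQuery: url.search !== "", // data can ride along in the query string
    verdict,
  };
}

function scanPage(html, pageUrl) {
  return parseImgTags(html)
    .filter((attrs) => attrs.src)
    .map((attrs) => classifyImage(attrs, pageUrl));
}

for (const finding of scanPage(SAMPLE_HTML, PAGE_URL)) {
  console.log(finding.verdict.padEnd(18), finding.host,
    finding.hasQuery ? "(query string)" : "");
}
// False negative: a tracker given a name under the page's own domain
// is indistinguishable from a first-party counter by host name alone.
console.log("doubleclick.slashdot.org same site as slashdot.org:",
  sameSite("doubleclick.slashdot.org", "slashdot.org"));
// False positive: first-party content on a separate image domain is flagged.
console.log("us.a1.yimg.com same site as www.yahoo.com:",
  sameSite("us.a1.yimg.com", "www.yahoo.com"));
```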
    Re:Web Bugs (Score:1)
    by Eimi Metamorphoumai (Eimi47@yahoo.com) on Thursday August 03, @12:40PM EDT (#103)
    (User #18738 Info) http://cec.wustl.edu/~adl4
    What if it didn't load the image, but instead did the spacing anyway? Use its own hardcoded 1x1 transparent gif instead of yours. Seems it would be a lot faster for the client, and wouldn't break spacing on sites (unless that 1x1 is some color other than transparent, which I would imagine is pretty rare).

    Visit me on #weirdness on the Undernet.

    Re:Web Bugs (Score:2)
    by Sloppy (sloppy@spam^H^H^H^Hrt66.com) on Thursday August 03, @12:44PM EDT (#111)
    (User #14984 Info)

    As a web designer I am totally against this idea, because I use 1x1 gifs all the time for spacing purposes.

    That doesn't make sense. The web uses HTML, and HTML is a logical markup language where the client (not the server) makes formatting decisions. Why would a "web designer" ever need to micromanage such detailed issues as spacing?


    ---
    Have a Sloppy night!
    Re:Web Bugs (Score:4, Informative)
    by juniorbird on Thursday August 03, @01:07PM EDT (#170)
    (User #74686 Info) http://home.earthlink.net/~juniorbird
    Not only does this Web designer use one-pixel gifs... pretty much every Web designer does. The reason is that browsers suck. Theoretically, by using CSS, visual presentation of information can be managed. But CSS support is horrible -- only IE 5 for Mac really has it (among released browsers at this point).

    So Web designers are forced to use HTML for visual presentation of information (no, just putting it in a simple list isn't good enough -- 400 years of learning how to effectively present information says otherwise. See Edward Tufte's works FMI). And the only way to do that is to micromanage detailed issues like spacing.

    But all that's moot. The worst part about this whole article is that the companies are lying to their customers about how their information is being used. There is almost no way an educated user, without the benefit of infinite time and tools, could have known to protect him- or herself from this information theft. That's why Truste needs to sue and the FTC needs to get involved. Personally, I think that the companies who did this need to be permanently banned from having a Web presence in order to set an example, but I don't know how that could be done legally.

    You can do something: opt out
    http://www.coremetrics.com/opt_out_options.html
    Re:Web Bugs (OT) (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:21PM EDT (#202)
    (User #85503 Info) http://aerolith.bsod.net
    better than I could have said it... :)
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:2)
    by TheTomcat (sean@nbnet.nb.ca) on Thursday August 03, @01:34PM EDT (#229)
    (User #53158 Info) http://riptear.dyndns.org
    I wish I had some mod points.

    Hey moderators: This post, #170 is HIGHLY deserving of being modded right up to +5.

    Sorry for abusing my +1.

    "If there is hope it lies in the proles." -George Orwell, 1984
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:19PM EDT (#196)
    (User #85503 Info) http://aerolith.bsod.net
    I can tell you don't work in web design at all, nor do you have to deal with clients that have LOGOs. When I am given an image of a client logo that is not alterable because of the whole 'corporate identity' business, I have to design around it, which sometimes necessitates doing things like small gifs to push the logo over to where it needs to go. Further, sometimes I must make a web page that looks exactly like a Print piece, which is very hard to do consistently between platforms/browsers. As a result I again have to use pixel spacers that won't change in size like an & nbsp ; would to make it happen the way the client wants it.
    8.314 J/mol K MATEY!!!!!!!!
    (OT) HTML as design tool (Score:1)
    by skoda (fischer _ dj @ mailcity . com) on Thursday August 03, @01:49PM EDT (#258)
    (User #211470 Info) http://fischer_dj.tripod.com
    juniorbird & Aerolith_alpha have given some excellent comments on this. But there is another issue that is raised by your point.

    "HTML is a logical markup language where the client (not the server) makes formatting decisions. " That is exactly right! Which is why HTML is really the wrong language to be using for today's web design purposes.

    The original intent of HTML, if I understand correctly, was to provide a method for describing the abstract format of the content, and then allow the viewer to format that content according to his desires. Want BIG BOLD headlines? Got it. Want small italic body text? No problem. Want everything mono-space fonts? Can do.

    The problem is that that is not a good way to present most information, nor is it generally desirable. Further, companies (and many users) want you to see their information in a very specific way, and don't want you mucking around with it. Pepsi wants you to see their blue cans blue, not mauve with pink polka dots. IBM wants their computer specs presented with a certain combination of fonts, sizes, and images they think is most enticing to a potential buyer. They don't want you to fool around with their formatting and maybe make something less enticing to yourself. And so on. What web designers want to do is page layout! Not logical formatting.

    The thing is, HTML sucks as a page layout device. That's not what it's meant to do, but that's what we use it for. Which is why web designers (even the finger-painting equivalent of designers, like me) do un-natural and perverse things with 1x1 invisi-gifs; so we can get things to right.

    As Murphy said, when all you have is a hammer, everything looks like a nail.
    Re:(OT) HTML as design tool (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:54PM EDT (#263)
    (User #85503 Info) http://aerolith.bsod.net
    hear hear... I do everything as a mockup in photoshop first to present to the client. Then it takes me anywhere from 4 hours to 2 days to build the pages in HTML/Java/DHTML, etc until I can get it to look and work like my model did. I would almost be tempted to do EVERYTHING in flash, just because it's so easy, and it looks JUST LIKE you design it, even scaled, however as a linux user I don't feel the need to force people to use win/mac with flash viewer to see the site. For corporate sites I end up doing a lot of the infamous INTO FLASH, but I don't have much say in that...
    8.314 J/mol K MATEY!!!!!!!!
    Re:(OT) HTML as design tool (Score:1)
    by MrBogus on Thursday August 03, @09:54PM EDT (#345)
    (User #173033 Info)
    Actually, I wish folks like you would just recommend Flash or PDF to clients that want 'printed output'-like pages. Then we can get the HTML back nice and simple, and it will be easier for me to add dynamic content to pages that aren't junked up with nested tables and spacer gifs.

    Of course, this could backfire, and next thing you know I'd be writing a database backend to a Flash application.
    Re:(OT) HTML as design tool (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Friday August 04, @01:17PM EDT (#358)
    (User #85503 Info) http://aerolith.bsod.net
    would you REALLY want the entire web to be flash? *SHUDDER*
    8.314 J/mol K MATEY!!!!!!!!
    Re:(OT) HTML as design tool (Score:1)
    by MrBogus on Friday August 04, @06:34PM EDT (#360)
    (User #173033 Info)
    Eventually: it will either be Flash, W3C DHTML + Time extensions + SVG, Microsoft PPT format. Think TV. (Yes, I'm a cynical coot.)
    Re:Web Design Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:42PM EDT (#246)
    (User #85503 Info) http://aerolith.bsod.net
    you said it... Although I am a programmer as well, don't get me wrong on that score... But the client provides all of the content in 99% of the cases that I have worked on. I just make it look perty. And the client has to 'approve' that too...
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:1)
    by PollMastah (polls@poll.booth.com) on Thursday August 03, @12:44PM EDT (#113)
    (User #174649 Info) http://www.slashdot.org/pollBooth.pl

    Let's find out what people think about the various alternatives:

    Poll: which of the following is the best solution?

    1. Filter out all 1x1 gif's!
    2. No, filter out all gif's 2x2 or smaller!
    3. No, filter out completely transparent images!
    4. Only allow images from the same domain as the page
    5. Disable cookies attached to graphic files
    6. Cookies are evil, don't use them
    7. Who cares if they track my personal info?? They're the ones wasting money and resources sending me junk mail which *plonk*s into the killfile anyway!
    8. I only read Slashdot, so what's this gotta do with me?

    Let's make Slashdot polls happen once a day! Join the Slashdot Poll Suggestion Club
    Re:Web Bugs (Score:1)
    by Tower (/dev/whoop-ass) on Thursday August 03, @02:08PM EDT (#273)
    (User #37395 Info)
    >No, filter out completely transparent images!

    How do you know, until you download them...

    >Disable cookies attached to graphic files

    This should be an option everywhere... how many images are custom tailored to you, when the html is not?

    >Cookies are evil, don't use them

    A popular concept on /. - even if it means you have to post AC...

    >I only read Slashdot, so what's this gotta do with me?

    This one should win hands down...

    --
    "Funk the Dumb Stuff!" - ToP
    Re:Web Bugs (Score:1)
    by spRed (spred+slashdot@geocities.com) on Thursday August 03, @01:35PM EDT (#235)
    (User #28066 Info)
    Only allowing images from one site won't help. It is trivial to set up a proxy from /. (for example) to doubleclick, or anyone else. Doubleclick would still get the info, and to the browser it would look like /.

    I agree with the current high scoring comment, if web sites are merely outsourcing their traffic analysis, there is no problem. You don't demand that sites that use WebTrends to analyse their logs say so in their privacy policy, do you? It only becomes a problem when the 3rd party trackers are allowed to aggregate the information they collect for their clients, and can resell that information. I would say that it is in the best interests of the collectors to NOT do this if they just want to sell a traffic analysis service.

    -Red
    GeekySig ? Perhaps : PerhapsNot
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:45PM EDT (#251)
    (User #85503 Info) http://aerolith.bsod.net
    it's not a matter of them using webtrends, it's about what they do with the data afterwards, no?
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:2)
    by mOdQuArK! on Thursday August 03, @01:56PM EDT (#267)
    (User #87332 Info)
    Doesn't this break the web-wide caching system being implemented by companies such as "akamai"? I thought they provided load-balanced web services for those web services which were expecting high peaks of service requests.
    Re:Web Bugs (OT: 1x1 spacing = NOT insightful) (Score:1)
    by bald anders on Friday August 04, @04:46AM EDT (#352)
    (User #218322 Info)
    WTF is so hard to understand about Hyper *Text* Markup Language? You can't design HTML, period. So you either use Cascading Style Sheets and hassle the browser-vendors for not implementing it right, or you leave it. Text is about content, style is about design. And remember to give all images alt-tags. I feel sorry for the braille or lynx users who (don't!) have to wade through 300 spacers with a little text scattered about.

    As I said to a friend: Websites that rely heavily on design or JavaShit are often lacking content and thus not worth visiting. Web-designers who *rely* on graphical capabilities on the client side aren't.

    But I never rant without giving a tip: Close your Frontpage Express, download the [X]HTML/CSS-spec from w3c.org, and at least read the intro. Then, with your favorite text-editor, hand-craft an HTML-file. At least for me, this was a truly enlightening experience. (Don't bother with CSS2 yet, support sucks.)

    Why is all this processing accompanied by an experienced inner life?
    Re:Web Bugs (Score:1)
    by Aerolith_alpha (aero@nospammynospammyno.org) on Thursday August 03, @01:23PM EDT (#208)
    (User #85503 Info) http://aerolith.bsod.net
    because it's horizontal only... at least in all references i have seen... if not, please let me know.
    8.314 J/mol K MATEY!!!!!!!!
    Re:Web Bugs (Score:1)
    by skoda (fischer _ dj @ mailcity . com) on Thursday August 03, @12:21PM EDT (#41)
    (User #211470 Info) http://fischer_dj.tripod.com
    I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

    But I wonder if there's a way to filter on the contents of the SRC tag value, and avoiding the minor risk of upsetting someone's page layout.
    Re:Web Bugs (Score:2, Informative)
    by Phroggy (slashdot2@NOSPAMphroggy.com) on Thursday August 03, @01:12PM EDT (#179)
    (User #441 Info) http://phroggy.com/
    I was going to say that might not be a good idea since it would destroy the layout of many web sites and negatively affect others. Then I realized that the use of 1x1 images is probably pretty low (since they're normally 'stretched' when used as page layout devices) So, yeah, you've got a decent idea there :)

    You'd be surprised. One of the reasons I use 1x1 transparent GIFs is, say I've got a table, and one cell has a background, but no foreground text or graphics - just a background color, or repeating background pattern, and I'm using this cell (probably not very big) for layout and design purposes, because there's no other way to do it. Well, if I don't include that 1x1 GIF, then the browser thinks the table cell is empty and won't render it at all (so I don't get my background). This is remarkably annoying. I used to use &nbsp; instead, but then I started doing these with really small areas where a whole &nbsp; wouldn't fit, so I've switched to 1x1 GIFs. For an example of what I'm talking about, check out my home page.

    --
    My karma is stuck at 75...

    Re:Web Bugs (Score:1)
    by passion (passionatmonkeydotorg) on Thursday August 03, @12:24PM EDT (#52)
    (User #84900 Info)

    So - who's to stop the use of 1x2 or 2x1, or 2x2 images...?


    - passion
    Re:Web Bugs (Score:1)
    by beebware ([rc-slashdot@|http://www.]beebware.com) on Thursday August 03, @12:25PM EDT (#57)
    (User #149208 Info) http://www.beebware.com/
    But what about 'single pixel spacers' - usually used just to enable tables to render correctly. Sometimes height=1 width=600 (or whatever) is used for 'drawing lines', but singles do have their own good purposes...
    Richy C.
    --
    Beebware
    Re:Web Bugs (Score:1)
    by EMN13 on Thursday August 03, @12:30PM EDT (#78)
    (User #11493 Info)
    Single pixel spacing does not have its own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfuscated as to need one pixel spacing...
    Re:Web Bugs (Score:1)
    by Phroggy (slashdot2@NOSPAMphroggy.com) on Thursday August 03, @01:16PM EDT (#189)
    (User #441 Info) http://phroggy.com/
    Single pixel spacing does not have its own good purposes. Design the logical layout and then apply style. I sure prefer simple sites to sites that are so obfuscated as to need one pixel spacing...

    If browsers weren't so buggy and annoying, we (Web designers) wouldn't need to work around them by using single-pixel GIFs for spacing and such. It is possible to create an attractive design that doesn't get in the way of the content, and easily run into a situation where you need a 1x1 spacer (or something even more annoying) to make it work in HTML.

    --
    My karma is stuck at 75...

    Re:Web Bugs (Score:1)
    by Ranalou (ranalou@transcendence.net) on Thursday August 03, @12:27PM EDT (#62)
    (User #200662 Info)
    Someone should write an option into Mozilla or its ilk to NOT LOAD any image with a height and width of 1. That would stop the web bugging industry at least for a little while, don't you think?

    Or, more to the point, since a 1x2 transparent image would do the job just as well- examine the image. If the entire image is transparent (possibly, even if it's all the same color) then drop it.

    By the time you've examined the image, however, you've already downloaded it. Part of the damage, at least, is already done.

    You could, however, highlight the web bug and bring it to the attention of the user, where they might be able to in their browser, in their favorite proxy, or even in their firewall establish that either this particular bug, or bugs with similar URLs should never be downloaded again. This would help to defeat some data correlation, helping to minimize the damage.

    For extra credit, one might set up an RBS-like database that could be trusted to serve as a source of web bugs that exist, and a plugin or modification to browsers to help keep others from downloading them. That's a full-scale effort, however, and probably far less practical.

    Re:Web Bugs (Score:2)
    by arivanov on Thursday August 03, @12:27PM EDT (#64)
    (User #12034 Info)
    No, it will not. They will simply use transparent GIFs, which is just the same. And it is not just GIF, as PNG also has a transparency channel.
    @*** Baker's Law *** Misery no longer loves company. Nowadays it insists on it.
    Re:Web Bugs (Score:1, Interesting)
    by Anonymous Coward on Thursday August 03, @12:28PM EDT (#66)
    Didn't they have some option to let you not load any image from a different server? It seems like that would accomplish the same thing and still allow for "page counter" gifs
    Re:Web Bugs (Score:1)
    by Expecting Rain (pmulliga|at|wso.williams.edu) on Thursday August 03, @12:37PM EDT (#96)
    (User #217620 Info) http://wso.williams.edu/~pmulliga
    Someone should write an option into Mozilla to get it to load web pages without crashing my computer in the process. They could put a little checkbox in the Preferences that says "Crash Computer Frequently." If you don't want it to do that, you could simply uncheck the box. *That* would be a useful feature.

    I can't wait to assemble a Beowulf cluster out of these signatures.

    Re:Web Bugs (Score:1)
    by Tower (/dev/whoop-ass) on Thursday August 03, @02:15PM EDT (#278)
    (User #37395 Info)
    And here I was just waiting for SSL to work...

    Haven't had any stability problems since M12 on NT or Linux (Mandrake through 7.1 - replaced with stock kernel and XFree 4.0)

    --
    "Funk the Dumb Stuff!" - ToP
    Re:Web Bugs (Score:1)
    by BloodyStupidJohnson (sharpa@softhome.CRUFT.net) on Thursday August 03, @12:44PM EDT (#118)
    (User #150956 Info)
    In iCab for the macintosh you can filter images by size and by server. If an ad gets through, just right-click on it and tell iCab to filter images of that size or from that server or both. It is VERY handy. All web browsers should have that feature.
    Size... (Score:1)
    by WolfTheWerewolf on Thursday August 03, @02:13PM EDT (#277)
    (User #84066 Info)
    Web bugs, per-se, do not have to be 1X1 transparent GIF images. They could very well be some other company's logo, they could be a button, anything. Blocking image grabbing from remote sites would be a good start, though many pages are written to fetch images from afar. I honestly see no useful reason to do so other than to pass some form of information to another site/domain. Browsers or blockers need to have a way to say "No images/pages to be loaded outside of the domain I'm currently viewing."

    Yah yah.
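Added example, not part of the original thread: a small Python scanner that combines the three signals the comments above argue about (image served from another site, tiny declared size, data carried in the URL) and flags an image only when at least two are present, so a plain layout spacer or a remote logo alone is not reported. The host names, URLs and sample HTML are constructed, and `site_of` is a simplifying assumption (last two DNS labels, no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

TINY = 2  # up to 2x2 counts as tiny, since a 1x2 or 2x1 image tracks just as well

def site_of(host):
    """Crude site key: last two DNS labels (assumption, no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def _dim(value):
    """Declared width/height in pixels, or None if missing or not a plain integer."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.images.append(attrs)

def find_candidate_bugs(page_url, html):
    """Return [(absolute_url, [signals])] for images showing >= 2 of the 3 signals."""
    collector = _ImgCollector()
    collector.feed(html)
    page_site = site_of(urlsplit(page_url).hostname)
    findings = []
    for img in collector.images:
        url = urljoin(page_url, img["src"])
        parts = urlsplit(url)
        w, h = _dim(img.get("width")), _dim(img.get("height"))
        signals = []
        if site_of(parts.hostname) != page_site:
            signals.append("third-party host")
        if w is not None and h is not None and w <= TINY and h <= TINY:
            signals.append("tiny declared size")
        if parse_qsl(parts.query, keep_blank_values=True):
            signals.append("query parameters")
        if len(signals) >= 2:
            findings.append((url, signals))
    return findings

# Constructed sample page: a layout spacer, a classic bug, a remote logo,
# a visible remote button carrying data, and a same-site 2x1 counter.
SAMPLE_PAGE = "http://www.shop.example/checkout"
SAMPLE_HTML = """
<td><img src="/img/spacer.gif" width="1" height="1" alt=""></td>
<img src="http://data.metrics.example/hit.gif?uid=1234&amp;page=checkout" width="1" height="1">
<img src="http://cdn.mirror.example/logo.gif" width="120" height="60" alt="logo">
<img src="http://partner.example/button.gif?ref=shop" width="88" height="31" alt="partner">
<img src="/cgi-bin/count.gif?uid=1234" width="2" height="1" alt="">
"""

if __name__ == "__main__":
    for url, signals in find_candidate_bugs(SAMPLE_PAGE, SAMPLE_HTML):
        print(url, "->", ", ".join(signals))
```

The same-site counter is reported because a first-party URL can still relay data onward, which a host-only filter would miss; declared sizes are taken from the markup, so an image with no width and height attributes is judged on host and query string alone.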
    got rights? (Score:1)
    by ackthpt on Thursday August 03, @12:10PM EDT (#13)
    (User #218170 Info) http://www.dragonswest.com
    The fact that I'm receiving spam targeted at me suggests the tip of the iceberg begins with the lifting of my email address. The bottom of the iceberg is the buying and selling of info about me among enterprises. I've had a number of pre-approved credit card apps appear in the mail for the last 20 years and a congress which refuses to pass progressive legislation utterly barring solicitors from phoning me (free speech my a**).

    I prefer to exercise the right to privacy. Before *anyone* may solicit me, or share info on me, they *must* seek my permission first. Without it, they are trespassing.

    Vote Naked 2000
    ... (Score:1)
    by Fist Prost (fistprost@outthroughthe.inbox.as) on Thursday August 03, @12:12PM EDT (#16)
    (User #198535 Info) http://amishrakefight.org/gfy
    time to use that Mosaic emulator! At any rate, someone ought to put this one feature into Mosaic: block any images below a certain size.
    fist prost(retired first poster) I smack kneejerk moderators.
    How many? (Score:2, Interesting)
    by Jon Shaft (hades@vertonet.com?slashdot comment) on Thursday August 03, @12:14PM EDT (#17)
    (User #208648 Info) http://members.aol.com/PizarroD/shaft/
    How many of us actually put in proper information into websites? Usually the only time I ever put in proper information is when I'm going to purchase something, and being a poor college kid, that is very rare. I can see being extremely worried about it if I were making more money and able to spend it on things, but that's far off.

    Right now there is probably a lot of junk mail and phone calls going to 1642 Slackware Ave, Retro, CA (111)222-3334...

    I can't remember putting in real information in a long time... actually the last time I put in that information was when I bought a DeCSS TShirt.

    Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

    Who's the black private dick, who's a sex machine for all the chicks?

    Re:How many? (Score:2)
    by brunes69 (nighthawk@n2.com) on Thursday August 03, @12:20PM EDT (#38)
    (User #86786 Info) http://www.geekboxmicro.net

    Yeah really. Someone should Mod this up, and maybe some marketing braindeads will see it. No one I know EVER puts in their real information, real email, or anything, unless they absolutely have to. And I'm not just talking about us l33t hackers, I'm talking about joe average Internet user. In schools around where I live, they actually teach you not to ever give your real information (including email) unless it's someone you absolutely trust.

    So what I would like to know is, what good is all this tracking, when you're tracking fake people? It's just a huge waste of time. Not that I really care, I added all banner ads to my hosts file being redirected to 127.0.0.1 a LONG time ago



    ---There is no spoon....---
    Re:How many? (Score:2)
    by arivanov on Thursday August 03, @12:35PM EDT (#89)
    (User #12034 Info)

    First: you are referring to the Slashdot crowd. For example I am sufficiently paranoid to put my old address or my company address on warranty cards and other stuff like this when I buy personal kit so my snail mail address does not get out. But this is me. Joe average random luser puts in his personal information, both in a conventional store and online.

    Second: correlation analysis is a great thing and statistics is a great science. If there is enough information and the criteria for filtering bogus data are well defined, it can be filtered and the real you will show up.


    @*** Baker's Law *** Misery no longer loves company. Nowadays it insists on it.
    Re:How many? (Score:2)
    by British on Thursday August 03, @12:34PM EDT (#85)
    (User #51765 Info) http://british.nerp.net
    What about if you consistently use the same bogus info to several websites? perhaps some company is compiling info about "Hugh Jass" someday hoping to get his/her real info and send them TONS of junk mail.

    Can junkbuster filter out useless 1x1 images completely? I mean, I can live without a 1 pixel image or three on a web page.
    Kids love the rich taste of web content! http://british.nerp.net
    Re:How many? (Score:1)
    by Tower (/dev/whoop-ass) on Thursday August 03, @02:19PM EDT (#281)
    (User #37395 Info)
    >Can junkbuster filter out useless 1x1 images completely?

    Your browser would have to do that... junkbuster doesn't get the sizing information...

    Formatting would be screwed up on a *lot* of pages, if you happened to turn all 1x1s off.

    --
    "Funk the Dumb Stuff!" - ToP
    Re:How many? (Score:1)
    by Phroggy (slashdot2@NOSPAMphroggy.com) on Thursday August 03, @01:22PM EDT (#205)
    (User #441 Info) http://phroggy.com/
    Toysrus.com sells information even tho they say in the privacy statement they don't? Welp, add another place not to shop to my list. Does anyone publish a listing of companies that don't sell information to other public/private companies anywhere? I'm sure it would be very useful to some.

    I'm thinking the Better Business Bureau might not be a bad place to start.

    --
    My karma is stuck at 75...

    Re:How many? (Score:1)
    by Tower (/dev/whoop-ass) on Thursday August 03, @02:18PM EDT (#280)
    (User #37395 Info)
    I especially like it every time they redo my.weather.com... require e-mail, name and address again... I usually just fill in all of those fields from the following sentence:
    I filled these out before
    (or something similar)

    and I place MAILER-DAEMON@weather.com in the e-mail slot, and click all of the 'send me...' buttons...

    --
    "Funk the Dumb Stuff!" - ToP
    Emmett and Interhack (Score:1, Flamebait)
    by Xerithane (xerithane@nerdfarm.org) on Thursday August 03, @12:14PM EDT (#18)
    (User #13482 Info) http://www.nerdfarm.org
    Emmett Plant, "journalist" on slashdot.
    Emmett Plant, founder Time City Project.
    D. Clyde W., very visible member Time City Project
    D. Clyde W., member of interhack
    Hm, can we say shameless plug.. considering slashdot uses bugs I can't believe that they are slamming coremetrics.
    Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

    nerdfarm.org
    everything you've ever wanted for christmas.
    Self-important web bugs that talk to themselves (Score:1)
    by Rares Marian (rmarian@winblowsstart.com) on Thursday August 03, @12:31PM EDT (#79)
    (User #83629 Info)
    Are you talking to you?
    Am I talking to me?
    Caught signal SIGSIG read this comment again.
    Re:Emmett and Interhack (Score:2, Interesting)
    by Emmett Plant (emmett@slashdot.org) on Thursday August 03, @12:40PM EDT (#102)
    (User #8 Info) http://www.mentaltempt.org
    Emmett Plant, "journalist" on slashdot.

    Feeling bitter, Jay?

    You've got all the right in the world to question my journalistic integrity. As a matter of fact, I welcome it. But unless you've got a problem with the facts or the way I present them, chill out. If I've said something untrue in my work, you've got a responsibility as a reader to point it out. You haven't done that, though.

    Stories are not created in a vacuum. As a reporter, I rely on relationships with people to get my job done. As a writer, I rely on the English language to convey facts to the audience.

    The worst part is that you can't see beyond your own personal problems and outright bitterness to understand that Interhack does some very important work, and that this story is important to anyone who does business online.

    What do you want me to say, Jay? Clyde clued me in to the Interhack press release. I work with Clyde on Time City. Clyde pointed me to it because he thought it was newsworthy. It was. I did some research, got together with Jamie, and we wrote the piece. I didn't write the piece as a favor to Clyde. Matter of fact, I don't even know if Clyde is involved with Interhack. I think he's related to Matt, though. Actually, I think you'd be amazed how many stories are submitted to me and Slashdot by personal friends that I reject. What do you want from me?

    I don't find where you work and post things about the quality of your work. I don't question your professional integrity, because I really don't understand or know what you do for a living. At this point, I don't care. You just seem like someone who was really burned and you're working out your 'angry ex-girlfriend' mojo on me for some unknown reason.

    I'm sorry you didn't like the article.

    Slashdot used to get worse on a monthly basis, then weekly, now it's with every post.

    Then don't read it. Apparently it's causing you undue stress.

    --Emmett
    Also, check out #slashdot on irc.openprojects.net

    He has a point (Score:2, Insightful)
    by FascDot Killed My Pr on Thursday August 03, @12:44PM EDT (#114)
    (User #24021 Info)
    I have no issues with Mr Plant--I don't know him at all. Nor do I know anything about Time City.

    However, I do know that doctors don't operate on their friends (or family of friends) or families (or friends of family). Same goes for journalism. From the facts presented by "Jay" and you, it seems as though you've interviewed a friend of a friend for your article. That's a no-no, regardless of newsworthiness. Why not just have roblimo or someone interview the friend?
    --
    MailOne for Linux
    Re:He has a point (Score:1)
    by gra