Sites Guilty of Hijacking History

Gunkerty Jeb writes "A recent study launched by the UC San Diego Department of Computer Science to determine the scope of privacy-violating information flows at popular websites shows that popular Web 2.0 applications such as mashups, aggregators, and sophisticated ad targeting are teeming with various kinds of privacy-violating flows. Ultimately the researchers determined that such attacks are not being adequately defended against."

Less Than One Percent is Teeming?

[eldavojohn]

... shows that popular Web 2.0 applications such as mashups, aggregators, and sophisticated ad targeting are teeming with various kinds of privacy-violating flows.

So they inspect the top 50,000 sites and 485 have some level of inferring browser history data? I'm not so sure I see the abundance noted in the summary. Less than one percent is teeming? And only one of those sites is ranked in the top 100 by Alexa?

I'm not saying we shouldn't worry about this or we should ignore it but come on.

Just face it, websites often operate on razor thin margins. They live and die by the clicking of advertisements on their pages. Now they've found a way to sell private information that could be mildly useful to the right bidder. And it turns out it mostly adult websites that stream video doing this. You might have cause for being upset but anyone familiar with business models of seedy websites should not be surprised.

I have always used Google Chrome's incognito browser when I go to seedy sites. It's simply not going to be a priority for the masses but for people who are annoyed or angry, it's the best way to deal with this sort of thing. If some major non-adult site were doing this, I think they would be setting themselves up for embarrassment, I'm glad somebody's doing these checks.

Re:

[clone52431]

As far as history sniffing is concerned, just recently we heard about history sniffing by “mainstream ad networks” and YouPorn [slashdot.org] (...accompanied by a great disturbance in the Force, as if millions of anon suddenly cried out in terror and were suddenly silenced). Also, [PDF] “documents hundreds of commercial sites exploiting it” [ucsd.edu].

To learn whether you’re vulnerable (and how exactly this works), http://startpanic.com/ [startpanic.com].

There are a few ways to immunize Firefox against this sort of atta

Re:

[gstoddart]

Does anyone know if there's a website I can visit that will send each of the links I've visited in the past and check it against this list of 485 violators? That would be really easy and helpful to the victims and myself!

See, now that's funny. :-P

Yes, we should all send our entire browsing history to yet another company so they can verify if we might have given away private data.

You, sir, need a newsletter. ;-)

Re:Less Than One Percent is Teeming?

[Moraelin]

Well, it being used by adult sites is the worst case scenario right there.

I mean, one day I could be doing my porn surfi^H^H^H^H^H research on some innocent topic like "anal bdsm gangbang" and next, BAM, a popup comes and says "Mr Moraelin, our mining your history has determined that you've been repeatedly on EA's The Sims 3 site, at least once on the registration site of Hello Kitty Online, in at least one thread named Barbie Horse Adventures Review, and have ordered an iPhone for Christmas. Other users who visited those sites, also visited our gay site, and our guide to coming out of the closet."

Re:Less Than One Percent is Teeming?

[Reziac]

Much more interesting and enlightening, the entire report:

http://cseweb.ucsd.edu/users/lerner/papers/ccs10-jsc.pdf [ucsd.edu]

Wait...

[biryokumaru]

I thought that was the whole point of Web 2.0: directly connecting you to people who want to sell you junk you don't need based vaguely on what your interests might be.

Heck, Netflix recommended Rocky and Bullwinkle based on my interest in Yojimbo, and they were spot on... doesn't get much more Web 2.0 than that.

Re:

[Pojut]

Yay! Another Yojimbo fan! I am constantly amazed by the number of Kurosawa fans I know that haven't seen it...

Re:

[camperdave]

I just looked it up on IMDB: A crafty ronin comes to a town divided by two criminal gangs and decides to play them against each other to free the town. Sounds like a rehash of "A Fistful of Dollars" to me. :-)

Re:

[Pojut]

All the classic samurai movies are Westerns with Swords® :)

Re:

[biryokumaru]

Ya, Kurosawa is a pretty bad hack, it's true. Check out The Hidden Fortress [imdb.com], it's practically a scene-for-scene rip off of the first Star Wars.

Re:

[c6gunner]

Uh. Ok, I want to point out that 1958 comes before 1977, but there's a teeny voice in my head saying "maybe he's being sarcastic ..."

Re:

[biryokumaru]

I wonder if the order of the films Fistful of Dollars and Yojimbo might tip you off...

Re:

[Philomage]

The wikipedia article on Kurosawa is a fascinating read; you should try it sometime.

Turns out that most of western culture's "filmmaking" is just inspired selection of the right sources to rip off.

Magnificent Seven = Seven Samuraii

Fistful of Dollars = Yojimbo (=Dashell Hammett's The Glass Key and Red Harvest)

Star Wars = The Hidden Fortress

Just culture building on culture coming before it: this is why copyright needs to be reined back

Re:

[eudas]

I'm sure you already know this, but...

Yojimbo (1961)
http://www.imdb.com/title/tt0055630/ [imdb.com]

A Fistful of Dollars (1964)
http://www.imdb.com/title/tt0058461/ [imdb.com]

Last Man Standing (I) (1996)
http://www.imdb.com/title/tt0116830/ [imdb.com]

And while we're on the topic, Sanjuro is also a great flick. "It is a sequel to Kurosawa's previous film Yojimbo, with Mifune reprising his role as a wandering ronin."
http://www.imdb.com/title/tt0056443/ [imdb.com]

Re:

[Anonymous Coward]

Whoosh

Re:

[Ihmhi]

And while we're on the topic, Sanjuro is also a great flick.

Or as it's known in America, "Jimbo 3".

.

.

.

(Disclaimer: Only Japanese language speakers will get this joke.)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheRaven64]

Pretty much every film I've watched on the LoveFilm watch online thing ends by telling me that Pulp Fiction and The Shawshank Redemption are 'films like this'. After seeing that recommendation, I think I'd quite like to see a film that actually is like both of those...

Reminds me

[Moraelin]

Reminds me of a couple of months back when amazon.de, supposedly based on my previous purchases and pages visited, recommended me 3 new games for very little girls. And I mean really dress-up Barbie stuff. I'm still wondering exactly what has my alter-ego been looking at on Amazon.

Re:

[Moraelin]

If you have a daughter, then you are used to this.

I don't. That's the problem. I resolved I must buy more manly games, you know, Sweaty Guys Wrestling and Full-Contact Cock-Punching Extreme Edition to change Amazon's opinion of my tastes. Granted, now it probably thinks I'm gay, but it's a start ;)

Re:

[drinkypoo]

You have been looking for cock-punching and barbie. Amazon decides to show you material on catholicism.

Re:

[Anonymous Coward]

It's not Taco's fault that privacy violations tend to get much worse every 28 days.

Re:CmdrTaco ...

[gstoddart]

CmdrTaco: Do you EVER read any submission before publishing?

Before you piss and moan ...

This study comes as a result of the increasing complexity of JavaScript web applications propagating privacy-violating information flows. ‘Privacy-violating information flows’ is a general term which can be subcategorized into four areas of nefarious activity: cookie stealing, location hijacking, history sniffing, and behavior tracking. Their goal was to draw attention to the prevalence of history sniffing at high traffic sites.

Trying reading TFA before you whine too loudly, those words are a direct quote, and, apparently not a typo.

Not saying that sometimes the editors shouldn't proof read more, but it's important to actually know the difference.

Re:

[jginspace]

Ah ... UCSD ... sounds like this might be what you're referencing: http://cseweb.ucsd.edu/~hovav/papers/jjls10.html [ucsd.edu] could be interesting if linked up with the stuff Microsoft are developing (Slashdot story from couple of days ago).

Re:

[jginspace]

Yep: Seems like 'privacy-violating flows' = 'history sniffing' ... common reference is Youporn.

Re:

[John Hasler]

Evidently I'd have to enable Javascript to find out.

Re:

[leuk_he]

I did not post the link without javascript again [slashdot.org] did i?

Re:

[gstoddart]

Evidently I'd have to enable Javascript to find out.

From Facebook, Digg, and the linked site no less.

Man, I love noscript.

Re:

[account_deleted]

Comment removed based on user account deletion

Sometimes the cross site ad placement

[scourfish]

makes me laugh more than frightens me. It's always amusing to go to some popup-riddled website to look up the lyrics to a song, and off in the corner of all of the irrelevant-to-my-tastes "mp3 ringtone justin bieber ringtones here click here to guess your crush" ads is a singular "32-bit RISC based microcontrollers from Atmel" advertisement.

And who's surprised by this?

[Anonymous Coward]

For-profit websites using questionable tactics to gather information to better target their advertisements. Film at 11.

Re:

[tacktick]

Yeah exactly. Wake me up when you find "conclusive evidence" that adult websites that try to foist spyware onto your machine are also tracking and scrabbing for every little crumb of data on you that they can sell. Adblockplus/Ghostery+Noscript+Private browsing mode = Win

"Sites guilty of hijacking history"?

[TyTheBold]

Have we finally found out where in the world/time/on earth is Carmen Sandiego?

Re:

[noidentity]

And what the hell is "hi-jacking"? Is that some new Web 2.0 term for something?

Re:

[Monkeedude1212]

My first thought was of browser hi-jacking, like when you get a nasty piece of Malware that turns all your redirects your google search links to their advertisements.

I would think - that "History Hijacking" would mean gaining control over whats in your history - which seems ultimately useless unless you were aiming to embarass someone on false pretenses...

They really shouldn't use the word "hijacking" out of its real context. Just "reading information" does not constitute hijacking. Even stealing doesn't co

Re:

[noidentity]

They really shouldn't use the word "hijacking" out of its real context.

The headline didn't even use that word; it used "hi-jacking" (note the hyphen). I was asking what that meant. I've never seen that term before.

Re:

[scorp1us]

Agreed. The hyphenation in our advanced concepts of today require hyphenations, but are hi-jacking spellings of already established compound words. Hijack does not need a hyphen. But neither is it a compound word.

Re:

[plover]

The headline didn't even use that word; it used "hi-jacking" (note the hyphen). I was asking what that meant. I've never seen that term before.

It's just editorial hi-jinks, no doubt.

Re:

[CapOblivious2010]

I thought maybe some site was pointing a gun at a historian, and forcing him to write about how wonderful Castro has been for Cuba or something.

Are people retarded?

[the_raptor]

How do people think that all these "web 2.0" social media sites make money? They do it by selling tracking data about you to research companies and the like.

It is like super market "loyalty" cards. They aren't primarily handing those out to keep customers loyal they are doing it to gather information about buying habits.

TANSTAAFL: If you can't figure out the cost of something you are probably being played.

old news to some but now spreading

[oWj9*7!7dsggh7]

For many Slashdot readers, this is old news. But the interesting thing is how awareness of web-privacy issues has hit the mainstream. The Wall Street Journal (whose news pages typically have at least half a dozen trackers on them) has been running a whole series on simple tools to avoid being tracked online.

I think the place of the Internet in society is entering a new phase.

Said it before, I'll say it again

[Pojut]

If a site offers up ads on subjects I'm interested in, I have no problem leaving them unblocked. I learn about products I care about, the site gets ad revenue, and the company gets word-of-mouth. Everyone wins.

So long as sites show me ads relevant to their own subject, I have no problem with them (excluding fly-over ads or ads with sound...those are NEVER ok.)

Re:

[erroneus]

That is a pretty short-sighted point of view. Let me point out that ads these days are far more offensive and far more aggressive than animated GIFs. They come laced with javascript and flash and all sorts of things that can be made to do all sorts of bad things. It also turns out that a great many people get their PCs compromised through ad servers rather than through sites hosting the content you are there for.

I block ads for security purposes and so should everyone else until they stop putting this cr

Read the paper...

[crabel]

The article is not particularly good, this one is better: http://www.switched.com/2010/12/02/bug-gathers-your-browsing-history-youporn-perez-hilton/ [switched.com] You can find the original study here: http://cseweb.ucsd.edu/users/lerner/papers/ccs10-jsc.pdf [ucsd.edu] It is quite interesting, especially the list of sites is on page 9...

Plugins for history/cookie poisoning?

[OpenGLFan]

Back in the dark ages (1997 or so), there was a school of thought that advocated cookie poisoning, not just removal. Anybody know of any firefox plugins that actively randomize your history or cookies? Throwing wrenches into databases is the next best thing to naming your kid Little Bobby Tables.

Re:

[inode_buddha]

In a related way, I've long wondered if its possible to script some history poisoning. Let them read my history all they want. Eventually, some ad company will get all excited about the new "goatse" phenomenon, and go to see what it is. Hence, every time I start Firefox, I want the whole history replaced with goatse.
As it is, my hosts file and noscript makes it all go away.

Re:

[plover]

That's the problem with Web 2.0. Everything's a script, from pull down menus to "Reply" buttons on blogs. Which of those is random? Which is malicious? Which shouldn't I run?

It's easy to sort out the third-party scripts, and block all but domain originated scripts from the sites you visit. I don't care if CrazyEgg can't tell where I clicked, or if google-adsense fails to rack up another hit, or alexa doesn't count me in the Top 100. But I kind of need the internal site navigation stuff, and a lot of sit

History Hijacked?

[lymond01]

"Sites Guilty of Hi-Jacking History"

I thought this was going to be a much more interesting listing of sites that have blatantly changed the facts to suit their needs. whitehouse.gov, foxnews.com, cnn.com, msnbc.com, prettymuchanyfinanciallendinginstitution.com, etc

Re:

[neminem]

And here I thought maybe the Daleks made a site. They're *always* hijacking history.