DoubleClick 'Web Bugs' On Porn, Medical Sites

The ever-vigilant Brill's Content sent a freebie to the ever-vigilant Politech that makes us long for vigilante justice. It seems the odds-on favorite for this century's Big Brother, DoubleClick, has contracted to put 1x1 pixel graphic Web bugs on porn and medical sites. Read all about it. But don't worry, we're assured by the porn sites that although "DoubleClick [secretly] collects the information [that you, John Q. Doe, personally spent 12.2 minutes at a girl-on-girl fetish page and then spent 19.7 minutes reading up on your prostate problems], it does not have the technical skill to understand it."

Da Feds

[swerdloff]

Bill Clinton just said that Federal sites can't use cookies anymore. What stops them from using these bugs? Not persistent, but so what?

And frankly, I don't understand the value of this to doubleclick. Everyone knows that watching girl-girl porn is the only reason to upgrade to DSL. Where's the new information?

Doh!

[LaNMaN2000]

DoubleClick must be the stupidest company on Earth. After they announced their intention to merge personal information with surfing habits, the backlash shaved 25% of their market cap--before the March downturn. Consequently, they placed a representative on a consumer privacy board and extolled the benefits of self-regulation while offering their assurances that the consumer would be protected.

Their continuing abuse only brings Internet privacy issues to the forefront, and the data they collect is not even that useful to advertisers! The benefits of ads targetted using this type of data is constanly coming under scrutiny. The only thing DoubleClick will accomplish is showing self-regulation to be the farce that it is and forcing the government to intervene.

Re:Hmm..

[QuMa]

For the articles, obviously.

Re:What I want...

[Cecil]

I was hoping this functionality (along with Junkbuster itself) would be integrated into Mozilla someday. Since it's an open source program, I have no doubts that someday, someone, somewhere will hack up a nifty privacy-enabled version of Mozilla.

There is an incredibly useful MUD client called zMUD [zuggsoft.com] that contains a feature I'd love to see more often: tiny little toggle buttons for various features that you may want to turn on or off, sitting unobtrusively to the right of the input bar. Would it be that difficult to put a little 'proxy' icon to the side of the location bar? God knows they don't have enough stupid little useless icons up there. Click it to toggle the proxy on and off, among other things. Also a little toggle for Javascript would be immensely helpful.

That's MY "what I want..."

Re:Proxy servers

[36-bitter]

Instead of just blocking this stuff, how hard would it be to poison the database by sending back tags that were randomly generated, or exchanged with others'?

Re:My 127.0.0.1 list

[Cecil]

You obviously haven't done tech support much. While old-school DOS users may find it easier to 'put file X in directory Y', I've got a feeling that 90% of the people attempting this would feel FAR more comfortable booting up Internet Explorer, going to the site [waldherr.org], downloading junkbuster, and clicking the "open this file when done" checkbox.

How often do people these days move files around directories? especially ones with big scary warnings and thousands of files like C:\windows\system? I'd venture that running an installer is much more intuitive these days than shuffling files around on the hard drive. most people don't even know how to access the hard drive and its folders, they just know how to run programs.

web bug faq

[dannym]

"Is there any method of removing Web Bugs from HTML pages?

Not really. The technical problem is that there is no method of distinguishing Web Bugs from spacer GIFs which are used on Web pages for aligment purposes." -- The Web Bug FAQ

Why not just replace the location of every 1x1 gif specified on websites with the location of a local, transparent 1x1 gif? (make some add-on that filters all the html before it goes through your browser, like what is already done to get rid of ads)

Re:Et tu, Altavista?

[sqlrob]

However, boycotting AltaVista isn't going to do anything about this problem

TELL THEM you are, and tell them why. They may not listen, but then again, they may.

Re:DoubleClick's Fatal Error

[sqlrob]

Great, the companies over there can't do that sort of thing (I wish that was true here *sigh*)

SO WHAT? Just because it is a US company doesn't mean it isn't your data being collected. The first W in www means the weak link wins, regardless of how strong the EU privacy laws are, the US' weak ones completely undermines them.

"12.2 minutes"?

[Voltage_Gate]

"...12.2 minutes at a girl-on-girl fetish page..."

More like "12.2 seconds" is some cases. Hope that's not offtopic. :]

JB won't catch on

[gad_zuki!]

Junkbuster defaults to blocking no sites, blocking all cookies, and making your user_agent tell web servers that your using a Macintosh and an ancient version of NS. After 20 minutes of setting it up and probably not even using the cookie blocking feature (like i want to hunt for every site I use that wants cookies) you realize that a search for 'block ads hosts file' on google and a simple cut and paste to windows/hosts is all you ever needed.

JB is great for privacy power users but if you want site blocking to catch on with most users show them the easy way.

hitbox.com does this, too

[Skapare]

I found an animated, no-cache, zero-age, self-reloading, web bug on dice.com [dice.com] that has a web bug at the bottom of the page (you can see it easily at the very end of the HTML source). The fact that it is animated, with no caching, and instant expire set causes it to keep reloading, which not only tells them where you visit, but also how long you leave the page up. And it's a f---ing obnoxious annoying 5086 bytes that keeps being downloaded over and over.

Block hitbox.com [hitbox.com] (all subdomain names, too) from your web proxies!
Maybe I should make this my new sig.

Re:Web bugs on slashdot

[pirodude]

That server doesnt look like its owned by dn..just on their network. Internal traffic is common as a port scanner usually scans certian ports to be sure that your services that you signed up to have monitored are still running.

Re:Need something MORE than Junkbuster.

[nut]

Do products like Junkbuster and Guidescope actually attempt to load these URL's? It would intuitively seem easier to code them not even to try the URL if it is in the blockable list.

Recycled tip; use squid guard, not Junkbuster...

[Spoing]

SquidGuard [squidguard.org] is quicker, and has many features not present in Junkbuster. Take a look.

Bona-Fide Uses

[JayBonci]

1x1 banners, or gif images do have their bona-fide uses. For example, take a look at counters. More often than not, most advanced counter scripts will actually tell you from what ip a visit was registered, what browser they were using and any other of those fun and exicting pieces of information passed along in your broswers heading. Now, leaving the paranoia at the door here, a web administrator could use these to modify the pages for you when you log in. Things like a favorite articles section, or perhaps slashdot could better organize itself to intelligently tailor itself to the types of articles that you commonly read. It has been done before. The paranoia about web bugs is only partially viable, since perhaps companies are using the demographics information provided by the banner ads to better track and market their site. Seeing when an email is read helps to present to an exec to tell how many people it has reached to see whether it is worth it to continue funding the project. Its simple enough. Now, ill give the paranoids a nod saying, yes, doubleclick has done some unscrupulous things with their information, but what is to say that all "web bugs" are malicious. What if everyone new of an ethical advertising company? What then... would it be okay for people to take web bug surveys? Or do we all have to live with an unintelligent web? Face it, what you do is tracked... --jay

Re:Need something MORE than Junkbuster.

[Gregg M]

How about cookie MANGLERS that send back 100K cookies with lots of funky characters (maybe crash their server)? Or cookie swappers that send back cookies to make you look like you surf random sites.

Maybe you could send them some real good virus code and hope that during a scan their virus software goes beserk! It would certainly catch someones eye!

Re:Double CLick should have to use opt in.

[Money__]

Doubleckick and all other parties collecting tracking data should be (hopefully, someday under US law) seeking the informed constnt of all the people it's tracking.

I know some of you might be saying "But that would be to expensive!" and that's exatly the point. It should be a little expensive to collect what amounts to a digital biography of a persons life.
___

Andy Griffith and DoubleClick

[effer]

Barney: Ange! I was whackin...errr, looking up info on pneumonoultramicroscopicsilicavolconeosis and now I'm getting SPAM!

Andy: Don't you worry Barn, Opie had the same problem this mornin'. He's bangin' and a sendin' on his super celery box right now!

Opie walks in
Opie: Hey Pa! I think I did right by the Golden Rule!

Andy: Whatcha do son?

Opie: I loaded web pages with all those purty lil 1x1's and cross linked them to each other, all friendly like, and published them as links on all the purty girl..um Doctor type newsgroups! I figgur they can get 2 millun cookies per hit! They shur must be hungry!

(Canned laughter)

Andy: They sho' must be Ope. Speakin' of hungry, let's go get us some of Aunt Bea's Sweeeeeeet potato pie!

Opie: Heck yeah Pa!

Ubforseen side effects?

[gypsytrader]

If the marketing companies getthere way, I think its only a matter of time before in some election somewhere, the information that one canidate views porn on line is "leaked" to the press. . . which begins an ugly war of internet info leaks. . . Realizing I feel that doubleclicks actions are bout as virtuos as putting a camera in the girls lockeroom, I still cant help but find humor in the possabilities.

Anyway, what the hell is the big deal about porn sites, so longs as the site isnt illeagal? I subscribe to http://www.nakkidnerds.com - I pay by CC. Do you think that your e-financial transaction are private? My grandfather once said, "dont say anything on the phone you wouldnt want to see printed in the local paper." I think the same is true of the internet. If you dont want anyone knowing that you look at naked girls, go to a store in a different town, buy a mag with cash. . . also wear a big hat and park your car several blocks away. I just simply refuse to be ashamed of what I do. hle I dont condone anyone snooping on me, I accept it as a fact of modern life that the possability exists that what I am doing at anytime may be monitored, and act accordingly.

Sample WWW killfile

[unny]

Use <A HREF="http://muffin.doit.org">Muffin</A>!
Then:

strip blink
strip /blink
tagattr embed.type strip comet
tagattr font.size replace 1 -1

kill casino
kill rawlikesushi
kill cotac.com
kill BAN_record
kill topsites.
kill spon
kill D=yahoo
kill advert
kill [^(gnu)]cash
kill ban.clk
#kill doubleclick
kill linkexchange
kill hitbox
kill banner
#kill mostcash
kill \.sbean
kill webmappro
kill [Pp]layhard.net
kill [Cc]ount
kill rush4gold
#kill click-through
kill [^d]track
kill asacp
kill rsac.org
kill netnanny
kill cyberpatrol
kill surfwatch
kill /ad[s\.lvt/]
kill whispa.com
kill eads.com
kill [Ff]lycast.com
kill imgis.com
kill [kcC]lick
kill /ctc/
kill redir
kill sexswap
#kill ntrack.com
kill extreme-dm
kill account=
kill newclient
kill cash
#kill candidcash
kill /warped/
kill /jump/
kill raw_
kill alladvantage
kill enter.cgi
kill log.cgi
kill go.cgi
kill hitme.cgi
kill visit.cgi
kill amkingdom
kill gold.link
kill /xct/
kill adlink
#kill tracker.cgi
kill fourohfour
kill maximumpcads
kill statthru
kill /pbx/
kill jws
kill vts-pro
kill focalink
kill fly01.exe
kill w3bstart
kill link_id
kill link4link
kill out.cgi
kill rankem
kill stat.net
kill (top([0-9]*).cgi)
kill index[^/]*\?[0-9]
kill nedstat
kill statman
kill taboo
kill stats
kill revenue
kill coupon
kill /clq/

<B> You are done!</B>

Re:My 127.0.0.1 list

[Money__]

127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.i33.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 adforce.imgis.com
127.0.0.1 ads.enliven.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 adcount.hollywood.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.imdb.com
127.0.0.1 www.ad-up.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 www.nrsite.com
127.0.0.1 ad-up.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.filez.com
127.0.0.1 127.0.0.1 ads.i33.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 advert.heise.de
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
___

Need something MORE than Junkbuster.

[Anonymous Coward]

I don't just want to lock out the net trackers, I want to screw them up and make their life as difficult as they make mine. How about cookie MANGLERS that send back 100K cookies with lots of funky characters (maybe crash their server)? Or cookie swappers that send back cookies to make you look like you surf random sites. Puting in the spammers administrative and zone contact email addresses into other spam sites that ask for an email address (Get their ISP to TOS 'em for burdening their staff unduly). Turn the tables people. Turn the tables. The best defense is a good offense.

Here it is.

[Leonel]

Now, what I'm really waiting for is for someone to write a proxy that can dynamically rewrite pages as they come through an http tunnel

What about WebWasher [webwasher.com]? That's what I have been using and it does a great job on literaly striping out of the html most banners, pop-up ads, and is quite configurable.

Slashdot uses "Web Bugs" as well.

[Kozz]

But what are they used for? I'm not sure. But look at the source code of almost any page here, and you'll see them:

<IMG SRC='http://209.207.224.245/Slashdot/pc.gif?/comme nts.pl,962468080410' WIDTH=1 HEIGHT=1>

<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl,962468080410' WIDTH=1 HEIGHT=1>

<IMG SRC='http://images.slashdot.org/banner/gate5002en. gif?962468081680' WIDTH=1 HEIGHT=1 BORDER=0>

Maybe one of the slashdot staffers could answer this.


Quidquid latine dictum sit, altum viditur.

Re:Junkbusterize it!

[kris]

Now, what I'm really waiting for is for
someone to write a proxy that can dynamically
rewrite pages as they come through an http
tunnel.

But Siemens Webwasher [webwasher.com] already does that.

© Copyright 2000 Kristian Köhntopp

Re:New Idea. Spam free DNS service?

[FooRat]

"you can use the /etc/hosts method to block sites on pretty much any computer"

Sort of; the problem I encountered last time I tried this was that the clients (Win9X) were configured with the Linux masquerading box as the default gateway, but with the real dial-up DNS IP's for DNS, so /etc/hosts was completely bypassed by the clients (doh!). The Windows hosts file sucks because as far as I can tell it doesn't understand wildcards (for those servers with ads00.whatever through to adsXX.whatever ..). Nonetheless I think I'd like to have a stab at setting up a caching nameserver on the Linux box, soon as I get some time, and to use the above hosts file on the clients anyway. That ought to kill most ads. (Thanks for the link BTW)

I'm kind of surprised that companies like doubleclick haven't started using actual IP addresses. I guess it'll happen eventually when enough people start learning how to block ads.

Re:Double CLick has an opt out.

[QuMa]

Ok, that would make the chances of user error slightly smaller, but still, it's the most likely in my mind... I mean, why would they only do that to some people?

DoubleClick's Fatal Error

[Effugas]

I was waiting for that.

Most people don't understand the need for data privacy. Even social security numbers are presumed to be pretty public, since we're forced to give them out all the time.

But they started messing with medical sites. Wrong move.

People fear their medical records getting out for all sorts of reasons--not the least of which it the concept of ownership of one's own body. Medicine is probably the one of the least networked industry when it comes to end product status, simply because the end product isn't too comfortable with firewalls being trusted to keep their personal health data secure.

There's an entire host of psychological issues that come once your health status becomes a commodity to be traded; one of the scarier endgames of no health privacy is that, since what is unknown by everyone cannot be unreported to anyone, people will refuse to inform their doctors about their health nor search online for others who have been in their predicament.

DoubleClick's antics, then, will lead to more expensive and less effective medical treatment.

DoubleClick just entered the realm of Life and Death, and that was the biggest mistake they could have ever done. Death is the ultimate liability, and it's guaranteed to happen. Be found liable for a death, and as a company, you may die yourself.

Any physician who works with DoubleClick will violate Do No Harm; I fully expect the AMA to issue a statement to this effect and will be disappointed when they don't.

It truly boggles the mind as to what kind of idiot at DoubleClick came up with the idea of spreading to medicine; when you get email regarding buying a computer while going computer shopping, you might think it's a pleasant coincidence. When you start getting Viagra spam after asking Dr. Koop about Erectile Dysfunction, you feel violated, as well you should.

Have we reached the point where DoubleClick style cross-site spies need to be suppressed, by default, in the browser?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:What about NT?

[swright]

On WinNT, the file is called HOSTS.SAM and lives in winnt/system32/drivers/ or thereabouts On Win9x, its also called HOSTS.SAM and lives in windows/

Blatant lie

[themushroom]

One of the sites listed as having an invisible GIF is www.metamucil.com -- looked, found the tag, laughed, then closed the View Source window. Then laughed harder when I saw the button on Metamucil's site for the "Privacy BBBOnline" link... say what?? Contradiction!

Re:How I fight the great satan

[spudboy]

You don't need to write a new zonefile. You can use the "db.local" or "named.local" zonefile. [zgp.org]

Re:Need something MORE than Junkbuster.

[Jonathan C. Patschke]

Network Solutions have recently split the whois database across several hosts to deal with the issue of multiple registrars. Thus, you need to give the hostname on the command line. Look for a line that says "Whois Server:". For example, if you look up "slashdot.org", the Whois server is "whois.networksolutions.com" The actual format of the whois command differs by operating system/distribution. On Solaris, type: whois -h whois.networksolutions.com slashdot.org On most Linux distributions: whois slashdot.org@whois.networksolutions.com

Re:Hmm..

[rifter]

Actually Playboy has some of the best damn articles in the business, and by that I mean the business of journalism. Their news reporting beats the hell out of that of Time or Newsweek, because they report things which are curiously absent or underreported in such "publications."

And unlike some web "news" sites, they actually WRITE ARTICLES.

Re:Not quite

[bharlan]

Thanks. I copied my linux /etc/hosts file to C:\WINNT\SYSTEM32\drivers\etc\HOSTS and immediately doubleclick.net went away forever.

Re:Need a Data Protection Act

[Firefalcon]

I'm afraid that paper (or transparencies in your proposal) fall under the new DPA which, I believe, is currently in the 'phasing-in' point, but will apply fully soon.

Re:Can't this be turned off at the browser?

[spudboy]

If Doubleclick starts hiding behind hostnames in many domains, the cookies from doubleclick.foo.com won't go to doubleclick.bar.com, and they can't track. [pigdog.org] They have to use one domain to get their cookies back. And that makes them vulnerable even if you don't have an armored backhoe to dig up their net connection. [uwa.edu.au]

Hmm..

[Stskeeps]

Only thing i can think of here, adding ad.doubleclick.net to /etc/hosts as 127.0.0.1 (or c:\windows\hosts for windows users), or disable image loading. I mean, I don't want some multibillionare patentfreak company to see what pr0n sites I go to, or if I go to any other site. This scares me, because what if they sold that information to other companies - wouldn't it be evasion of privacy?. We haven't agreed to let them spy on us - so let's fight it - either by the solution first, or use lynx ;)

Re:Big Brother Moderate This Up!

[Firefalcon]

Not necessarily - just been unnoticed by moderators. 0 is the default for Anon posts.

Too Stupid, But Not For Long

[Syn.Terra]

Here's the meat of the article, and DoubleClick's defense:

"While DoubleClick does indeed record, [it] does not know that room 5 is equivalent to girls home alone." This explanation comes down to saying that while DoubleClick collects the information, it does not have the technical skill to understand it an assertion that Smith and others nd hard to believe.

The problem is, while they don't have the knowledge to link room 5 with girl-girl fetish porn, some *other* company would have no problem doing it. As we all remember, DoublClick has no problem "allying" itself with other companies; at least until their stock price plummets.

I just have to question whether these "web bugs" are really the work of DoubleClick, or just some crafty porn site administrator trying to get paid for posting ads, but keeping them at 1x1 pixels so nobody has to be bothered by them.

---

useful cron job (this one's not empty, honest)

[lord kiwano]

#!/bin/sh

if [ -f ~/.netscape/lock]; then
exit
fi

for i in `cat ~/undesirable_cookies`; do
cat ~/.netscape/cookies | grep -v $i > ~/.netscape/cookies
done

# It has a race condition to it
# Please patch in replies gotta leave soon

Can't this be turned off at the browser?

[jlusk4]

Ok, dumb question #1: isn't it (theoretically) possible to turn off the retrieval of things from sites that differ from the original URL host or domain, in the browser? Like, if I request a URL from www.flibbertygibbit.com, can't the browser be smart enough not to request further resources from, say, ad.doubleclick.net (but be smart enough to request resources from pix.flibbertygibbit.com)? Wasn't this capability in Mozilla until recently? How hard is it to put back in?

John.

Re:My 127.0.0.1 list

[TangoChaz]

Nice idea, but that doesn't account for URL's with plain IP addresses.

If I'm not mistaken, the Web Bug on the example yahoo page already used that strategy.


TangoChaz

--------------------

Re:What I want...

[gfxguy]

Agreed - I posted a wishlist last fall. I guess it also bears repeating. There were lots of good followup suggestions, too. Most of it had to do with privacy, and putting what I consider common controls within easy reach (instead of edit->preferences->advanced->cookies).

The following should be a single click away:

• Toggle Cookies
• Toggle Java/Javascript
• Toggle Images
• Load only from document's server
• Allow/Don't Allow/Ask before opening a new window!!!

With lot's of other customizations (stealth features), like: telling your browser what browser it should be tellling sites it is (no more "You need IE to view this site" when you know damn well you don't). Also let you control wether or not you actually send your username, and other information the browser happily provides that you may not even know about. You should also be able to control, from within the browser, junkbuster-like features. "Accept cookies from" list, and "block these sites" (with address lookup to prevent some aforementioned problems...keep the name and number blocked with one entry).

Mozilla may hold some of the answers, but if it's released by AOL I'm betting it won't (by default) contail anything remotely useful to protect privacy. They already ruined it's first release by including all the extra crap they do, and while they're not MS they're also not a particularly benevolent company (and I work for what will be AOL/Time Warner, so let's keep that last thought between you and me). I laughed when they offered us free AOL - it's surprising how many won't even take it for free!

----------

Anonymity to the rescue...

[krystal_blade]

What about cookies? They take information from you as well, and hand it back. Hell, sometimes you can't even go to sites if you don't allow cookies.

The concept of information grabbing (like with cookies) has been a hot debate on the internet for years, yet no one has done anything. Until something drastic happens to someone, THEN you'll see a change. DoubleClick may have gone too far, and if so, that's a problem that needs to be addressed.

DoubleClick can gain no information if you don't give them any. Web porn sites and Medical sites rely on customer traffic to finance themselves. Those who are security conscious should probably stop going there. There will always be the panting raving idiots with knuckle herpes who goes to the sites, but, the downward trend in business will cause the site owners to notice.

If you hit them where they hurt the most, (their wallet) you have their complete attention.

It is a democratic society, and you have the right to take your business elsewhere.

krystal_blade

Re:Hmm..

[Abigail]

What would be the point of going to pr0n sites in lynx, since you wouldn't be able to look at the pictures/movies?

You don't know lynx. It's missing ability to *inline* images doesn't mean it's unable to show images. All it does is using an external program, just like Netscape would do for, say, a PostScript file.

-- Abigail

Once again...junkbuster to the rescue!

[gfxguy]

It's been said a million times, here on slashdot, but it bears repeating:

Junkbuster will not only allow cookies from specific sites you want, but can disable downloading anything from any site you don't want.

When we all use something like junkbuster, maybe someone will get a clue. Now it's only punishment for the uninformed.
----------

Re:Can't this be turned off at the browser?

[TangoChaz]

Yeah I've seen that. An ad server was having trouble, and the page wouldn't display until the ad showed, so I went elsewhere.

I guess the solution would be to re-map the ads to some local graphics. A little tricky to do on the client side, but the server could simply be set to return the graphic when the link wasn't found.


TangoChaz

--------------------

Re:and here's is what is going on at Double Click

[babbage]

"Geez this guy is sick, 39 minutes on one picture"

Actually, this doesn't tell you much of anything at all. Examples:

• Browsing in two windows. Load picture in window #1. Open Slashdot in window #2. Spend half an hour wishing Katz would shut the hell up, wanting not to hear any more about grits or trousers or Portman. Close window #2, remember that window #1 has been open with that picture all this time, and close it too after following a link or two and deciding that you aren't interested in this site.
• Load page. Get invited to lunch. Turn off monitor and leave. Come back, rememmber that you left Netscape on, and reload the page, then think better of it and decide you'll take a look after work.

Those are just obvious examples. More than that, I don't think the HTTP protocol really allows you to gather the sort of information you're talking about. All these people could find out was that you loaded their image once at, say, 10:00, and then you loaded another at 10:39. What you did between those two clicks is a complete mystery to them. You could have, for example, hopped over to Google, searched for whatever for a while, then came back to what you were doing previously. This example is only different in that it doesn't mean you weren't paying attention to the browser & the tagged page -- you were.

This isn't to say that there aren't frightening Big Brother aspects of this all. Certainly, I'm sure it's possible to make some more or less accurate guesses about what people are doing. But because of the basically stateless nature of HTTP (neverminding cookies for a minute), the most these peopel can get is an imperfect view of your travels, and everything else is just statistics, probabilty, and educated guesswork.

Privacy [slab.org] is, of course, very important, and it's important to know what information you are giving away whenever you use the web. But it's also important to know what you aren't giving away, at least with current technology, and to use that as a starting point in trying to defend your privacy.

Re:Hmm..

[talonyx]

Just like when I read playboy!

Can't they just track us at the server ?

[lazarus_]

Maybee this is a stupid question... if so not the first..

But is it enough that we stop the request from our compter?
So many of these sites are generating the pages on the fly - can't the server track the request? - and even if we block the actuall add, the server can log that it was going to send one.
Do we even need to see the ad for travels to be logged?

sick!

[nocent]

what kind of sicko goes to a pr0n site to read the html source? that's some fetish.

"errr... yes, i was doing research and stumbled across the site and noticed a web bug in the code."

Re:Once again...junkbuster to the rescue!

[Abigail]

When we all use something like junkbuster, maybe someone will get a clue.

Then a lot of websites lose their income, and that will be the end of them - including your beloved slashdot. You *do* realize that the ads on slashdot can be used for exactly the same thing doubleclick is using them for, don't you? And I hope you've spotted the 1x1 invisible gifs on the slashdot pages as well. (Like from the nameless host 209.207.224.245).

-- Abigail

Re:Junkbusterize it!

[Abigail]

Now, what I'm really waiting for is for someone to write a proxy that can dynamically rewrite pages as they come through an http tunnel.

I've done that years ago. Tom Christiansen has made the tarball available for that, somewhere on perl.com.

-- Abigail

Re:The unthunk gets thunked more

[Abigail]

Guess someone could add a scrubber component to the browser's which'd truncate the URL's at the ?, but chances are lots of requests would fail if that would happen...

But even then, just lose the ? and replace it with a /, or a Q or whatever you feel like. It's up to the server anyway to map a URL to an object. But beside the URL, there are more things in the HTTP protocol that can be used to track people, and that aren't immediate obvious, unless someone tells you. The last modified field, for instance, which on return visits to the URL, is reported back to the server. ETag is another example. Browsers typically allow you to disable cookies, but find a browser that lets you disable ETags....

-- Abigail

Re:How I fight the great satan

[Abigail]

the other is images.slashdot.org/pagecount which you'd think would have a valid purpose.

You mean, the slashdot maintainers aren't smart enough to grep through the accesslogs to find out the pagecount? (Which is not only far more efficient on both the server and clients ends, and the network in between, it's also more meaningful)

-- Abigail

Odd..

[mosch]

having read that I quick checked my cookies file and discovered that my id was no longer opt_out.

i'm not implying some sort of conspiracy theory, but i am curious as to how this happened (linux netscape 4.7 on freebsd 3.5)

i quick wrote a little app to check the cookies file and tossed it in a cron job so i can try to find out what causes this, but in the meantime, anybody have any ideas other than user error?
----------------------------

Re:DoubleClick's Fatal Error

[bridgette]

I can't wait until some insurance company allies w/ double click to get at peoples medical site profiles.

Even if my medical records are safe on dead trees in my physician's filing cabinet, knowing that I've been looking up information on "chest-pains" or "HIV treatments" would be worth money to comanies looking to insure me.

It will be tons-of-fun explaing that the chemotherapy article wasn't for me but for a friend and no I won't name names.

Hey, maybe doubleclick can merge with TRW or Expirian so they can mege "browsing profiles" with credit reports. Then they can offer lists of say "sports car enthusiasts" and filter out the ones that can't affor a ferrari.

And when some lawer decides to supeona doubleclick during the discovery phase of some totally unrelated case, things will get really interesting. Oh wait! They already subpeona medical records for cases as minor as arguing a speeding ticket. nevrmind.

Two wrongs don't make a right

[FascDot Killed My Pr]

No, do NOT deliberately make bad software. That's unethical. In fact, I would even argue that dragging your feet or lying about the real cost would be unethical.

A better solution is:

Step 1) Understand what you are being asked to create. Maybe your unease is caused by a misunderstanding.

2) Talk to the relevant manager (or as high as you can get access to). Explain your concerns. If there are channels, go through them. Document all conversations/memos/emails/etc.

3) If asked to implement anyway you have several choices:

a) If the action is illegal you can refuse to do it and "blow the whistle". There are laws that no action can be taken against a whistleblower so you are theoretically safe (I don't know how well this works in practice, though).

b) If the action is merely unethical the situation is murkier. If the business you are working for is part of a professional association, check their code of ethics and procedures for compliance. For instance, if a doctor wants you to write software that transmits medical data over an unsecured channel, you might be able report him to the AMA. (warning: this is only an example)

c) If your situation still hasn't been covered by the above, you may have to go it alone. Personally I would quit and maybe publish information (Internet, other media outlets, etc) regarding the proposed action. Yeah yeah, "I have mouths to feed". But a child is more than a mouth. I'd rather have my child miss a meal than seeing Daddy doing something wrong. Besides, programmer's (and engineers of all kinds) have no problem finding work. Even at McDonald's.
--

Updated junkbuster blockfiles

[fialar]

Can anyone offer URL's for constantly updating junkbuster blockfiles? I'd like to keep mine up to date.

Another nice thing I have going is I have a VPN to my home machine from work. When I browse from work, I use my home machine as my web proxy (Junkbuster). The result: completely anonymous and encrypted web browsing from work. Pretty slick, eh?

Fialar

Web bugs on slashdot

[Alan Shutko]

So, what's with the 1x1 pixel bug on all slashdot pages?

http://209.207.224.245/Slashdot/pc.gif?/comments .pl,962470762278

Re:My 127.0.0.1 list

[psin psycle]

I combined this list with a pervious one posted here. There are now 96 unique values.

0.0.0.0 javascript-of-unknown-origin.netscape.com
127.0.0.1 localhost
127.0.0.1 127.0.0.1 ads.i33.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferances.com
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 ad.washingtonpost.com
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.enliven.com
127.0.0.1 ads.filez.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 ad-up.com
127.0.0.1 advert.heise.de
127.0.0.1 banner.linkexchange.com
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 doubleclick.net
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.doubleclick.net
127.0.0.1 www.nrsite.com

Re:How I fight the great satan

[Tony Shepps]

The /. 1-pixel image is a weird one. It's right at the top of the page, in a 2-pixel wide table to the left of the banner ad (from doubleclick.net BTW). There are two single-pixel images in that table; one's the off-site "bug" and the other is images.slashdot.org/pagecount which you'd think would have a valid purpose. There's another 2-pixel wide table to the right of the banner ad, with a single pixel image referencing images.slashdot.org.

I'll be generous and suggest that these images are there to count doubleclick banner impressions, and that the third-party off-site bug is a third-party offsite counter of banner impressions. But who knows? It doesn't resolve any reverse DNS. Traceroute has it going through Verio. It could be anything.

Andover has a privacy policy linked from every page which reads in part: "If you choose to give us personal information via the Internet that we or our business partners may need -- to correspond with you, process an order or provide you with a subscription, for example -- it is our intent to let you know how we will use such information. If you tell us that you do not wish to have this information used as a basis for further contact with you, we will respect your wishes."

I'll give them the benefit of doubt and not block it, but it is curious.
--

Re:Slashdot uses "Web Bugs" as well.

[jamiemccarthy]

But what are they used for? I'm not sure. But look at the source code of almost any page here, and you'll see them:
<IMG SRC='http://209.207.224.245/Slashdot/pc.gif?/comme nts.pl,962468080410' WIDTH=1 HEIGHT=1>
<IMG SRC='http://images.slashdot.org/pagecount.gif?/com ments.pl,962468080410' WIDTH=1 HEIGHT=1>
<IMG SRC='http://images.slashdot.org/banner/gate5002en. gif?962468081680' WIDTH=1 HEIGHT=1 BORDER=0>

Maybe one of the slashdot staffers could answer this.

The first one is a page-counter graphic that's apparently on a machine at Slashdot's old hosting location, Digital Nation (since the traceroute to it goes through dn.net). I'm not that familiar with the technical end of Slashdot and so I can't speculate why it's loaded from dn.net instead of from our main servers.

The second one is a page-counter graphic (obviously) on our main servers.

The third one I'm not sure about. Like I say, I know little about the tech end of Slashdot and even less about the ad system.

In short, these guys are harmless. "Web bugs" allow a site other than the one you're currently reading to check up on your behavior. Obviously you're leaving footprints all over slashdot.org's logs every time you load our homepage!

Jamie McCarthy

Re:Web bugs on slashdot

[amjohns]

That's exactly my question. That IP is unregistered. Tracert from my DSL shows it much closer to me than slashdot (15 hops), and going through a verio router (my info left off for obvious security reasons):
4 32 ms 31 ms 31 ms t3-customer.qwest.net [205.171.52.242]
5 31 ms 32 ms 31 ms ge1200.ca2.wdc.dn.net [209.207.190.33]
6 31 ms 31 ms 32 ms 209.207.224.245

dn.net is owned by Verio, and since I live just outside DC, we can assume wdc.dn.net is in washington. Since this mystery IP is only one hop from that router, it's most likely on Verio's backbone somewhere. So who owns it, and what's it doing tracking slashdot?

Re:Web bugs on slashdot

[pirodude]

here's a tracert from inside dn's network:
traceroute to 209.207.224.245 (209.207.224.245), 30 hops max, 40 byte packets
1 fe0410.ca2.wdc.dn.net (207.226.170.1) 1 ms 1 ms 1 ms
2 209.207.224.245 (209.207.224.245) 1 ms 1 ms 1 ms

and here's one from my server at dn:
traceroute to 209.207.224.245 (209.207.224.245), 30 hops max, 40 byte packets
1 ge0400.ed2.wdc.dn.net (216.167.2.67) 0.659 ms 0.573 ms 0.572 ms
2 fe0910.ca2.wdc.dn.net (209.207.190.25) 1.573 ms 1.775 ms 2.029 ms
3 209.207.224.245 (209.207.224.245) 2.890 ms 2.323 ms 2.350 ms

and here's ur standard nmap:
Starting nmap V. 2.3BETA9 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (209.207.224.245):
Port State Protocol Service
9 open tcp discard
13 open tcp daytime
21 open tcp ftp
22 open tcp ssh
37 open tcp time
80 open tcp http
111 open tcp sunrpc
873 open tcp unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Re:Junkbuster: Too slow

[crow]

What Junkbuster does do is provide a sample list of advertising sites. This can easily be converted for use as an ad-blocking /etc/hosts file. (Then you just set up a web server that sends back a 1x1 transparent png for any request--or better yet redirects you to a 1x1 transparent png so as not to pollute your cache.)

Now what we need is a nice package that installs such a web server (possibly a stripped-down Apache) and updates the /etc/hosts for you. Then if we could get distributions to start installing it by default...

Opt-Out from Doubleclick! I have allready... :-)

[CptnHarlock]

I thought I'd mention that there is a way to Opt-Out [doubleclick.net] from DoubleClick. I don't really know if they are trustworthy regarding how they've behaved before though... But it seems to be for real. If it weren't and someone would find out - they'd be sued to oblivion...

Thank you.
//Frisco
--
"At the end of the journey, all men think that their youth was Arcadia..." -Goethe

Re:Double CLick has an opt out.

[Tackhead]

> [someone mentions Doublefuck's "opt out" cookie]

Oh, sure, and Doubleclick would never continue to collect data on people who've clicked on their opt-out cookie.

'Cuz that'd be, like, not honest, and they've got a Trust-E seal on their site, which means they never lie!

(Irony: The state of being highly enriched in iron.)

Data miners can have my privacy when they pry it from my cold, dead fingers. Opt-out is a cop-out.

[OT] Annoying /. policy no. 638

[A Big Gnu Thrush]

I agree. This is silly. If Signal 11 has pissed everyone off so bad that mod points a used against him and him alone, then maybe something's wrong with Signal 11.

Never mind, we're the problem.

Doubleclick is no worse than hitbox.com

[Everyman]

Try surfing a few porn sites, and then look at your cookies from hitbox.com. You will discover that hitbox.com saves the URLs and/or titles of some of the pages you surfed in plain text in your cookie.

So you can end up with plain text such as "Wild_Bondage" in your cookies.

I asked the general counsel and chief privacy officer of hitbox.com's parent company to at least start encrypting this info in the cookie, on the grounds that cross-domain cookie reading is possible for anyone (86 percent of the online population) who uses Explorer. That was a month ago. They checked out the demo I recommended, according to the logs, but never answered my e-mail. The demo is at http://www.pir.org/nocookie.html (toward the bottom of the page).

Re:Et tu, Altavista?

[pirodude]

use google..faster and has indexed over 1 billion sites
www.google.com - use it f00!

Re:Junkbusterize it!

[Anonymous Coward]

Remember: no company can survive without people
Even people who commit acts of sabotage?

Civil disobedience is not to walk away. The civil rights movement in the US being a classic example, by your standards civil disobedience would be for black people to boycott restaurants that refused to server them. My, that would have been effective.

Sabotage is proactive. It's the one way that a person who doesn't have any power can make their convictions felt. And honestly, in this corporatized world, how much power does one programmer have?

Sabotage might not be the most dignified thing to do, it may not satisfy your ideals of honor, it may not seem like strong conviction. But unlike quitting, sabotage actually does something. Sabotage actually changes something. Quitting just means you're no longer part of the problem, but it doesn't make you part of the solution.

Someone who commits sabotage doesn't get much respect, and does not receive recognition (at least if they don't get caught). But isn't that actually more selfless? Doing something not because of what people think of it, but because you know it's right?

Create a censoware-type hack?

[jmorse]

OK, we at /. all know how to edit our HOSTS files to take care of this. But what about John Q. User, who would be hard pressed to save a file in a text editor? What we need here is a piece of software similar to, dare I say it, CyberPatrol, that maintains a list of privacy-encroaching hosts and edits the HOSTS file(s) for you. Hell, there could be a central repository of host names that routinely track peoples' habits online, and the software could run periodic updates. Of course, there would have to be some way to allow the user to disable certain hosts, but I don't think this would be too tough to write.

Re:Updated junkbuster blockfiles

[Mr Z]

Who the f**k moderated this 100% valid and relevant question as a troll?

There are some good sites out there for keeping your Junkbuster block lists up to date. Although I can't vouch personally for the following, here's what my blocklist has to say: (I actually got this file from the second link below. The comments below are from the block-list's author.)

# I got this from http://mind.learning.cs.cmu.edu/blockfile [cmu.edu]
# and changed it a little bit. Note that my junkbuster is compiled
# to understand full Posix regular expressions.
# Send suggestions to boldt (at) math.ucsb.edu.
# Home page: http://math-www.uni-paderborn.de/~axel/ [uni-paderborn.de]
# Other blockfiles are available elsewhere, try searching
# documents that mention "junkbuster" and are called "blocklist"
# altavista.digital.com/cgi-bin/query?pg=q&what=web& fmt=.&q=%2Bjunkbuster+%2Burl%3Ablocklist [digital.com]

Hope that helps.

--Joe
--

How can "webbugs" track your time?

[jonathanclark]

John Q. Doe, personally spent 12.2 minutes at a girl-on-girl fetish page

How can a webbug track your time? I've seen that 30% of people or more only look at one page on a site and then go away. So you can measure the time between clicks? Also, people might click on Page 1 then Page 2 and then use the back button to read Page 1 more.

One way I can see of tracking time is to use an IMG tag to load an image on a remote server. Instead of sending the data to the client the server "stalls" the connection feeding just enough data so that it doesn't time out. When the client goes to another page, the browser will close the connection and you can record the time.
The problem there is the borwser will never report the page has been loaded (i.e. the spinny thingy keeps going). Plus, I don't know if the browser will try to reload the image when the client comes to that page again.

An approach I've been playing with is to use a tiny Java app. The start() function records the time and the stop() sends a message to the server with the clients time. This works perfectly, but a good number of people have Java turned off (including myself). Plus if the user doesn't have a JVM loaded then your page can look like it is very slow to load.

Anyhow, I admit it's a bit on the devious side - but I'm only using it on my personal website to find out what types of information people are interested in - so I can focus my attention in a productive manner. A page hit doesn't really tell you that kind of information, and very few people take the time to provide feedback.

In the last 2 days, people have spent an average of 97 seconds per page on my web site (of those running Java). However, people who don't stick around long enough for the java app to be loaded aren't counted. If you want to see the applet in action click on my sig.

Well, What do you expect from Doubleclick?

[Tri0de]

I am of two minds about this. On one hand, if you *DON'T* take pains to anonymize your travels on the web you are only asking for trouble; much like getting money out of an ATM in a sleazy part of town alone after dark. As it appears that there is more money to be made than risk to be faced by behaving the way Doubleclick does the result is not suprising.Not that we know of any software companies that have made a similar calculation. OTOH, I would dearly love to see them get their clock cleaned in some sort of class action lawsuit. If the Feds have to deal with the Freedom of Information Act then why should any business be invunerable? Of course the really interesting questions are Who owns the information about you, and towhat nefarious purposes could it put?

Need a Data Protection Act

[Nemesys]

The UK has something called the Data Protection Act. It utterly frustrates strategems like the one described here: all subjects of electronic data have the right to see what is being stored about them, and there are penalties for holding inaccurate data and for transferring the data to separate organisations.

The DPA has many flaws too, of course (e.g., effectively banning fingerd and log files), but that is a separate issue.

Re:Can't this be turned off at the browser?

[pigret]

As far as I know, the excellent iCab browser for the Mac (limited javascript support, but otherwise pretty standards compliant) can switch off the sending of "http referrer" data - which I assume limits the data that can be gleaned at the server end (a little....). icab is at http://icab.de/

Re:Hmm..

[clearcache]

either by the solution first, or use lynx ;)

why would I want to visit a porn site using lynx??? ;)

Re:Can't this be turned off at the browser?

[Eric S. Smith]

Mozilla [mozilla.org] currently has a preference setting for loading only images that come from the same domain as the page, as well as a "Warn me before loading an image" option. This is by analogy with its cookie-handling. It should be possible to defeat "bugs" using either this feature or a more convenient adaptation of it.

Presumably, this feature will appear in Netscape 6 and the AOL client, but you never know what marketing will object to...

Re:Hmm..

[Danse]

Gotta agree with you on that. While the vast majority of people don't buy Playboy for the articles, they are missing out if they don't bother to read them somewhere along the way.

Re:Can't this be turned off at the browser?

[titus-g]

It's possible that junkbuster does identify itself in the HTTP_USER_AGENT field, although you'd of thunk they would have gone for identifying it as MSIE 5 or something to avoid that.

Apart from that I guess it is possible that they are using Javascript to load the info on the page, could try turning it off and looking for references to .js files in the code. makes things complicated though, as you then have to get the .js files and read through the code to find what you were looking for.

Another thing (most probable) it could be is that the links are made via an ad server e.g. http://ad.doubleclick.net?click.pl?sender=some.sit e&goingto=another.site this stops the link from working as you can't get the redirect from the ad server. http://www.x10.com (wireless web cam) is a good example of this all their images and links are via an ad server.

Re:Create a censoware-type hack?

[PigleT]

"OK, we at /. all know how to edit our HOSTS files to take care of this. "
Editing your /etc/hosts file isn't the way to do it, surprisingly enough. Far better to run either
a) a filtering proxy and/or
b) a local name server, pointing *.doubleclick.net to an unrouted IP# (eg localhost, 192.168.x.y, and so on).

"But what about John Q. User, who would be hard pressed to save a file in a text editor?"
What indeed? Let him be caught surfing for pr0n by all means ;)

What you really want is WWWoffled [demon.co.uk], which has a very nice web-based admin CGI frontend, allowing you to edit your filter list from the comfort of your own browser...
~Tim
--
.|` Clouds cross the black moonlight,

Re:Need something MORE than Junkbuster.

[rjh3]

If you really feel the need, junkbuster has the option of sending wafers. These are cookies with some entertaining legalese that are designed to fit within the rules for a cookie. Or you can invent your own wafer.

But the issue with 1x1 web-bugs is not cookies. These web-bugs are already encoded with the tracking information so that the mere attempt to load the image provides the tracking information to the perpetrators.

I thought IE used to barf on this sort of stuff

[pridkett]

Doesn't IE dislike this sort of stuff? I remember back when IE 4 came out we used to send cookies to remote domains via 1x1 gifs and IE started to make it so a 1x1 gif couldn't set a cookie if it was loaded from another domain. Anyone else remember this? Netscape will still let you set a cookie with a 1x1 gif from another domain, but when, for the time being, IE has won the browser war you cater to them.

Re:A little confused

[/]

Only if you trust them to be running the same exact code they've released, which would be unreasonable for even innocent reasons, like the inevitable delay between making modifications and incorporating them into the public release. For example, the "bitchslap" function isn't in the latest open version of slash, IIRC, but I haven't looked very closely.

1x1 is a 'counting' gif

[Builder]

The 1x1 pixel gif is used by many adserving products. They normally deliver it with every ad, and the cookie that the adserver sets is normally attached to this gif. This gif is used to count how many ads are delivered. Clicking on the main image / flash feature will then count the click, by having an href that normally looks something like :
A Href="http://bad.evil.adserver.com/Software/ads/cl ick_an_ad.cgi/SITENAME/PAGENAME/CAMPAIGN NAME?_REDIRCT_TO="http://theadvertiserssite.com""

The sitename, pagename and campaignname are normally variables in whatever ad tag code you are putting on your page. These are then parsed by the adserver when it serves the ad and filled in with data that is meaningful to the server. This data can normally be completely meaningless to the web server that is serving it. The pagename doesn't have to match the pagename on the webserver, but merely the commonly agreed upon name. So I could lable a page as www.mysite.com/apage and schedule ads to that. But the site itself, would actually be www.mysite.co.uk/anotherpage.html and would just ask the server for an ad for www.mysite.com/apage

When you click on an ad, that data is sent back to the adserver so that it knows what ad you are trying to click through on, and what campaign to assign the click-through to.

This is all from memory and may be slightly flawed. But if you can read passed my garbled wording and see the idea, you'll have the picture.

DISCLAIMER: I used to work with web adverting but I'm just an (ab)normal sysadmin now.
/* Wayne Pascoe

Junkbuster: Too slow

[crow]

I installed junkbuster this week, and I found that it really slowed down web page loading. I turned it off after a short time--I just couldn't stand waiting twice as long for pages to load.

Perhaps people with modem connections won't notice the extra delay.

I also didn't like how pages that had load errors came up with junkbuster-generated pages instead of the same info they normally would come up with.

Re:My 127.0.0.1 list

[/]

Yes, Junkbuster is a more full-featured package, but there's a world of difference between telling someone/anyone "here's a file, name it 'blah' and put it in 'blah folder'" and "he's a site, spend a while downloading junkbuster over your dialup connection, install it, set it up correctly, and maintain it". Ideally, everyone should do the latter, but it'd be a wonderful start for more people to do at least the former.

DoubleClick's not the worst "Big Brother"

[Anonymous Coward]

Check out Naviant [naviant.com] - they're doing the same thing - teamed with 24/7 Media [247media.com] and Matchlogic [matchlogic.com] to actually serve the ads. But they have a huge database of names and addresses and match these up with the cookie IDs used by the advertisers. So while DoubleClick will know that a particular computer frequently visits Asian foot fetish sites, Naviant will be able to tell that it's really Bob Shemolie at 1212 Main Street and then send him a catalog in the mail. So block those cookies, everybody!

Junkbusterize it!

[Signal 11]

Just drop *.doubleclick.net into junkbuster's blockfile, and doubleclick cannot track you any longer.

Now, what I'm really waiting for is for someone to write a proxy that can dynamically rewrite pages as they come through an http tunnel. Then, we can block ads, the associated javacrap, and other stuff - like pages containing the string "MAKE MONEY FAST!" I prefer not to get involved with the ethical side of business - business long ago proved to me they have no real ethics, hence I focus on creating technical solutions which either force them to be ethical, or force them away from me.

I think the technical community should make a stand and say we will not tolerate this, and then proceed to distribute easy-to-use software which blocks companies money-grabbing attempts. Remember: no company can survive without people. If a company is being unethical, solve the problem via technical means. If you work for the company, stall, drag your feet, and if you have to engineer the privacy-invading feature, remember these words "Yes, it's possible, but it would cost too much to do it".. and if they try anyway, make sure you're very well paid and that the product develops all kinds of bugs.. like suspicious dialog boxes in spyware that give your company's URL along with a "please report this error: Error collecting data on ${USER}, please contact sales@mycompany.com".

Civil disobedience.

The unthunk gets thunked more

[__aaanwh8370]

These "web bugs" are nothing new, and do nothing more insidious than can be done with ANY other type of HTTP request.

Any web resource can be used to track you. You could have web bug *.jar's, web bug *.js's, web bug *.htm's, web bug *.php's, or web bug *.pl's ALL DAY LONG but we wouldn't call 'em web bugs. We'd call it information accumulators being a little more aggressive we're particularly comfortable with.

The problem is not with images, but rather that you can include just about anything you like in the query search portion (the part after the ?) of the URL of any HTTP request.

I develop opt-in marketing automation software (ummm...the pay's good?;), and we've been gathering info for years. To this point, our high-ups don't know much about it, but we developers use it as an easy way for the browser to communicate back to the server without having to do full submissions. Used this way, it can save lots of unnecessary traffic. Can be a very handy, and useful feature.

Of course it's going to be capitalized on, tho.

Don't see of much way around it, since the "web bug" doesn't have to come from a different server at all. Once processed, the original request can be forwarded to any server the original recipient likes.

Guess someone could add a scrubber component to the browser's which'd truncate the URL's at the ?, but chances are lots of requests would fail if that would happen...

Lame excuse...

[Leonel]

More people should try that one :

Even though we decrypted copy-protection on your dvd, we do not have enough inteligence to watch the movie after we do it...

Yeah right.

How I fight the great satan

[Anonymous Coward]

I have been maintaining a junkbuster proxy for long enough that I haven't noticed how commercialized the web has become, because I never see it. Maybe once a week, usually when visiting a new web site, a blinking banner ad gets through, and my innocence has made me very sensitive to them, so I immediately block it.

Lately, I've gone to reading the HTML source, because often the image's URL comes from a redirector which does the actual logging, and I want to block it before access to the redirector.

(By the way, do you know that slashdot has a web bug [209.207.224.245] on its pages? I have it blocked. You should, too.)

Anyway, a while ago I noticed that doubleclick.net was getting some ads past my filters, despite the fact that their domain (and various IP addresses) are at the top of my blockfile.

The sneaky bastards were using https. Proxies generally ignore than and pass it straight through. With 128-bit encryption, too; better than most of the e-commerce sites. (I would have noticed; I have everything 56 bits and below turned off.) I had to admire their ingenuity.

However, I still had to put an end to this. I told my DNS server that it was now authoritative for doubleclick.net, and that the zone was empty, so any address lookup attempt will fail. And I fetched the zone from their servers and added it to the firewall rules. Each was tested as adequate independently. Both is backup.

As I've been reading over that last year what a bunch of nosy bastards they are at doubleclick, I'm more and more glad that my computer hasn't deigned to send a packet to them for a very long time.

Although it'll probably make them change tactics again, I thought I'd share the DNS trick. It works pretty well. (And it gives you reason to learn about DNS zone files - I carefully haven't given an example, even though it is trivial.)

Re:Can't this be turned off at the browser?

[jamiemccarthy]

Like, if I request a URL from www.flibbertygibbit.com, can't the browser be smart enough not to request further resources from, say, ad.doubleclick.net (but be smart enough to request resources from pix.flibbertygibbit.com)?

Yes; the trouble is that many sites have offsite images load from a perfectly normal and harmless third-party server. Akamai [akamai.com] is the best example; companies from Altavista to Apple to Andover store their graphics on Akamai's distributed servers for faster load times. If you prohibit all third-party graphics, you prevent these graphics from loading, thus breaking many pages.

Wasn't this capability in Mozilla until recently? How hard is it to put back in?

Yes, it was; see this older slashdot story [slashdot.org] for details. The good news is that Mozilla retains the capability to block off-site cookies, which doesn't totally eliminate the web bug problem but does take a huge bite out of it (along with the whole DoubleClick-privacy problem in general).

Personally I suspect that the offsite image problem could be 99% solved with a little special-casing and some creative DNS work. But I don't know that for certain.

The bottom line is that, because of this one incredibly simple feature, Mozilla [mozilla.org] is currently the most privacy-friendly off-the-shelf browser that I know of. Of course, if you are really concerned about privacy, you could try add-ons like Junkbusters [junkbusters.com] or IDcide [slashdot.org].

Jamie McCarthy

Re:Once again...junkbuster to the rescue!

[Signal 11]

Of course, a link [waldherr.org] is often helpful.

We did stuff on the business end

[Fervent]

I began to notice this when I worked for Refer-it, an "ecommerce" site. A lot of Doubleclick's add banners contained code for a 1x1 clear pixel that sent code along (some kind of CGI script on Doubleclick's servers).

Problem was the stupid thing wrecked havoc with our banner code (we were using Cold Fusion and it didn't like dealing with the banner and 1x1 pixel in one shot), so I cleverly "omitted" the pixel. :) My boss never knew about it.

Re:Opt-Out from Doubleclick! I have allready... :-

[cybaea]

The opt-out [doubleclick.net] option from DoubleClick is reasonable for what is does:

It does not stop tracking of visited web pages, it simply stops associating that tracking information with you.

So DoubleClick will still know that somebody visited the lesbian p0rn site (or whatever the original example was) and it will know the IP address that the request came from (I always go through a web cache that my provider [demon.net] supplies: this provides some degree of anonymity) but it will not know it is "you" and will not be able to associate this visit with the one you made yesterday (and the day before and the day before that, ...)

It's fairly easy to check that the opt-out is working by simply checking the cookies for DoubleClick. If you are using Netscape 4.x and are unfortunate enough to use it on Windows NT, then look for the file:

drive:\Program Files\Netscape\Users\Your User Account\cookies.txt

Search in here for .doubleclick.net. (Other systems will find a similar file somewhere.)

Re:nasties.reg - Link inside to original post

[M1000]

http://slashdot.org/comments.pl?sid=00/06/23/12402 14&cid=46