Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Your Rights Online

Microsoft: The Biggest Web Bugger 188

An unnamed reader writes: "A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization. Less surprisingly, however, the same report shows that by making some rough traffic estimates, DoubleClick is probably bugging more web traffic than anyone else. (Except of course those big ISPs running proxy servers...wonder how long it will be before the ad agencies get into bed with the ISPs?)"
This discussion has been archived. No new comments can be posted.

Microsoft: The Biggest Web Bugger

Comments Filter:
  • by Anonymous Coward
    This is so brazen it is breathtaking in scope.
    Complain to your browser software company that there is *no* justifiable reason an IMG tag URL should return a cookie and the browser should store and serve said cookies.

    And the incredibly sad part is that you are too late to "undo" the theft of your privacy. Hard drives never forget.

    Web Advertisers and web-bugs are just another Napster network trading _your_ personal information instead of MP3s.

    They're your cookies. If you *have* to keep them in order to use a website, then feel free to *ALTER* them. It's *your* disk drive, and your EULA clearly states that you retain the right to alter any information stored on your media, and do not allow encrypted data to be stored on it, right?

    If a company insists upon storing data on your hard drive, you have a right to require they disclose any encryption used and provide a decrypted version of the data they are storing on *your* hard drive.

    Work the DMCA - Your EULA for hard drives state that is your policy. Any encrypted data is a "circumventing device" intended to violate your EULA.

    Diclaimer - IANAL but isn't the law for *everyone* to obey?
  • by Anonymous Coward
    If you use Internet Explorer, it's easy to block these. Just add any suspicious domains (e.g. *.doubleclick.net) to Restricted Sites in the Security tab of the Internet Settings control panel, disable everything (most things are already disabled for restricted sites), and that's that.
  • Web standards are for *both*. If web browsers didn't render incorrect HTML, then web pages would stay clean.

    However, I'd be happy if browsers even had the *option* to enforce compliance.

    For instance, if browsers could actually obey the </HTML> tag, then the fascist disclaimer that is automatically appended to all of my pages at NCSU wouldn't show up. :)
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • I didn't know at first if this referred to "Buggy" web pages, or "Bugging" web pages.

    Microsoft is surely responsible for more buggy web pages, such as any HTML generated by Word or FrontPage, and the creation of their own Windows-only character set that often render what should be simple ASCII punctuation into question marks, or worse. Also, their webpage fonts are incredibly small on any system that doesn't support *their* fonts.

    Doubleclick also is responsible for buggy code, specifically something known *as* a "web bug" or a "GIF bug", but that's also used to track people, so that would count as "bugging" as well.

    The short answer for that would be to simply install JunkBuster. As for fixing Microsoft's sloppy HTML, I bet a proxy server like Junkbuster could detect a "GENERATOR" tag or maybe an undefined character code and just run the page through the Demoronizer.

    But I wish people actually implemented the web standards we had originally, or put such compliance in the web browsers we have now. Netscape and IE are much prettier than Amaya, but they still read past a closing HTML tag...
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • Doubleclick is reputed to have amazingly accurate profiles of nearly every American household with internet access.

    For "normal" user yes certainly, but all of us here usualy optout [doubleclick.net], or you can have some cookies filter.
    Anyway I don't know really if optout works, as they could use your IP address to collect info on website you go. Anyway I use for doubleclick.net :)
  • I wish I had mod points to mod that back up.
  • Jason Kersey removed all ads from mozillazine.org, and I think he did that because people complained about that ad so much

    Well, there's also the issue that there's been numerous Java install glitches with Mozilla, which probably is the primary browser hitting the site. So, it's possible the ad network figured out that half the hits they got didn't even load the ads.

    I thought it funny that I could only see Mozillazine's ads in IE, anyway. (Eventually a massive JVM purge and reinstall sorted the issue out.)
  • I signed up for that and I put the msiepiss.gif up on my page. Their stupid bot couldn't tell the difference and it let me in anyways. For those of you who never saw it, it was an animated gif with a man who runs across the browser, drops his pants and pisses all over the MSIE logo (splash and all). I guess if it's good enough for MS, then why not?
  • If you want to talk about it amongst the rest of us well educated adults, then learn to hack English appropriately!
    That's 'well-educated adults'. Does this matter? No. I knew what you meant. Just like you knew what the good commander meant. So while the grammar may have been a little, shall we say, tacoish, the message - the important bit - got through loud and clear. Lighten up.
    And I'm pretty sure the verb is 'to lose', not 'lose'.
  • Of course. It follows the standard adage: Be strict in what you emait. Be forgiving in what you accept.

    Although, it would be really nice if IE, Netscape, etc, had a -strict switch.
  • completely offtopic.

    Where do you get your information? check out netcraft. It shows that Apache is most definitely NOT losing ground to IIS. They're staying roughly the same. Apache~60%; IIS~20%
  • Hardly. Netscape keeps it's cookies in memory until you exit it, so all cookies work perfectly as long as you don't quit netscape. What I do is add the cookies I want to .netscape/cookies, then chmod 440 it... You get all the site logins etc you want, but all the non-approved cookies go away as soon as you quit netscape...
  • Well, they bugger everything else. Why not the Web?

  • By sending out a lot of spam with webbugs they can match email addresses to their webbugs. Then if they link up with e-commerce sites like amazon, ebay etc they can link the email address to a real address.
  • Thanx D.B. for the plug for my war on spam page [lenny.com]

    Spammers sre scum!

  • see post #23

  • It is not trivially easy to associate web bugs you encounter while surfing with your email address, only ones in spam. And then you have to read the spam while online, and allow it to load images.
  • I use Konquerer under KDE and set it to alert me for any cookie. If a site tries to set a cookie that I don't want, I click "Deny all cookies from that domain." That way I never get bugged about cookies from that site again. It also forces me to only allow cookies from sites that I explicitly allow.

    You should use the same philosophy for cookies as you do for access lists: Anything that isn't explicitly allowed should be denied.

    By the way this comment was posted in Konquerer, the coolest web browser on the planet.
  • Right, and I'm so sure they don't log that information.

    I lost 50 pounds!!! Ask me how. Sucker.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • Right, it's not trivial. It works best if you put bugs into pages where the user enters the email address and you pass it through a query string, and you collect other info too, then you buy a major consumer marketing database named after a simple calculating tool, and turn around and make all your claims about aggregate information only into a big fat steaming load of shit.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.
  • Well, thankyou Security Space for letting me know which addresses/sites to block at the firewall!

    I've been too lazy to actually set it up, now I have a nice neat little list that will make my web browsing "crap free".


  • BTW, the IP is: 23.75.345.200

    Instead, they should have used, say, 192.168.x.x?

  • by Anonymous Coward
    Start off with akamai.net... now there's a WHOLE BUNCH of web bugs there! Man, I can't even go to cnn.com without those damned Akamai people knowing exactly what I'm doing!

    And that wunderground.com place... what kind of shady organization is the Weather Underground? Are they the people who always make sure that it rains right after I go through a car wash because I carry a cellphone with me? The feds should shut them down!!

    Seriously... all they did was search through a bunch of web sites and counted the number of resources (images, frames, etc) pulled down from other sites. This means nothing, because the original web site already has access to everything the other sites do, if not more! If your goal is hiding from marketing people, I suggest the following acl:

    access-list 100 deny tcp any any 80
    access-list 100 permit ip any any

    This will block most traffic that could cause your Web privacy to be breached, protecting you, yourself, from the distant chance that someone, somewhere, might want to know what your computer, in specific, is doing. And note that I said "your computer" -- the web site has no idea who you are, where you are, how to contact you personally, or how to distinguish you (as in, yourself) out of all of this.

    'sides, the worst that'll happen is your computer will start getting USEFUL banner ads that you'll WANT to click on, because it's for something you'd like. And what's the problem with THAT?

    Whew. First slashdot post in awhile. I think I'll leave this one anonymous ;-)
  • As my hostname contains the following information; Where i study, and therefore which town and country and more importantly it also contains my whereabouts down to my roomnumber, so I'm not that hard to track based on it, I find it rather relevant.
  • If someone responsible can find out who is visiting a site that posts illegal information, then they can get better data on how to fight that particular crime.

    From there it's not too long until someone realizes that someone "responsible" can find out who is visiting a site that posts unpopular informaiton so they can get better data on how to fight that thought crime. It's just a another step until unpopular becomes "unamerican," and suddenly your curious browsing of, say, the World Socialism [worldsocialism.org] pages lead to you answering the question, "Are you now, or have you ever been a communist?" You need real privacy to listen to free speech. Without privacy, free speech is worthless.

  • ...that the US DoJ's hotshot young lawyer is going to use the Little Doctor on them?
  • Bundle, package and commoditize your own personal information into a privacy object that can be sliced into smaller sub objects and sell or lease that package to whomever wants to pay you for it.
  • You are making your living in an unethical manner. The sooner that you "get out of dodge", the better.

    You are aware that "I'm just following orders" is known as the Nuremburg defense? It is not an excuse for actions that are deeply harmful to society. As for "mak[ing] enough to feed myself", being on welfare is more honorable than being a spammer, and the unemployment rate is still so low that most warm-blooded life forms should be able to find a better job than that.

    In my view you do not have "something decent on your resume". You have a black mark. Your resume identifies you as a professional spammer.

  • That should be "Microsoft: The Biggest Web Buggerer"

  • There are other causes as well. For example, people who have set up a web site on GeoCities, Xoom, or wherever frequently make copies of their site by saving pages with their browser. This includes any code that was inserted by that service, whether for advertising or for site features such as counters and statistics, or even clip art. When they decide to move their site to another service they upload these copies -- including all the stuff the old service inserted into the pages. As long as nothing overtly breaks, this sort of stuff just accumulates as pages get moved or updated.

    If you're asking youself why anyone would be so stupid, recall that all these page hosting services provide tools for building web pages; the average person with a web page knows little or nothing about HTML, and so doesn't have the slightest idea that some JavaScript appended to their page isn't necessary, and in fact wasn't actually part of the stored page in the first place.

    For example, GeoCities inserts a web bug to give each user statistics concerning their web pages and to provide an optional counter. The bug is useless outside of GeoCities, yet I see it fairly frequently on other services. The same with Xoom's counter code, and so on. I suspect in most cases the "foreign" appearances of these bugs just represent noise to the site of origin.

  • is equal to when I go buy ZeroKnowledge or full anonymizer services, less five minutes. Frankly, I'd be surprised if there isn't some of that already going on (naturally, NetZero and the like, but I mean normal, paid ISPs)

  • This was probably on the same level as using 555 as a telephone exchange on TV.
  • Hey Lenny! Great anti-spam page. Spammers are up to $4.50 on goto.com [goto.com]! Slashdotters, start clicking the link below to make spammers pay. Click this link to make spammers spend money! [goto.com]

    Obligatory on-topic message:

    Visit Junkbusters [junkbusters.com] and view information on Web Bugs [junkbusters.com].

    The industry uses the euphemism "clear GIFs" to describe web bugs. Search for "clear gifs" in a search engine as well as "web bugs" if you're after more information. I use TopClick [topclick.com] because it is a privacy-respecting search engine that doesn't use cookies and I have found it to be very good.

    *** NEWS FLASH ***
    Congress to investigate Web Bugs. More details here [internetnews.com] at intenetnews.com [internetnews.com].
  • Oh, kinda like how phone numbers in most movies start with 555 (an invalid prefix, or at least it used to be, not sure if it still is)

    Instead of using numbers above 255 for fake IP addresses, they should use numbers like 192.168.X.X, 10.X.X.X or other similar numbers assigned to local networks. The clueless won't know the difference. The clueful will appreciate the 555-like nature of the address and won't embarrass themselves for apparently laughing incongruously in a serious scene.

  • actually, for a second when i saw the title of the story, i thought it was talking about buggering web pages.

  • They can't be mapped to your physical address, phone number, etc. without a call to your ISP

    Umm... and what do you think happens when you oder something online from one of these sites that has the web bug?

  • The above post is a Micro$oft troll. Typical M$ - turn the facts on their heads and assert the opposite of the truth: enough folks will believe you, if you _sound_ sincere.

    In fact, Linux based (i.e. Apache) Internet servers gained market share _faster_ than M$ last year, according to IDC. It has been well reported here and elsewhere.

    What's worse, this same approach seems successful in pulling the wool over the eyes of a whole US Appeals Court on the DoJ vs M$ antitrust case!

    Anyone got the email addresses of the US Appeals Court judges hearing the DoJ vs M$ Antitrust case?

    Is there any process available for impeaching Federal judges for rampant cluelessness in office?

  • FYI: the correct English verb for loss of money, market-share, whatever, is "lose" not "loose" despite Slashdot's spelling dysfunctionalities. Cmdr Taco is guilty of this.

    If all you children want to hack software, fine. If you want to talk about it amongst the rest of us well educated adults, then learn to hack English appropriately!
  • Well, if you know that they not only surf blowjob-related pages, but also interracial hardcore pages, you can recommend the oral "services" of a "talented" immigrant from your favorite ex-commie or capitalist dictatorship nation.

    And don't you think your wife wouldn't pay for that info, too (if you give me a twenty, I'll tell you what she paid for it).

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • AC said: "I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks."

    If you e-mail me your snail mail address and agree to sell out your company - that is, take as much proprietary information from them as you can and put it on the web, publish their name, basically be a real whistle-blower, I'll mail you a check for $50. It's not much, but it's what I can do right now.

    Just following orders is not an excuse and never has been. You're making a moral choice, and by your own admission, you're making the wrong one. You're not only hurting your company's targets, but your own sanity by doing something you know is wrong. Ghandi said: "Almost everything you do is meaningless, but it is still important that you do it." These are words to live by.
  • It is like those darn marketing people. Always wanting numbers and statistics from people like me. I work in a good sized (250000+ users) ISP and this is always a hot topic. Maybe if we follow people around on the web, we can market things at the more effectively. It makes me sick. What do you do with these marketing people anyways?
  • Iframes will probably allow cookies for a short amount of time after browsers fix a similar problem for images

    I also heard someone tell me that some linkexchange ads were at some point in order to allow linkexchange to update the entire banner code whenever they needed to

    Actually, the main reason for the script src seems to be the same as for iframes: allow the ad to set cookies, where a simple image couldn't. Just try it in netscape: In Edit->Preferences->Advanced, check the box labeled "Only accept cookies originating from the same server as the page being viewed", and watch how it still lets pass cookies attached to all kinds of includes, such as scriptsrc, iframe etc. Seems only cookies from offsite images are blocked.

  • ...as in, I say there old chap, bloody Microsoft seems to have gone and buggered my web page again.

  • Oh great.. Now microsoft is gonna invent a cure for the common cold, and prohibit anyone from making their own boogers..

  • Web Standards are for content creators to adhere to, not for browsers to enforce. Browsers should show standard compliant HTML according to the standard, and everything else, they should make their best guess on. Because when it comes right down to it, Joe User (such as, oh, for instance, me) just wants to read the page. They don't want to hear "We could render this page, but won't because there's no </html> tag." Not that many people complain "I hate this product. It doesn't break when it's supposed to."

    I agree that web tools should output standards copliant HTML, for precisely the same reason - people don't want to fuck around with this shit, they just want it to work. The best way to do this is to only output well-formed files, but load and display any mess of angle brackets that you can figure out.
  • I parsed it as `Microsoft biggest web - bugger'.

    `Bugger', asides from referring to someone who sodomizes others, is also colloqially used in Australia as a curse.

  • On http://truc.hypermart.net/ [hypermart.net], a "random" link exchange site, I see an iframe, not just image. Iframe ads are annoying for several reasons, although I doubt advertisers use them just to be annoying.

    - IE4 (but not later versions) will replace an entire page with a placeholder page if you go to a site with a missing iframe.

    - If you try to block the hoster of an iframe using a "hosts" file and you use Mozilla as your browser, you get an alert each time you visit a site with a missing iframe. Hopefully this will be fixed in bug 28586 [mozilla.org] by implementing placeholder pages for all missing pages.

    - Iframes will probably allow cookies for a short amount of time after browsers fix a similar problem for images, simply because it takes more coding to fix the problem for iframes. (Have any major browsers fixed the cookies-on-images bug?)

    - Iframes allow Java ads, such as the infamous punch-the-monkey ad. (Jason Kersey removed all ads from mozillazine.org, and I think he did that because people complained about that ad so much.) LE doesn't seem to use Java ads at this point, although I have seen several "fake dialog" ads there.

    I also heard someone tell me that some linkexchange ads were <script src="something.linkexchange.com"> at some point in order to allow linkexchange to update the entire banner code whenever they needed to. I think this might have just been a rumor -- can you imaging what a cracking target that would turn linkexchange into? Can anyone confirm or deny this rumor?

    Btw, why is it that when I click a linkexchange banner, the site linked to almost never has a linkexchange banner itself?
  • However, Microsofts Booger would undeniably be placed behind a glass case, where we may only look at it, and marvel at the massive size. However, the booger of your average open source company would be completely moldable and customizable.. You could choose your own color, wetness, and basic shape, plus, it would come with free instructions on how to make your own boogers! Yay!
    -Dan Posting without reading what I just typed, or checking for any coherent message, or spelling, or anything since... 3 minutes ago.
  • So, how do you "customize content" without "tracking where people go"?

    By doing exactly what they say they are doing... "accurately identifying the geographic location from which users access your Web site".

    Akamai has servers distributed around the world; whenever there is an incoming request, it gets passed to the server closest to the user. Simply looking at which server is handling the request allows akamai to customize content based on the geographic location of users.
  • The trend is moving away from individual rights. This stuff has been going on for some time, and the marketing droids are just getting better at it. I'm sure MS uses this to "make their sites and products better" but it's a bad sign that users just don't seem to care.

    Get ready for hooks in the os that work with web site tracking tools. Not far away.
  • You can find a good article on web bugs here. [foxnews.com] If you do a Slashdot search on web bugs, it'll come up with some previous articles [slashdot.org] on them.

    Hope this helps.

  • Just because an image doesn't come from the same server as the page doesn't make it any more or less likely or more or less capable of tracking your usage. These stats are fully bogus and give you no real idea of who is tracking what. More information is tracked on the same server that hosts the page than is tracked on the ad server I will nearly garuntee that.

    Basically people you need to realize that marketing knows what you are doing and they use this to make more money off of you. Furthermore you need to realize that they make more money off of you by providing you advertising of something you actually want. Is this awful?

    Another thing to realize is that none of these companies does a very good job at using the stats they collect. Few if any companies provide an automated targeted ad system. Few if any have solved the problem of sorting these large lists of numbers.

    I mean how scared can you get when you get 3 calls a week from the phone company asking you to order phone service that you already get. They don't know what you are doing because there is just to much info.

  • Proof positive I need to drink at least one cup of coffee before reading /. after waking up. The thought of M$ being invovled in some sort of webcam-of-giant-booger, and what nefarous reasons they would have, dude, that's just wrong. :-)

    News for geeks in Austin: www.geekaustin.org [geekaustin.org]
  • You are kidding, right? It is trivially easy to associate web bugs with your email address at the very least. Of course, it requires that your email client supports HTML, but most do these days.

  • You should. see this [arsdigita.com] missive from Phil Greenspun. Scan down to the section that says "I want to know the age, sex and zip code..."
  • For all those worried by this, head to Freshmeat and grab Junkbuster. I've been running it for over a year now. A select few sites are permitted to set cookies (Slashdot for example), the rest are blocked, as are 99% of the banner ads on all sites. Browsing heaven!


  • If you feel the need, use a proxy program that can "fix" the incoming HTML to recognize web bugs and "neuter" them.

    I use this feature with the Proxomitron, [cjb.net] a proxy that greps incoming HTML for bad stuff and replaces it with good stuff. I now have my copy looking for web bugs, and modifying the HTML to eliminate them. Specifically, I have it searching for IMG tags that include height and width components that are both five pixels or less. Instead of removing the image (which would cause severe image alignment problems) I simply replaced the SRC= with SRC=.\black.gif, which is just a small black image that gets stretched to fit the requested space. Extra benefit: no waiting for the HTTP connection to the web bug server! The local .GIF loads instantly.


  • I remember Microsoft used to offer certain levels of access to MSDN (The Microsoft Developers Network) as long as you put a IE Logo on your web page in the form of a link to theirs. I used to think it was an exchange of information that should already be available for free and free advertisement. Now I finally see their real reason for doing this - maybe.

    P.S. TANSTAFL == There aint no such thing as a free lunch

  • Notwithstanding all the previous posts that pointed out the foolishness in assuming 'anonymous' tracking will stay 'anonymous', I think you're missing the real point...

    'Anonymous' tracking isn't harmless by any stretch of the imagination.

    60% of people who visit the SMAP fanclub homepage visit pages on ecstasy parties within 2 hours afterwards.
    Omigod. Call your congressman. SMAP causes drug abuse!
    28% of visitors to the XYZ health center visit pages on abortion access.
    Where do you get your funding, XYZ?
    And, of course, there is a 93% correlation between readers of /. and visitors to the pages of the SPCJK (society for the promulgation of cruelty to jonkatz).

    *They* don't care about *You* anyways. *You* are insignificant.
    But if they could learn how to manipulate/control/smear the whole lot of you, now that would be worth something.
  • From what I understand, it's more of the same cookie=bug nonsense, although they have a good reason to think so.

    To elaborate on that, they are talking about those lovely cookies that places such as amazon.com and banner ad hosts such as doubleclick put place on your drive in order to indentify you for whatver reason (to track buying patterns in order to serve up custom-talored ads is the first thing that comes to mind).

    As for an actual "bug" that tracks every site you visit and then processes or sends it somehow in order to do something such as physically locate you and find out who could be "trouble", well, that's just hype.

  • Well, you could put them all in a line and test out how many people a real railgun [mtu.edu] could shoot through.

    It's not without purpose either! Based on the result, iD Software would be able to make the next Quake's railgun more realistic.

  • Sup guys... my ISP, @home, has a proxy installed as my default proxy for web traffic and I am wondering if this could cause a problem--eg: they watching everything I do, etc. Also, would anything "necessarily" bad happen if I choose to disable this? I would worry that they log all my traffic for use in some huge conspiracy, but its much more likely they use it for advertisements... any aid with problems with the @home proxy and if there is a problem with disabling it?
  • feeding the trolls again, I am.

    Since you've convinced yourself that the real value you and your employer seek can only be found in paid for systems, excluding BSDI, may I recommend you look further at AIX?

    At least IBM is contributing to the community that does find value in open-source/free-software, while continuing to improve the AIX offering. Technologies like LVM and JFS, for instance, and others, make AIX a great system. Granted, it still uses CDE, but I expect that'll change, and you can always load your own, or go with that free one, GNOME, like Solaris is choosing to use.

    Thanks for voicing your opinion, now go and spend your employer's money. Spread your deathknells for BSD elsewhere, we don't need 'em.

    See, you can't kill a free-software (or alternatively, BSD licensed) operating system as long as people continue to use it or work on it. A proprietary operating system can be killed by the company that sells it, but as long as one person uses the system, and one person develops for it, it's a live system.

    Now excuse me, I'll be installing Darwin for Intel and OpenStep 4.2 as dual-boot on the same machine. Not exactly free software, but definately open-source, and certainly not dead.

    A host is a host from coast to coast, but no one uses a host that's close
  • I'm not all that worried about the connection of MS to web bugs, etc. I am not even that sure that they are the largest benefactor, although this makes sense.

    After all, they give me plenty else to worry about [slashdot.org]. (My thoughts here [slashdot.org])

    Don't worry, just a bad case of caffiene deficiency syndrome.

  • How alarmist can you get without actually providing any facts?

    Even if they are able to track everything perfectly, no one has time to sift that information for anything other than the blandest types of information. Given that all the marketing efforts in the world don't seem to be able to consistently deliver well-targeted ads to either my real mailbox (most of these don't even have my name spelled correctly) or my emailbox assures me that it will be some time before there is really an issue here.

    I'm far more worried about the very real news that the FBI engages in constant stings (and in the process may be one of the major providers) for child pornography. I'm a lot more concerned that European police are actually arresting people for "crimes" like using Napster or writing software like DeCSS. In the end, we have much bigger privacy worries with police forces using extremely sensitive infrared, microwave, and other devices to scan our houses (so much for curtains) and maintaining computerized, nationalized databases on citizens (just wait until some hacker manages to get a few good FBI or IRS files).

    You say you're glad to not live in the US, so which country can I join you in where freedom is eternal, easy, and government mandated?
  • At least in Los Angeles they've started using it. Not sure about other places.

    Is that what the girl at the bar told you when you asked for her number?

  • A recently released web bug report [securityspace.com] shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization.

    From the data presented, it seems LinkExchange is the most common "web bugging" service. But that's what it is, a service. The companies paying for LinkExchange ads are the ones driving the "bugging". Without companies wanting to advertise and do business cheaply on the web there would be no LinkExchange/bCentral. Just because LinkExchange seems to be the most popular of web ad services doesn't mean it's some evil MS plot to bug the world. It just seems to be doing good business. If you ran an ad service, wouldn't you dream of the same?
  • YES, it slows my surfing. I have to DNS lookup the server, contact it, make a GET and retrieve the image.
    It sums up to a lot of packets.
  • All I know is that Andrew Wiggin has the best shot at taking out the damn things once and for all.

  • Those aren't equivalent. An octet greater than 255 is just outright impossible. Someone keying in a non-routable IP address (e.g. 10.x.x.x or 192.168.x.x) during a flick would be more equivalent to a phone number starting with 555, and less likely to be laughed out loud at :).
    • Then don't watch cable/satellite TV. Those companies all know EXACTLY what you're watching at every second of the day.
    • Then don't use a credit card. Those companies know exactly what you buy, where, and when you buy it.
    • Then don't use a bank. They know exactly how much money you make and where it comes from.
    • Then don't use a telephone. The telephone companies knows exactly who you call, when, and for how long.
    Get the idea? Lots more more personal, and more in-depth information is gathered about you EVERY DAY from MANY sources. Ad banners are NEGLIGIBLE when compared with any one of these other sources of information gathering.

  • One of the other summaries was server market share theft/upgrades - or how many servers were switched from one type of web server to another.

    The interesting thing was that while Apache still has the lion's share of web servers in the survey, it has been losing ground to IIS. Given all the hacks on IIS-based servers recently, this is an unsettling trend.

  • Where does "free" as in open information end, and private information begin?

    The ISP is doing this service: connects me to the internet, hosts a lot of the sites I am reading, protects me from spam.

    Knowing traffic on certain sites helps my ISP do that.

    This information, if properly anonymized, is a useful commodity to other net firms as well, and helps them to provide us with better service.

    If someone responsible can find out who is visiting a site that posts illegal information, then they can get better data on how to fight that particular crime.

    It is up to users to determine where this technology is applicable. But I wouldn't dismiss web-bugging as a tactic out of hand.

  • Imagine being a programmer developing a dynamically generated page. Frankly, I'm more interested in seeing if the output is correct -- the last thing I want is to have the page not render at all because it's "invalid". What if you actually did produce a valid document, and the browser's validator was buggy? It's much easier for everyone if the browser just renders the damn page.

    But that leads to the worst outcome of all: unpredictable results.

    The one way you can be sure that a web page will work properly everywhere, is if all browsers follow the standard (any standard; I don't particularly care whose). Otherwise there are going to be pages that break some places and not others, and that means higher development costs, testing costs, and lost visitors. An awful thing for the industry (though perhaps a great thing for amateur-hour FrontPage mavens).

  • my ISP, @home, has a proxy installed as my default proxy for web traffic and I am wondering if this could cause a problem--eg: they watching everything I do

    If they cared what you do, they could watch your traffic with roughly equal ease whether or not you used the proxy.

  • This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.
    What exactly do you think Akamai does, aside from providing infrastructure? Do you think any MBA in his right mind would go for such a one sided business model? As long as you're delivering content, you might as well track it, or so the thinking goes.

    And now for a highlight from akaikai.com -- In today's fierce competition for Internet eyeballs, customized Web site content is big news. Customizing your content to individual end-users makes your site more relevant, enticing visitors to stick around longer-and come back more frequently. Akamai's EdgeScape service enables you to make customization a reality by accurately identifying the geographic location from which users access your Web site and the network origin of the user's request. So, how do you "customize content" without "tracking where people go"?

  • True, but even without a webbug, anyone with access to the server logs could do this....so why the fuss about webbugs?
  • Wouldn't it be possible to patent or copyright your surfing habits? You could say that your surfing habits are an artwork made by you, and therefore belongs to you. If the web ad companies use the information of your surfing habits, you would be able to sue them for copyright infringement or make them pay you licencing money for using you patent. Stranger things have been patented lately, so it doesn't seem *too* impossible.

    This would not only make it possible for us normal web users to make a few bucks, but should also shut down this act of privacy violation rather quickly!
  • by ChaosDiscord ( 4913 ) on Thursday March 01, 2001 @08:34PM (#390917) Homepage Journal
    Advertisers are very interested in connecting those anonymous statistics to real people. DoubleClick actually did so [usatoday.com], but stopped after a public backlash. But they will try again, it's just a matter of time. In the meantime, whenever you enter contact information for a web site, that site may decide to sell that information to someone like DoubleClick. Advertisers really want this information, and they'll keep trying until they get it.
  • by ChaosDiscord ( 4913 ) on Thursday March 01, 2001 @08:43PM (#390918) Homepage Journal
    Perhaps because they have an effective wall between the editorial staff and the advertising staff, thus ensuring that editorial policy (as much as Slashdot has such a thing) is not tainted by advertisers?
  • by ottffssent ( 18387 ) on Friday March 02, 2001 @12:03AM (#390919)
    Microsoft: The Biggest Web Bugger, eh?

    Yeah, I think we can all agree that Microsoft has buggered the web...
  • by B.D.Mills ( 18626 ) on Friday March 02, 2001 @02:09PM (#390920)
    You are correct.

    Another way would be to put a web bug in the e-mail that the site uses to confirm the order.

  • by Malcontent ( 40834 ) on Thursday March 01, 2001 @10:17PM (#390921)
    You may be right. After all It's not like Microsoft is some giant corporation with hundreds of subsidiaries, thousands of programmers, or terrabytes of storage at their disposal.

    How could they ever muster enough money, processing power, database space, and brain power to try and corrolate the information they get from web bugs, sales at one of their subsidiaries, registrations at popular web sites like MSN or hotmail or msnbc, and product registrations of office and IE.
    Why that would take millions of dollars and I really don't think MS can afford such a large outlay even if it means making tens of millions selling that information to others.

  • by ahaile ( 147873 ) on Friday March 02, 2001 @08:20AM (#390922)
    Actually, it doesn't even take a form with a GET request. Rather than use a cookie, many sites now encode a unique user id in the URL, often after a '$', like http://company.com/page.htm$USERID. (Sites do this so that they can track session data on you even if you deny their cookie and even if you move across servers or domains.) Since WebBugsAreEvil.com gets this full URL, they now have your USERID at the site you visited and can connect their data with the data collected by the site.
  • by Mojojojo Monkey Inc. ( 174471 ) on Thursday March 01, 2001 @08:40PM (#390923)
    A 1x1 pixel image slows your surfing? You still on a 9600 baud modem there?
  • by Syllepsis ( 196919 ) on Thursday March 01, 2001 @06:51PM (#390924) Homepage
    Whatever...in a toltalitarian police state crime effectively drops to zero, but who wants that?

    By invading the private lives of every american household, and doubling the world's incarceration rate, the US can effectively wipe out marijuana use completely.

    By warehousing consumer data large corporations can market more effectively, that is, convince you that you are not happy w/o their product.

    Time to wake up the populace: Your well being is not a univariate function depending only on GDP growth. Crime prevention will not help your well being if the means outweigh the ends. Does nobody care about search and seizure rights?

  • Particularly problamatic

    from the web bugs FAQ [privacyfoundation.org]
    11. Why are Web bugs used in "junk" Email messages?
    To measure how many people have viewed the same Email
    message in a marketing campaign.
    To detect if someone has viewed a junk Email
    message or not. People who do not view a
    message are removed from the list for future mailings.
    To synchronize a Web browser cookie to a
    particular Email address. This trick allows a Web
    site to know the identity of people who come to
    the site at a later date.

    Spam sucks
  • by miracle69 ( 34841 ) on Thursday March 01, 2001 @05:09PM (#390926)
    They made a movie about it with Sandra Bollock. Industry just got smart after that and made it to where you couldn't see the pi, even if you held down control shift. ;)

    God, that was a bad movie. Thankfully, I don't remember the title.
  • by look ( 36902 ) <look@recursion.org> on Thursday March 01, 2001 @06:23PM (#390927) Homepage
    Yeah, I noticed Google was on the list, too. A lot of people put the canned HTML code that Google provides on their pages to provide search capability. That includes an image, but it doesn't mean Google is tracking users. I think this survey needs more meat. I shouldn't be whether a page includes images from another domain, but only if cookies from other domains are going to the user from a page.

    I could probably whip up a Perl script to do this with libwww pretty easily. I can't believe whoever did this survey didn't!
  • by Anonymous Coward on Thursday March 01, 2001 @11:15PM (#390928)
    This is mostly work related so I am posting anonymously and am leaving out names. I've been with this company for a couple of years and I am working for one of thier clients who wants us to send email to customers as an advertisement. We are supposed to ask the customer first, but heres where problems come in. First of all we have to meet like a quota on this. This is often hard to do because of many reasons including but not limited to people not wanting the email sent to them or not having an email address. You get written up for not making quota, which may get you fired, so it goes without saying that people send the email without asking the customer's permission, or to send multiple emails to a customer so thier count increases and other craziness. When I learned of this policy I asked a friend what they do about this and they said I should do what everybody else does. Send them out to everyone because you'd get in more trouble for not sending them. I am very against the idea of sending people junkmail and I had already started getting in trouble for only sending to those who can get it and want it and missing my quota so I'm emberassed to say I've been doing the same thing as the others so that I can keep my job. I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks.

    So, I was thinking about this and that today while I was sending my stupid spam off and something came to me. I know there was a proposal or something not too long ago that had to do with a unique identifier tagging unsolicited email. Now, if ISP's and telco's are supposed to be equivalent (right?), why is it that I hear you can block unknown callers/telemarketers and stuff on your telephone, but I can't block unsolicited email without trying to filter them individually with a spam filter which seems the equivalent of using your call blocking (which by the way has a limit of a few numbers at least in my area). Even if these aren't the same things I still believe it would be best if there was a unique ID on junk email because it is just as much of a problem to me when a phone rings and its junk or when my mail notify goes off and it's junk. How in the hell these two are different is beyond me but looks like that idea just didn't float anyway.

    As far as web bugging goes, I could care less whatever doesn't steal from me or interfere with my time. Wading through junk does and it's just not fair. I may sound like a hypocrite for saying all this because of what I do at work, but I'm just following orders so I can make enough to feed myself and have something descent on my resume. I may have a fancy job with email, but i don't make much money and I'm a veteran employee. I'm not a moron, just stuck growing up in kind of a redneck area (with scarce IT jobs) and being taken advantage of by the hi tech that came to town. Cheap labor we are for them. I fully intend to get the fsck out out of dodge.

  • by Wakko Warner ( 324 ) on Thursday March 01, 2001 @05:36PM (#390929) Homepage Journal
    ... why have I seen Doubleclick banner ads on Slashdot, if Web Bugs Are Bad?

    - A.P.

    * CmdrTaco is an idiot.

  • by Squeamish Ossifrage ( 3451 ) on Thursday March 01, 2001 @09:48PM (#390930) Homepage Journal
    My goodness. This headline truly made my day.

    It's worth noting that Bugger [dictionary.com] has a few other meanings than "One who plants bugs."

  • by B.D.Mills ( 18626 ) on Thursday March 01, 2001 @09:19PM (#390931)
    Suppose I have my own advertising web site, "WebBugsAreEvil.com", and your e-mail address is YOUR_EMAIL_ADDRESS@yourhost.com.

    I place my bugs all over the internet. You visit a site with one of my bugs on it. This sends a new cookie to you. You now have a cookie from "WebBugsAreEvil.com" on your hard drive. Every time you visit another site with one of my web bugs in it, your cookie is sent to my host "WebBugsAreEvil.com" including the URL of the page that you are viewing. Thus, I build up a detailed profile of your web surfing habits.

    Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

    I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

    <IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://track.WebBugsAreEvil.com/cgi.bin/ping? email_ID=YOUR_EMAIL_ADDRESS@yourhost.com & sequence=1928d4ae1228">

    It's a 1x1-pixel GIF that has a single clear pixel in it; this is where the euphemism "clear GIFs" comes from. You cannot see this GIF.

    When you open the mail, this new web bug is sent to WebBugsAreEvil.com. Because the URL has your e-mail address in it, and it also sends your "WebBugsAreEvil.com" cookie with the HTTP GET request, I can now associate your personal details with your surfing habits.

    In short, it is very easy to remove anonymity.

    I don't know about you, but I find the idea of anyone having this amount of knowledge about me and my browsing habits to be uncomfortably close to Big Brother's surveillance from George Orwell's novel "1984". Is your telescreen on, Winston?

  • by B.D.Mills ( 18626 ) on Thursday March 01, 2001 @06:31PM (#390932)
    Web bugs are usually used in conjunction with cookies to profile your surfing habits. I find this to be a gross invasion of privacy, so I have chosen to fight back.

    It's not hard to stop a site from using cookies as a tracking tool. If they cannot store a cookie on your hard drive, that cookie cannot be used to profile you.

    The way to defeat this is to prohibit the web sites that use web bugs from storing cookies on your computer. A good browser will have security settings that can be customised. I place all web sites that I trust in my collection of trusted sites. These sites can store cookies on my machine. Sites that are not in my collection of trusted sites must go through the default setting where I must approve each cookie with a click before it can be stored on my hard drive. Persistently annoying sites get placed in my collection of restricted sites, which are prohibited from storing cookies. Sometimes, a trusted site that I have omitted gets added to the trusted list.

    If you want to start a database of restricted domains, a good place to start is your cookie collection. You will find a lot of sites that you never visited in that list. Add anything suspicious to the restricted list before deleting the cookie.

    I have only been doing this for a few weeks, so I haven't got any good results to report so far. I'm sure I'll get good results doing this, and I invite others to try it. It does involve a little work, but eventually I hope to have reasonable web-bug-free privacy online.

  • by bradfitz ( 23252 ) on Thursday March 01, 2001 @05:03PM (#390933) Homepage
    See the web bug FAQ:

    http://www.privacyfoundation.org/education/webbug. html [privacyfoundation.org]

  • by cyberdonny ( 46462 ) on Friday March 02, 2001 @12:21AM (#390934)
    Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

    I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

    Actually this extra step of sending a web-bug infested spam is not even needed in most cases. It's enough if the surfer enters his e-mail address into any form on the web which uses the GET method, and which leads to a page having a web bug/banner ad from WebBugsAreEvil.com. The site serving the form does not actually need to be in cahoots with WebBugsAreEvil, apart from the obvious contract for serving its banners. Indeed, with the GET method, form data (containing your E-mail address) will be part of the URL, and thus will be sent to WebBugsAreEvil in the Referer header field. Much more discreet and reliable than sending a webbugged spam, and much more far-reaching too: using the same method, WebBugsAreEvil can collect all kinds of interesting info: First name, last name, home address, all kinds of demographic info such as age, yearly income, hobbies (if user ever participated in a survey having such a form), credit card number (if merchant was foolish enough to have his order form submitted via GET rather than POST). N.B. Even https doesn't protect against this, as this is data that is "intentionnally" sent to WebBugsAreEvil, rather than intercepted...

  • I mean, they have better means.

    Like forcing you to use cookies in Internet Explorer, or rather, transmitting cookies to *.msn.com sites no matter what you configured, containing personal information about your windows installation.

    See also here (http://slashdot.org/yro/00/11/02/1639247.shtml) [slashdot.org]:

    Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

    Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net.

    Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

    For the sake of the privacy of those who must use Internet Explorer: Firewall msid.msn.com. Forever.

  • by cperciva ( 102828 ) on Thursday March 01, 2001 @05:07PM (#390936) Homepage
    Looks to me like they are classifying any inline link to a different server as a "web bug".

    This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.
  • by ziplux ( 261840 ) on Thursday March 01, 2001 @05:07PM (#390937) Homepage
    So, they collect some *anonymous* usage statistics. So what? They can track your web surfing. Who cares? These stats are *anonymous*, people. They can't be mapped to your physical address, phone number, etc. without a call to your ISP and a good reason. These stats help advertisers market products to you more efficently. It saves them money, and you get the see ads that might encourage you to buy something that is really useful to you. So my question is, why do you care?

"We don't care. We don't have to. We're the Phone Company."