Earthlink's Extra HTTP Header
Steve Gibson was apparently the first one to look into this browser serial number. I'm a little hesitant to link to that page, since its contents have changed dramatically twice in the last 24 hours. Gibson initially had a page claiming it was a privacy-invading unique ID. He changed it to include a disclaimer in a large red box, and has now changed it again to display the information Earthlink provided about the serial number. Earthlink provided much the same information to Slashdot after our query.
The header information sent is similar to the codes below. Depending on how logging is set up on a given webserver, they may or may not be logged, but enough server logs are accessible across the net that typing ELNSB50 into any search engine will find examples. (ELNSB50, by the way, apparently stands for "Earthlink Sandbox 5.0".)
ELNSB50::0000411003200258029a01280000000005030028000000000
ELNSB50::0000411003200258029a012d000000000503002a00000000
ELNSB50::0000411003200258029a0132000000000503002800000000
ELNSB50::0000411003200258029a0132000000000503002a00000000
ELNSB50::0000411003200258029a013b000000000503002a00000000
ELNSB50::0000411003200258029a013d000000000503002a00000000
ELNSB50::0000411003200258029a0147000000000503002800000000
Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.
This is what Earthlink sent us about the codes:
field: | bits | description |
reserved: | 14 | future growth |
monitorDepth: | 8 | monitor bit depth |
browserFontSize: | 3 | browser font -- small to large |
connectionSpeed: | 3 | One of 4 categories |
connectionType: | 4 | Modem, high speed, etc. |
monitorHorz: | 16 | horizontal area |
monitorVert: | 16 | max vertical area |
browserViewHorz: | 16 | views horizontal area |
browserViewVert: | 16 | views vertical area |
popID: | 32 | numerical POP ID |
sandboxVersion: | 32 | what version of the sandbox sent this? |
Most items should be self-explanatory. ConnectionSpeed has four possible values: slow dialup (<56K), fast dialup (56K), slow broadband, and fast broadband. The POP ID refers to which of Earthlink's Points of Presence you are dialed up to - which bank of modems you called. The rest should be clear. If you assume each code is a single number in hexadecimal, and the figures above are the number of bits dedicated to each piece of information, they appear to agree well. This table differs slightly from Steve Gibson's version. The differences appear to be minor and reconcilable - Earthlink doesn't seem to like the use of the word "Sandbox" in external publications, but it's their own term for their software and it seems quite appropriate: a closed environment which has all the toys you need and which you don't want to/are not able to escape from. (A screenshot of Earthlink's Sandbox is available.)
While I was looking into this, I also noted (Ethereal strikes again) that Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation - this data is PGP-encrypted, or at least it is preceded by a header indicating that it is. This data is sent whether the user is signing up for a new account or just re-installing the software on an old machine. There is no easy way to determine what information is being sent back without performing a comprehensive disassembly of the software. As of press time, Earthlink has not provided any information about what is being sent to Earthlink's servers when their software is installed.
So, there you have it. Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No.
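The uniqueness argument made in the article can be checked against its own samples. The following is an added example, not code from the article or from Earthlink: it decodes the seven sample codes with the bit widths from Earthlink's table and reports which fields actually differ between them. It assumes the table lists fields most-significant first (which matches the samples); the last 8 hex digits are not described by the table and are kept as `unexplained`.

```python
import math
import re

# Field widths in bits, in the order of Earthlink's table.
# Assumption: the first table row is the most significant field.
FIELDS = [
    ("reserved", 14), ("monitorDepth", 8), ("browserFontSize", 3),
    ("connectionSpeed", 3), ("connectionType", 4),
    ("monitorHorz", 16), ("monitorVert", 16),
    ("browserViewHorz", 16), ("browserViewVert", 16),
    ("popID", 32), ("sandboxVersion", 32),
]
DESCRIBED_BITS = sum(width for _, width in FIELDS)   # 160 bits
TOTAL_HEX_DIGITS = 48                                # 192 bits on the wire
PREFIX = "ELNSB50::"

# The seven sample values quoted in the article.
SAMPLES = [
    "ELNSB50::0000411003200258029a0128000000000503002800000000",
    "ELNSB50::0000411003200258029a012d000000000503002a00000000",
    "ELNSB50::0000411003200258029a0132000000000503002800000000",
    "ELNSB50::0000411003200258029a0132000000000503002a00000000",
    "ELNSB50::0000411003200258029a013b000000000503002a00000000",
    "ELNSB50::0000411003200258029a013d000000000503002a00000000",
    "ELNSB50::0000411003200258029a0147000000000503002800000000",
]


def decode(value):
    """Split one ELNSB50 value into named integer fields."""
    # Log files and web pages sometimes break the long value with spaces.
    text = re.sub(r"\s+", "", value)
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    if len(text) != TOTAL_HEX_DIGITS or not re.fullmatch(r"[0-9a-fA-F]+", text):
        raise ValueError("expected %d hex digits, got %r" % (TOTAL_HEX_DIGITS, text))

    number = int(text, 16)
    total_bits = TOTAL_HEX_DIGITS * 4
    tail_bits = total_bits - DESCRIBED_BITS          # 32 bits the table omits
    fields = {"unexplained": number & ((1 << tail_bits) - 1)}

    shift = total_bits
    for name, width in FIELDS:
        shift -= width                               # walk down from the top bit
        fields[name] = (number >> shift) & ((1 << width) - 1)
    return fields


def varying_fields(values):
    """Return {field: sorted distinct values} for fields that differ at all."""
    seen = {}
    for value in values:
        for name, number in decode(value).items():
            seen.setdefault(name, set()).add(number)
    return {name: sorted(v) for name, v in seen.items() if len(v) > 1}


def observed_bits(values):
    """Crude upper bound, in bits, on what distinguishes these samples:
    log2 of the number of combinations of the values seen per field."""
    return sum(math.log2(len(v)) for v in varying_fields(values).values())


if __name__ == "__main__":
    first = decode(SAMPLES[0])
    print("monitor: %dx%d at %d-bit colour" % (
        first["monitorHorz"], first["monitorVert"], first["monitorDepth"]))
    for name, distinct in varying_fields(SAMPLES).items():
        print("%-16s varies: %s" % (name, distinct))
    print("distinguishing bits in this sample set: <= %.2f of %d"
          % (observed_bits(SAMPLES), TOTAL_HEX_DIGITS * 4))
```

Only the browser view height and the sandbox version differ across the samples, so the 192 bits on the wire carry only a few bits of distinguishing information here; seven samples is a small set, and the figure is a bound on this set only.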
software phones home (Score:1)
Let alone the HTTP header, the installation transmission seems to be an issue. It's not the first time I see software doing it, and I'm getting sick of it. I don't want my software to "phone home" every time it's installed or run. That's when I jumped in the open source/free software bandwagon. I won't run ANYTHING without the source code available. Granted, I will not always CHECK the source code, but at least I can.
CC/PP (Score:1)
Timely article. W3C just advanced a working draft [w3.org] of CC/PP to Last Call.
It stands for Composite Capabilities/Preferences Profiles. It's a language that your browser could use to describe its capabilities and your preferences, e.g. "32-bit display, 800x600 browser window, PPC hardware, no applets."
The idea is, of course you want the server to know what you've got, so it doesn't send you useless content. Like it or not, your browser will be having deeper conversations with servers, pretty soon.
...On the other hand, this language (CC/PP) looks too complicated to use.
I'm a web developer. If I'm on the server, I want to deliver content to the browser and let the browser format it appropriately, taking into account resolution, window size, color depth, user colorblindness, and so on. Heaven knows I don't want to write an IF statement for every possible pipe size.
There just needs to be a way for me to write "you've got a choice-- low-bandwidth or high-bandwidth media; 8-bit or 32-bit images" using tags in my HTML, and the user's browser should decide what to do with that information. Often it can just pick the best alternative for that client. If not, it can always just render two links and let the user choose.
Re:Macintouch shows even more info divulged (Score:1)
A few comments.... (Score:2)
The headers: Well honestly, I had heard about them maybe 48 hours before the story hit
Sky Dayton and Scientology: OK, Sky Dayton is a member of Scientology, and he's our chairman. Now, does that mean the whole bloody company is committed to said belief system? Of course not. From what I know of Scientology, we sure don't run our company based on their ideals. Check: http://www.earthlink.net/about/mission.html [earthlink.net] if you wanna know what kind of beliefs we use in day-to-day business (and we may not be doing our best in all those categories, but damned if we're not gonna fix that). And our people are really cool - Carter Calle, Mike McQuary, our TS managers - they rule.
Re:The real issue (Score:2)
Earthlink could do themselves a big favour by revealing exactly what is being sent.
We can make several guesses based on the fact that it is encrypted. It is encrypted because:
3 is unlikely (why spend money for a totally unnecessary feature). Since I have no idea what sort of information is entered for installation, I'll guess 1.
In the case of 1 or 2, they'll never give enough information to verify any of it. If it is 1, that's with good and honorable reason.
Re:The real issue (Score:2)
Rabid paranoia aside did you ever think that maybe they want to protect their users privacy, and that's why it's encrypted?
Actually, that's exactly what I listed as probability #1 (and my best guess). Now, whose rabid paranoia were you referring to?
Why need this information? (Score:3)
The only thing that it would seem to me is that it is because Earthlink has poor web page design (not browser, their internal web pages!) that they require to know 1) what speed you can handle , as to adjust A/V content as to suit your connection speed, 2) what your screen layout is as to probably used fixed width tables effectively in the HTML layout, and 3) where you are located in the country (via the POP bank info). Neither of which is even necessary if you follow HTML 4 specs, with effective use of the OBJECT tag, relative table sizes, and use of the standard HTTP header and/or cookies, respectively.
In other words, their customized browser appears to be covering up for lame web page designers.
Re:Horrors! (Score:2)
I stand corrected.
Re:Horrors! (Score:3)
They invade your computer, grab some personal information and encrypt it, then send it back to their servers (without your knowledge). You find out about this, and find a way to decrypt it. You find out they've taken a LOT more than anyone would want them to, so you publish your findings. They don't like this (it's bad press) so they sue you under the terms of the DMCA (the material was "protected" by encryption, and decrypting it for any reason is illegal...)
Sad state of affairs in this country. Very, very sad.
Causes Extra Bandwidth? (Score:2)
Re: (Score:2)
for anyone too lazy to do it themselves.... (Score:3)
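while (<>) {
    # Drop whitespace and the optional "ELNSB50::" prefix, leaving the hex digits.
    s/\s+//g;
    s/^ELNSB50:://;
    # First 40 hex digits: 32 bits of packed flags, four 16-bit sizes, two 32-bit values.
    ($misc, $monx, $mony, $browsx, $browsy,
     $popid, $sand) = map {hex} unpack("A8 A4 A4 A4 A4 A8 A8", $_);
    $res = ($misc & 0xfffc0000) >> 18;   # reserved, 14 bits (mask widened to cover all 14)
    $dep = ($misc & 0x0003fc00) >> 10;   # monitorDepth, 8 bits
    $fon = ($misc & 0x00000380) >> 7;    # browserFontSize, 3 bits
    $spe = ($misc & 0x00000070) >> 4;    # connectionSpeed, 3 bits
    $typ = ($misc & 0x0000000f);         # connectionType, 4 bits
    print join("\t", $res, $dep, $fon, $spe, $typ, $monx, $mony, $browsx, $browsy, $popid, $sand), "\n";
}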
Re:As A Web Designer (Score:2)
Take a look at www.microchip.com [microchip.com]. On every page they serve, they have a unobtrusive link called "Page Options" at the top where you can choose what page you want to get: text only, graphics or Java frame. As it turns out, I use all three versions from my university ethernet connection, depending on if I want the heavy-duty search in Java (like a MSFT help search, index, etc box), I just want to browse (I'll use graphics) or I really need something fast (text-only). It's not polite to NOT give these choices to the user!
It works great! I don't know how much more it costs them to do this, but it definitely makes for happy customers. Each version is based off a different root directory on the server and all three are probably generated automatically without the web designer having to think twice.
As far as having something else to do, generally it's looking at one or two other active Netscape windows.
Re:More proof we need government intervention (Score:2)
This, unfortunately, is EXACTLY why many of us disagree with your subject line...though your suggestion of a good privacy law is not unreasonable, the fact is, US Govt. Inc. has been showing itself more likely to do harm rather than good when it interferes. After all, the DMCA (for example) and the Indecent Communications Act [Yes, I called it that on purpose :-) ] were both, arguably, intended to protect artists and/or children...but only served to attempt serious harm to the rights of US internet users (and, indirectly, internet users elsewhere in the world). The CDA was fortunately swiftly slammed. I can only hope the DMCA is next, but fear there's too much money pouring in through lobbyists to fix it completely.
Given this track record, I'd be worried that the hypothetical "Internet Users Privacy Act" might contain provisions to, say:
---
"They have strategic air commands, nuclear submarines, and John Wayne. We have this"
Re:As A Web Designer (Score:2)
I disagree about as strongly as it's possible to disagree. Content negotiation is a Good Thing(tm).
Here's an example: when I go to a web site, I expect (hope?) that the content of the site will be rendered in English. For large web sites with a multi-lingual user base, that's not always a safe assumption. Fortunately, content negotiation makes that possible.
Apache makes on-the-fly decisions about what content to send based on this [apache.org].
Does that mean that webmasters need to be careful about how they set up their sites if they're using this technique? Sure. But it also opens up a wide range of options.
Speaking on behalf of webmasters everywhere: thanks for telling me how to spend my money. Allow me to suggest that doing two versions of the same image - one at a high bit-depth, and another at a lower quality - isn't too much of a strain on my budget.
Content negotiation doesn't have to be like making the choice for the user. Instead, it can work as a reasonable best-guess. Besides which, I've seen plenty of sites which simply assume high bandwidth (or pathetic bandwidth) and make all the design decisions based on that information. In what way is that giving the user a choice, other than to vote with his feet?
-----
"You owe me a case of beer. Sucka'."
Re:As A Web Designer (Score:2)
Yeah, exactly. Content negotiation is a good thing - when you do it the right way. I couldn't tell you why Google has made the decision to use IP address rather than the Accept-Language header to determine what language to serve up files, but obviously, it has a pretty stupid result.
I'll tell you what I'd really like to see (now that it's just occurred to me) - a "Reject-MIME" heading. That way, if I get sick and tired of watching some hack's Flash movies, I could tell the server not to send 'em to me. Or a "Max-Content-Length" heading, so sites wouldn't shoot 5 meg files at me without asking.
-----
"You owe me a case of beer. Sucka'."
Re: is HTTP_ELNSB50 header negotiation? (Score:2)
You're right: not only is the header not a standard HTTP header (standard compliance good! embrace and extend bad!), it's not even easily accessed by the user.
I didn't mean to suggest that this particular header was a good idea: I meant that content negotiation based on bandwidth constraints isn't a bad one.
-----
"You owe me a case of beer. Sucka'."
Re:Earthlink customer service sucks (Score:2)
Stupid cost cutting can happen anywhere, but perhaps you just hit a peak time.
Caution: Now approaching the (technological) singularity.
Re:Why need this information? (Score:2)
Don't design for the maximum possible screen size. That is very bad manners.
Caution: Now approaching the (technological) singularity.
Re:I would love this feature if it was improved (Score:2)
(Okay, so you can only test capability and not preference...)
Cheers,
Tim
Re:Enough bits? (Score:2)
I think they're referring not to just the number of bits but to the amount of variation ( or lack thereof ) between different headers for that number of bits. Sure you've got 192 bits, but they don't change enough between different users' browsers to be usably unique. Compare that to MS GUIDs, that vary drastically from one system to another.
Information revealed (Score:2)
Actually I don't think the Earthlink header reveals too much unpleasant. In any browser that has Javascript active, any Web page out there can pull out the same information. The only thing they can't is the POP ID, and they can infer that from the IP address you're using if they want to. I don't like that they're sending the info without saying they are, but the info itself isn't particularly distressing. Maybe we need something like P3P but working the other way, telling you what information your browser is going to send and making sure that matches your preferences before sending it?
Re:Horrors! (Score:2)
Don't misstate the DMCA which is bad enough as it is. If a Technical Protection Measure is an effective access control (where "effective" doesn't mean that it works well or is hard to crack) protects a copyrighted work, then you may not circumvent it without authorization.
Earthlink would have a very hard time demonstrating that the information they send is copyrightable because it is just a set of facts about your machine. Therefore, the encryption is not a section 1201 TPM. Furthermore, Fair Use is an affirmative defence.
Couldn't be a good GUID???? (Score:4)
I mean fine, I'm willing to believe Earthlink here, but your suggestion that it's not long enough to be a GUID seems specious. If you look at the numbers we can clearly see that each number can be at least 0-d which implies that it is probably either an 8 bit character or a 4 bit character (i.e. hexadecimal). So, you say:
Microsoft's GUID had 128 bits; a good hash function might have 160 bits;
Well, if each character in that string was a 4 bit number, then you are talking 4 bits in 48 places which means it is at least a 192 bit number. So, your logic seems somewhat faulty.
---
This does solve one problem.... (Score:4)
Re:As A Web Designer (Score:2)
And this is where I always wonder about web designers, including Earthlink. On the one hand, I could understand how some of this could be important if we were talking about sending full-fledged web apps to the user. On the other hand, it appears that what most web designers really want is the ability to send me content that would be far better off rendered as a pdf file. There are exceptions, but most of those are better handled using CSS (and we know how popular *that* sensible solution is). I mean, I know what my preferred fonts and sizes are. I set them up in my browser, and 98% of everybody who *doesn't* try to give me some kind of special web experience and just sends me html ends up giving me something I'm happy to look at. Again, I really wouldn't mind too much if designers at least used CSS consistently, since I can arrange things there so that nothing too horrible happens.
But that leaves all the rest of you, and I'll guess we'll just have to wait until you either learn or lose your jobs.
whats happening to slashdot? (Score:2)
first they remove a post because of the Scientology movement threatening to sue, now they are researching the stories before posting them!!
I remember the old days when this sort of thing would never happen
Re:This does solve one problem.... (Score:2)
checkout: [jonathanclark.com]
http://jonathanclark.com/where.php
--
Re:The real issue (Score:4)
I'm not the original poster, but...
SysInternals [sysinternals.com] has the goods...
Si
Re:Google.com, from non-US anyone ? (Score:2)
Re:The real issue (Score:2)
Oh yeah? Check out HKCU\Software\Human\BodyParts\Boobs\Parameters, and you'll see a DWORD value for it. If you don't, you probably need to fix your registry, because several MS applications will crash if they can't find it.
Re:Not an HTTP header (Score:3)
Re:As A Web Designer (Score:2)
This is bad for two reasons:
1. It's more expensive to design 2 sets of pages. That money should be spent on more content.
2. Sometimes people with slow modems don't mind waiting - maybe they let your site load in the background while they do something else. It's not polite to make these choices for your users.
Darn it (Score:2)
Re:Google.com, from non-US anyone ? (Score:3)
Re:Excellent news. (Score:2)
While this is true today (I, too, set up M$ DUN manually when dealing with any ISP), it may not be in the future.
There have been persistent rumors over the past month or so that ELNK is about to be bought out by MSN.com.
Earthpink's business goal is to become the next AOL. "Sandbox" is an apt word - they market themselves as "the real Internet" (the anti-AOL), but the reality is that they're trying to be AOL.
Re:I would love this feature if it was improved (Score:4)
"Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers."
I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts
Maybe not. (Also offtopic.) (Score:2)
Possibly not. It was also used (no doubt as a throwaway reference) in a storyline in Phil Foglio's _XXXenophile_ comic. (X rated, so most of the M&FB fans will have to wait a few years to view it.)
Phil throws in a lot of references to other works. It's nice to know where this one came from.
Re:The real issue (Score:2)
Nope.
It's likely that the key used is their public key. That way, only their private key can decrypt.
That's the beauty of PGP.
-Joe
Clams are very active these days... (Score:2)
Seems like the quota-hunters moderate everything down which is remotely critical of their cult... Parent is on-topic: this is the very ISP the article talks about, and was a direct response to the question asked in parent! The article was about a header which could have been used for snooping, and the "cult" would gladly engage in these kinds of activities.
Re:You can get this info with a standard browser (Score:2)
Macintouch shows even more info divulged (Score:2)
At random, I chose the browser ID of "000041100320025802940113000000000502000800000000
I don't want my tracks to be available to everyone. I understand that my perusals are logged in my company's system since that's my net connection, but these aforementioned actions are available publicly. That's not a good thing.
Shady irony. (Score:2)
Given this stuff is not actually tracking anyone, but it does carry more information than is at all necessary (Not than any is really necessary.).
Of course, given the history net companies have with privacy, it really is not surprising.
Damn Straight! (Score:3)
Web Designer: What do you want?
Customer: Information!
Web Designer: You won't get it!
Would Proximitron help? (Score:2)
Re:I would love this feature if it was improved (Score:2)
Remember when most sites had a "text only" link? Maybe if the browsers make it easy to identify text-only users then that kind of duality can come back. Right now I think web designers don't want to have to present the text-only question before jumping to the content. But that's laziness more than anything.
- JoeShmoe
I would love this feature if it was improved (Score:5)
It's possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice). You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.
I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.
Re:As A Web Designer (Score:2)
I understand your position. However, as another web designer, I would love to at least have easy access to your preferences. Typically the browser settings would be a good indication of the user preferences. Possibly a better solution would be a "preferences" header. This way each user could set up things like "preferred size", "preferred resolution", "preferred font and size". These could be transmitted to the server and utilized appropriately.
And frankly, as someone who has done tech support, I KNOW that sometimes the experts do have to do the thinking for the end user...
Re:As A Web Designer (Score:2)
In my experience, Javascript is usually a bad solution to whatever the problem is (others would disagree strongly). With this particular issue you have the problem of passing the information to the server (a page load), keeping up with the information while the user navigates (session management/cookies/user tracking of some sort), and the generally not-quite-completely-compatible nature of Javascript (you have to write scripts to check for and behave differently for just about every browser and browser version).
Sure, there are plenty of prewritten scripts to do just that. But you still have to worry about the possibility that the user's browser does not support Javascript or that it is disabled. You therefore STILL have to have a default "blind guess" (as opposed to a "Javascript guess") version.
The HTML headers would not remove the need for a "blind guess" version, but it would solve all the other problems. If it existed, the web designer could count on it and utilize it easily.
Re:As A Web Designer (Score:2)
That's right. It would be better visually many times as a PDF... Or an easily resizable Flash... or, or, or. Right now though, the best thing we have to work with for display is HTML.
CSS is still in the "maybe one day it could be really useful" stage, but it is mostly broken in different ways on different browsers. PDF isn't interactive. Flash is about 90% supported display-wise, but tools for interactive use (such as the PHP-Ming combo) are still maturing and you still have to be concerned with the other 10% of users.
Don't get me wrong. I think pixel perfect HTML is much more trouble than it's worth. However, it's generally marketing that makes the look-and-feel decisions, not us measly nerdy web masters. A HTML header that would give me as a designer a couple more tools to work with would be extremely welcome.
Personally, I'd like to see HTML completely scrapped in favor of something that works well. It's being used for things it was never intended. I picture it as this huge pile of scrap stuck together with bubble gum and kite string. Like Microsoft, massive chunks of gizmos tacked on from every direction that somehow still manages to (mostly) work. HTML is not the best tool for most jobs, but it's the most common and compatible.
Re:As A Web Designer (Score:2)
That's going too far.
What you're looking for is more ways to push style over substance, and I'm asking you to reconsider that position.
What I'm looking for is a better way to manage display. Let's face it, most websites are little more than interactive ads. Sites like this are the exception, not the rule. What you suggest works fine for a content driven site, not for a corporate site where the marketing department is extremely concerned about presentation.
Yes, everyone has different preferences, so how about giving them content they can use regardless of those choices instead of trying to manage the myriad of different user preference combinations that might want to see your pages?
That's precisely what I would like to do. With a little more information on what their preferences are, I can easily generate pages that give them what they want in a way they prefer. Want just the basics? No problem. Want fancy animated graphics? No problem. Want it converted to PDF and emailed to you? I can even do that. But if I don't know what you want, I have to make trade-offs to serve the lowest common denominator.
You don't have to do jack to give the user what they want given the preferences they have chosen.
I disagree.
you miss the point - graceful degradation (Score:3)
Screen size is a matter of "form". A "short fat screen" has a different form factor than a "tall skinny screen", right? A properly designed web page is not constrained to any one resolution or window size. CSS has provisions for layout boxes defined as a %-age of the parent element and for floating elements. If I resize my browser window, the web page should reflow into the available content area, not be locked to a particular presentation.
Do you really want to build a site 4 times to accommodate 4 different ways a user might access it? What happens if a 5th method is developed — do you retrofit all your existing sites? No! Build the site correctly and you only have to do it once!
There never was a duality, except when lazy web designers were involved. Web content is primarily textual. If you have inline images or other media, you're expected to provide ALT text and similar fallback mechanisms. Graceful degradation [anybrowser.org] and device independence [w3.org] are the key, but the concept seems to have flown right over the heads of an entire generation of dee-zyne-ers.
Flamebait != Disagree
Re:I would love this feature if it was improved (Score:4)
Imagine sending your content in a universally accessible fashion, rather than a proprietary format that requires a plugin. Imagine designing a site correctly so that it automatically fits any size browser with no extra work or finagling on your part.
If you recognize here that people want a choice, why don't you recognize their choices (system preferences) in other areas as well?
See above. A good design accommodates variable screen sizes without the need for "detection scripts" and such. You don't need to know the user's screen size.
Similar functionality exists in CSS. If the site uses your system colors [w3.org] it will behave as you describe.
Flamebait != Disagree
Re:Not a Big Deal (Score:2)
Re:As A Web Designer (Score:2)
...and the other way 'round. I have DSL, but I still hate those big pages with all the text displayed as gif, and which I can't read, since my monitor is 120 dpi and it's written with 75 dpi...
I always choose "slow connection" for sites, when I have the choice
Re:CC/PP (Score:2)
I just checked, and it seems to be still a working draft. Given that just about all browsers have basic HTTP, HTML4 or CSS2 bugs, CC/PP can probably wait a while.
More proof we need government intervention (Score:5)
There needs to be a law on the books that prevents the transmission of any information without the user's express consent. I'm not talking about the "If you install this software, you agree to these terms" type of consent, but the "we are sending the following information to our central database: connection speed, monitor type, ..." with a OK/Cancel popup. This becomes important when you start sending things like "We are sending the following to the Microsoft database: Your hard drive's serial number, your mother board's serial number, your up-to-date billing statement ensuring you have paid for this week's use of Windows XP,..."
Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero. We need some Slashdotters in Congress, I guess...
Re:The real issue (Score:2)
90% is too low. No one should believe and report anything they can not verify themselves.
If comments are a guide, the other 10% are making up excuses for the sneaky blood suckers. This is much too high, as are their mutual masturbation +5 scores.
Re:I would love this feature if it was improved (Score:2)
Touch CSS, and watch Netscape 4x become virtually unusable. I would love to use CSS, but I can't for at least another year until NS 4 goes away.
--
Re:The real issue (Score:5)
Yeah, but 90% of /.ers wouldn't believe them anyway.
--
You can get this info with a standard browser (Score:2)
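<script language=javascript>
// Collect display details from standard browser properties (etc etc).
var peek = screen.width + 'x' + screen.height + 'x' + screen.colorDepth;
// Report them to the server as the query string of an image request.
document.writeln('<IMG SRC="/cgi-bin/peek.pl?' + peek + '">');
</script>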
Nothing fancy, but with 4+ version browsers you have some extra info. You can even get plugin info this way.
Which format are you thinking of? (Score:2)
Imagine sending your content in a universally accessible fashion, rather than a proprietary format that requires a plugin.
What vector animation format doesn't require a plugin? Flash is the most universally viewable vector animation format on the Web today. (This may change with SMIL+JS+SVG but we'll see about that.)
All your hallucinogen [pineight.com] are belong to us.
Enough bits? (Score:2)
It's beside the point, but exactly how many bits do you think are in there?
It looks like you have 48 characters after the colons. That's more than enough bytes to encode the bits you say you need to be a unique ID. If each pair of characters is a hex representation of an 8-bit number, then you have a 192-bit space.
Earthlink & Scientology (Score:2)
The rumour is that the server farm is at an offsite location, which only Scientology has access to. The explanation given to the employees of Earthlink about this offsite facility is that it is an "offsite backup" location.
Just something to think about.
Re:Couldn't be a good GUID???? (Score:2)
Re:I would love this feature if it was improved (Score:2)
Re:I would love this feature if it was improved (Score:5)
I want the old internet back.
Re:Horrors! (Score:2)
I am not a lawyer, get real legal advice if you need it. Or just hide your tracks real well. ;)
Judge "DMCA" Kaplan (Score:2)
Re:As A Web Designer (Score:2)
You mean, like in my (not-so offtopic) post ? (http://slashdot.org/comments.pl?sid=01/03/20/1423223&cid=87 [slashdot.org])
In a nutshell, in my case, google.com redirects me to the .fr version based on my IP, regardless of my language settings.
Cheers,
--fred
Re:As A Web Designer (Score:2)
I used to play that kind of trick (mostly by using junkbuster), then realised that I was doing myself a disservice by pushing IE stats. If everybody masquerades as IE, then webmasters will be right to do IE-only pages, as this is the only thing they will see in their logs.
At this point, the User-Agent: rewrite will stop working, because the sites will really be using proprietary IE functionality that will not even exist in Opera. And you will be forced to use IE.
Cheers,
--fred
Re:Browser language preferences (Score:2)
They already provide a bookmarkable link that works for me. It is <http://www.google.com/intl/en>. This one is not redirected, and is in English.
But the big issue, for me, is that they may start to use different databases for various audiences, in which case I may not be able to access google.com content from France, only an English version of google.fr.
So I mailed them anyway.
Cheers,
--fred
Google.com, from non-US anyone ? (Score:3)
Since a couple of weeks ago, my home page, which is www.google.com, is displayed in French. More precisely, www.google.com sends me a redirect to www.google.fr. My browser is set to request only English documents, so I suspected they base the redirect on the IP address.
A quick direct connection shows it:
15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=98510036
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html
<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%
I believe they crossed the line here. I really feel that the fact my ISP is in France is none of their business.
Cheers,
--fred
PS: while I am here, is there any way for me to get back www.google.com ?
Re:As A Web Designer (Score:4)
As a web user, I'd love to smash your head with a 21" monitor.
> Then you could do the high/low quality links for them
Please don't. If I want to download a high quality link on a 56k modem, it is my business. If I want only the lowres from my DSL line, it is my business too.
Web designers should stop trying to think for the users, like Google, which insists that I have the French version of the page.
Of course, you're going to tell me that you would provide a link to the other version of the site, but the truth is that you wouldn't.
Try browsing ati.com with mozilla. Isn't that nice, a 'Web Designer' that makes decisions for its users? (The site sort-of works with Mac OS X Server Omniweb, or lynx, so it is just because they are lazy assholes)
If such headers were common, it would take a couple of years until:
1/ Users will have only one link and the server will choose what content is best for him
2/ Users with browsers that don't give the info will be redirected to a please-use latest IE page.
It has been that way for most web [mis]features.
Cheers,
--fred
Re:Browser language preferences (Score:4)
Your experience doesn't match mine.
See the log below. It is just a telnet to google port 80. I only sent a 'GET / HTTP/1.0' and google redirects me to the French page. Hardly a user preference.
This is recent behaviour, started a couple of weeks ago.
15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=98510036
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html
<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%
Cheers,
--fred
Re:Couldn't be a good GUID???? (Score:2)
This benefits Joe User (Score:2)
Re:As A Web Designer (Score:2)
It would be cool because the designer could make a more intelligent default choice for the user... lots of artery-clogging graphics, or few artery-clogging graphics?
Then again, considering how shitty 99% of web design is, maybe it's better that designers code their pages on the assumption that users have 28.8 modems. I'm freaking tired of graphic design overload and NO content.
Putting your bandwidth in the HTTP request would only be good if...
1. Users could override what goes in the header... for example I have DSL but I hate graphic overload so I'd probably self-identify as a 14.4 modem user
2. Users had the power to switch to the low- or high-bandwidth site.
http://www.bootyproject.org [bootyproject.org]
Re:More proof we need government intervention (Score:2)
I think the original poster came pretty close to hitting it squarely on the head. Note that the suggestion was not that government ban the sending of information. It was proposed that government mandate the revelation of information-mining, so that you can vote with your wallet... intelligently. It's as easy to say "The fewer laws the better" as it is to call for a cradle-to-grave state. Both are failures and abdication of voter responsibility. What we need is the right laws, and their number will fall somewhere between zero and infinity. Though it was said 150 years ago, it's still true:
Sandbox not required (Score:4)
As far as the potential unique serial number not being true, I'm not surprised. Earthlink did stand up against the FBI when it came to installing Carnivore.
BigCat79
Some thoughts on Earthlink... (Score:4)
Secondly, as long as they don't make me use their in house software as a condition of using their service, I don't care what they develop. I like Earthlink because they do actively support LINUX/PPP connections with very little hassle. I understand that these folks are having support issues, especially that they just ate a number of the remaining clueless lusers from mindspring and onemain.com. Oh, and another thing, that Sandbox screenshot is old. Member start pages (that blue page) were changed in Jan/Feb.
Third, has anyone stopped to think that perhaps the PGP encryption during install might be a new subscriber's CC number and other personally identifying information? Wouldn't that make sense?
Re:This benefits Joe User (Score:2)
I agree, but where exactly is that line? And more importantly, is a company going to tell me when they have an itch to cross it? Almost certainly not, which is why we need to nip this kind of behavior in the bud.
--
Re:The real issue (Score:5)
What I ended up doing was having a registry monitoring program called regmon to monitor all registry access, then I loaded up the program and then stopped monitoring registry... I found that they wanted to send a LOT of VERY personal info out.
No real disassembly is needed... load up regmon or filemon (file access monitoring program) and note what it looks at... betcha you would be surprised...
Horrors! (Score:4)
There needs to be some sort of law to prevent these criminals from encrypting our personal information. This is why encryption should be outlawed - since clearly, only outlaws use encryption.
Re:¹Place the link at the top, outside of tables (Score:2)
Re:Browser language preferences (Score:2)
Re:The real issue (Score:2)
Great googly-moogly, a Slashdot editor researches? (Score:5)
The real issue (Score:4)
Earthlink could do themselves a big favour by revealing exactly what is being sent.
As A Web Designer (Score:5)
Do your math (Score:2)
Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.
There are 48 (presumably) hex digits there. Each hex digit represents 4 bits. So the number is a 192 bit value.
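Added example (not part of any comment, and not Earthlink's code): a decoder for the bit counting argued over in "Enough bits?" and "Do your math", applied to the seven sample values printed in the article. It assumes the fields from reserved through popID in Earthlink's table are packed in table order, most significant bit first; the page does not say so, and any hex digits past those 128 bits are returned undecoded.

```python
import string

PREFIX = "ELNSB50::"
# Widths in bits, in the order of Earthlink's table quoted in the article.
# ASSUMPTION (not stated on the page): fields are packed in that order,
# most significant bit first.
FIELDS = [
    ("reserved", 14), ("monitorDepth", 8), ("browserFontSize", 3),
    ("connectionSpeed", 3), ("connectionType", 4), ("monitorHorz", 16),
    ("monitorVert", 16), ("browserViewHorz", 16), ("browserViewVert", 16),
    ("popID", 32),
]
# The seven sample values printed in the article; the embedded space is a
# line-wrapping artifact of the page and is stripped before decoding.
SAMPLES = [
    "ELNSB50::0000411003200258029a012800000000050300280 0000000",
    "ELNSB50::0000411003200258029a012d000000000503002a0 0000000",
    "ELNSB50::0000411003200258029a013200000000050300280 0000000",
    "ELNSB50::0000411003200258029a0132000000000503002a0 0000000",
    "ELNSB50::0000411003200258029a013b000000000503002a0 0000000",
    "ELNSB50::0000411003200258029a013d000000000503002a0 0000000",
    "ELNSB50::0000411003200258029a014700000000050300280 0000000",
]

def decode(value):
    """Split one header value into the documented fields plus an undecoded tail."""
    if not value.startswith(PREFIX):
        raise ValueError("not an ELNSB50 value")
    hexpart = value[len(PREFIX):].replace(" ", "")
    need = sum(width for _, width in FIELDS)
    if len(hexpart) * 4 < need or set(hexpart) - set(string.hexdigits):
        raise ValueError("malformed hex payload")
    bits = bin(int(hexpart, 16))[2:].zfill(len(hexpart) * 4)
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    fields["undecoded"] = hexpart[pos // 4:]  # 128 bits end on a nibble boundary
    return fields

def varying_fields(values):
    """Names of the fields that take more than one value across the inputs."""
    decoded = [decode(v) for v in values]
    return sorted(k for k in decoded[0] if len({d[k] for d in decoded}) > 1)

if __name__ == "__main__":
    print(decode(SAMPLES[0]))
    print("total bits:", len(SAMPLES[0][len(PREFIX):].replace(" ", "")) * 4)
    print("fields that differ:", varying_fields(SAMPLES))
```

Under that assumption the first sample decodes to an 800x600, 16-bit display, and across all seven samples only browserViewVert and the undecoded tail differ.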
Re: It's not even "much" more they find out. (Score:3)
- horizontal and vertical screen resolution/ usable resolution
- monitor depth
What you can't find out with default JavaScript functions is:
- connection speed
- font size (maybe.. dunno)
- POP ID
- Sandbox Version
What you can find out with a little use of brain:
- connection speed (not hardware.. but true speed)
- font size (not sure about this.. signed scripts should make it possible)
- POP ID - well, they provide your service, so they surely know about it
- sandbox version - if you don't use it, they can't find it out.
What they in fact do, is to pool their incoming information into one channel. That's much easier than to collect, analyze and join all the logs from their different dialups and proxies.
So it's not really a bad thing they do. Just a little bit naughty. Not more evil than banner- and counterhosts detecting your resolution and stuff..
Could have published the spec first (Score:2)
1. Notification
I think Earthlink should have published the spec in advance, if for no other reason than to protect their shareholders from privacy scares. Earthlink has invested millions in its 'serf at AOL' campaign. They need to protect their pro-geek branding.
Another reason for publishing is so people can make use of the tag.
2. Standards Approach
As one of the original designers of HTTP, the tag as specified sucks. It is fixed field after fixed field, no extensibility. I think that the idea is fine, but the syntax chosen is not.
First off a non-standard header should have an X- prefix.
Secondly, the scheme does not work for text to voice displays, or for that matter very high definition displays (>100dpi) that are on the horizon. It would be handy to be able to give the monitor size and also the gamma. These are all real needs for real people today, and will be mainstream in a couple of years.
Now there have been folk who have created similar schemes from time to time, none has taken off due to apathy at Netscape and Mr Softy. But that is no real excuse for Earthlink. If they don't like the schemes on offer they might at least state why.
GUIDs (Score:2)
Re:As A Web Designer (Score:2)
I wanted to try the free Earthlink service about a year ago, and when I installed it, it automatically installed their IE5.0 browser over top of what I already had. I was pissed! Their install program never asked me if I wanted to do that. To this day, that old computer of mine has the crappy Earthlink browser installed. I never use it, but I also haven't figured out a way to get rid of it other than a complete reworking of the registry (not a good idea!) to make sure I've eradicated Earthlink crap.
Re:I would love this feature if it was improved (Score:2)
As one of the lead web developers for a large and successful e-commerce site (who will remain unnamed because I'd like to keep my job) I can attest to this fact. The typical concept-to-implementation for a project starts out with our designers having created low-bandwidth, user-friendly, but still good looking designs, our developers having coded it browser-inspecific, and the database people having given us good structure on the back-end.
Then the marketers and upper-management get their hands on it. "Can you change this feature?" "Can we add flash to that page?" "Can we get that in cornflower blue?"
Not to mention if we ever present multiple design concepts, they never want all of one, they want bits and pieces from all of them, resulting in a frankenstein monster that is not only hell to write, but hell to maintain and hell to use.
It doesn't help that our designers are constantly looking for ways to stretch themselves (you'd get bored doing GIF and JPG banners all day, too) and jump at any opportunity for huge flash projects.
The end result is a meeting room with three or four developers' voices about feasibility, usability, and scalability lost amid a sea of excited voices about what a fancy, exciting site it's going to be once we implement all the new features.
Most developers really do have good intentions, but we're not given the freedom to implement any of them.
And, because we have a team of top-notch developers, we actually are capable of building the frankenstein monsters they want, and when we succeed in building it, they only want more just like it. Our earlier protests are forgotten, many marketers grumbling quietly that we must just be lazy and not want to do more complicated web design. In the end, to their minds, we're just their trained monkeys.
Damned if you do, damned if you don't.
Devil's Advocate (Score:3)
I'd hate to play devil's advocate here, but to be honest I rather like this idea. The information isn't any more identifiable than, say, an IP address. One big benefit is if other browsers begin to include this type of information: PHP could use this information to choose the "best" version of a webpage, video stream, etc to send you. I know I personally get annoyed when a webpage is designed for a much higher resolution than I have set. Similarly, inexperienced internet users shouldn't be allowed to attempt to stream 1Mb/Sec of video through a 56K modem. Sure, it'll look like crap and it's all the end-user's fault but marketing people will tell you that if the end-user screws up you can lose customers because of it (they can go elsewhere, you can't).
Not an HTTP header (Score:5)
An HTTP header is e.g., Content-type: text/html; this is just changing the value of an existing one.
And, what is more, the User-Agent header is an informative header, so it's just adding more information about the user agent. So what?
Excellent news. (Score:3)
I have an Earthlink connection; it's the best I can do because of my location. Anyway, I had written an HTTP proxy Perl script, simply for my own educational purposes. You can imagine my surprise when I noticed this extra header! I could not find a reference to HTTP_ELNSB50 in any of the RFCs or manuals I consulted and I noticed that it never changed.
I did in fact email Earthlink about this, because I feared it might be an invasive identifier. I am disappointed, though, to report that even after repeated emails, I received no answer regarding my queries. I do not grudge Earthlink for this, but I do not think it is the best customer service. I nearly canceled my account when I could not discover what this mysterious header was.
Suffice to say, though, I am very grateful to Slashdot for answering my questions!