Kuro5hin.org: technology and culture, from the trenches
BBC scaremongering over "web bugs"

By Vila in News
Fri Jul 21, 2000 at 01:30:19 PM EST
Tags: Security

This BBC story on "web bugs" discusses the practice of using invisible 1x1 pixel images to track users. Whilst there is some truth in the story, I'm more concerned that this is yet-another-web-scare-story, when there are far more insidious threats to privacy in the form of the RIP Bill which is about to become law, and even such mundane things as supermarket loyalty cards.


BBC scaremongering over "web bugs" | 36 comments (26 topical, 10 editorial, 0 hidden)
just silly (3.66 / 3) (#1)
by rusty on Thu Jul 20, 2000 at 03:19:44 PM EST

While web bugs are real and annoying, that story is just idiotic. "HTML code hidden in the image"? WTF? I hate reading stories like this in the "mainstream" media-- you can always tell when they're written by someone who really doesn't understand the technology involved. This is one of those.

____
Not the real rusty
[somewhat o/t] Re: just silly (none / 0) (#9)
by jay.gatsby on Thu Jul 20, 2000 at 09:59:27 PM EST

I hate reading stories like this in the "mainstream" media-- you can always tell when they're written by someone who really doesn't understand the technology involved. This is one of those.

Yes, oh yes . . . here in Raleigh, NC, our local paper (the Raleigh N&O) published a rather lengthy article about cookies and the threat to privacy. Among other things, the article insisted that cookies were "programs" that web sites "installed" on your computer that were continually collecting information about what sites you visited, and seemed to hint that they might even be watching your feeding habits through the vent holes in your computer case, and recording telephone conversations to boot (well, not exactly, but it was almost that ridiculous).

Granted, there are issues to be concerned about (witness the DoubleClick mess), but there is no excuse for allowing any article as full of misinformation as these into print. If a given media outlet is covering a baseball game, they send out somebody who knows something about baseball. Ditto for financial news, and other subjects. If they didn't, the general public would boo them out of business. ("Look yonder! That feller what with the big stick done knocked that ball past that thar fence! I b'leive thisyer feller done scored a touchdown! This might just be the end of the first half of this game. Now if the fellow on that second white thing will punt the ball, they might score a free throw to boot. Wait a minute! Here comes the coach, and he's gonna pull out the guy that I think might be the halfback! Looks like it's off to the penalty box for him . . . ")

OK, I'm done with my rant now . . .

-------
"A fool does not delight in understanding, but only in revealing his own mind."
-- Proverbs 18.2
[ Parent ]

Re: [somewhat o/t] Re: just silly (none / 0) (#19)
by Anonymous Hero on Fri Jul 21, 2000 at 02:47:07 PM EST

So did you write an incensed letter to the editor and set the record straight? You should have.

[ Parent ]
Re: [somewhat o/t] Re: just silly (none / 0) (#20)
by jay.gatsby on Fri Jul 21, 2000 at 03:00:30 PM EST

So did you write an incensed letter to the editor and set the record straight? You should have.

Yup, but it didn't get published. I was pleased, however, to see that they did publish a letter from another reader who attempted to correct some of the mistakes. However, I'd prefer to see the mistakes corrected BEFORE the article goes to press in the future . . .

-------
"A fool does not delight in understanding, but only in revealing his own mind."
-- Proverbs 18.2
[ Parent ]

Re: [somewhat o/t] Re: just silly (none / 0) (#22)
by the coose on Fri Jul 21, 2000 at 04:08:01 PM EST

What do ya expect from the News and Observer? ;-)

[ Parent ]
So whats new? (3.00 / 4) (#2)
by Eldritch on Thu Jul 20, 2000 at 03:53:32 PM EST

And you think that the Ad banners (including K5's) don't gather information like this?

Example - the majority of K5 users click on banners that advertise free beer. This enables the server hosting the Ad to get some basic info from their PCs in exactly the same way as described above. Only no-one complains about it because it's out in the open.

As the free beer banner was clicked by loads of K5 readers, the ad server learns to post more ads with 'free' or 'beer' in them to K5.



Re: So whats new? (none / 0) (#23)
by Anonymous Hero on Fri Jul 21, 2000 at 05:54:27 PM EST

I don't like it. People should know about good sites and bad sites; there should be a service that blocks or filters these bugs like MAPS RBL and ORBS (some issues but OK). I can live with banners and (might) live with cookies, but this really sucks. artturi_s@yahoo.com

[ Parent ]
Ack! (5.00 / 1) (#5)
by Percible on Thu Jul 20, 2000 at 05:04:53 PM EST

I voted +1, because it's an interesting topic - the BBC may have it all wrong, but having read coverage on other sites, the places they're using to gather this information from suck rather a lot (medical sites and porn sites, the two places you'd rather not be tracked on).

Having said that, there's a rather more interesting subject going on in the UK at the moment - the RIP bill - more information can be found out about this at STAND.

Bleh. Doubleclick et al suck. :)


~P
submit (1.00 / 3) (#13)
by evro on Fri Jul 21, 2000 at 03:53:53 AM EST

I submitted this to slashdot a couple of days ago but they didn't run it. I wonder if this is because they themselves have plenty of 1x1 gifs in their code to track everybody.
---
"Asking me who to follow -- don't ask me, I don't know!"
Re: submit (none / 0) (#17)
by ejf on Fri Jul 21, 2000 at 11:26:41 AM EST

<g> Maybe they use it because of DESIGN reasons? I haven't looked, but I suspect the "bugs" come from the same server as the images? Or the content? You know, you CAN use these thingies for alignment purposes ... Slashdot doesn't need those to track you. They have extensive weblogs :-)
--- men are reasoning, not reasonable animals.
[ Parent ]
Re: submit (none / 0) (#30)
by tonyP on Sat Jul 22, 2000 at 08:42:27 AM EST

Or maybe it was more because they already covered it Here amongst other places ?



[ Parent ]
Web bugs inside HTML emails (3.00 / 1) (#15)
by ntagonist on Fri Jul 21, 2000 at 05:16:35 AM EST

One use of web bugs that I find interesting is the ability to track who reads your emails. Of course, I don't want any more spammers, but a lot of people voluntarily forward each other mails with jokes, pictures, and stuff like that. Often you get the same mail more than once.

So I was thinking of doing some experiment with this to see where the hell these emails end up. Unfortunately, this means putting the name of your own webserver into the IMG tag, so anyone reading the mail can figure out who's eavesdropping. Unless, of course, you get yourself a free web account and one of these free page counters :-)

mp3.com/mothergoose
How to strip web bugs (none / 0) (#21)
by mcelrath on Fri Jul 21, 2000 at 03:29:25 PM EST

<plug type=blatent>

FilterProxy strips web bugs (and ads) by examining HTML, and removing or rewriting portions. It's fast, stable, easy to configure (web forms or editing perl), and free (GPL). There's another article on this topic from the Washington Post from a few months back. (For some reason the Washington Post's story server doesn't like the URL. It will give you an error, but hit reload a couple of times and it will show up.)

</plug>

--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 2=0; 1=0.

Re: How to strip web bugs (none / 0) (#35)
by orabidoo on Mon Jul 24, 2000 at 03:09:28 PM EST

FilterProxy looks *very* promising, but for those of us who don't like the slowdown and extra indirectness of using a web proxy, there's John LoVerso's technique of using Netscape's (and IE's, I think) technique of Proxy Auto-Configuration to decide, at run-time and in the browser itself, whether a URL should be loaded via a proxy, or using a direct connection. You just set up a fake proxy that returns "not found" errors on all requests, and a simple JavaScript module (which works even with JS off in the browser) that redirects banner hits to the junkproxy.

For more info, read my web privacy hotfix primer, and John LoVerso's page about Proxy AutoConfiguration.

[ Parent ]
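
The Proxy Auto-Configuration approach from the comment above, as an added example (not John LoVerso's file and not part of the original post). The two domains are the ones named in this thread; the junk-proxy address and the path fragments are assumptions made for illustration.

```javascript
// PAC file: the browser calls FindProxyForURL(url, host) for every request
// and routes the request according to the string returned.

// Assumption: a dummy proxy listens here and answers every request with
// "404 Not Found". The address is a placeholder.
var JUNK_PROXY = "PROXY 127.0.0.1:8119";

// Ad and tracking domains mentioned in this thread.
var BLOCKED_DOMAINS = ["doubleclick.net", "hitbox.com"];

// Constructed path fragments that commonly mark banner requests.
var BLOCKED_PATHS = ["/ads/", "/banners/"];

// True when host is the domain itself or a subdomain of it. A plain suffix
// test would also match "nothitbox.com", so the leading dot is required.
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");   // drop a trailing root dot
  if (host === domain) return true;
  var tail = "." + domain;
  return host.length > tail.length &&
         host.substring(host.length - tail.length) === tail;
}

// Path component only, so a blocked fragment inside a query string
// (for example a referrer parameter) does not trigger a block.
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/]*(\/[^?#]*)?/i.exec(url);
  return (m && m[1]) ? m[1].toLowerCase() : "/";
}

function FindProxyForURL(url, host) {
  var i;
  for (i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (hostInDomain(host, BLOCKED_DOMAINS[i])) return JUNK_PROXY;
  }
  var path = pathOf(url);
  for (i = 0; i < BLOCKED_PATHS.length; i++) {
    if (path.indexOf(BLOCKED_PATHS[i]) !== -1) return JUNK_PROXY;
  }
  return "DIRECT";
}
```

Everything that is not matched goes out directly, so only the blocked requests pay the cost of a proxy hop.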

It's the scripts that are evil (5.00 / 1) (#24)
by dim on Fri Jul 21, 2000 at 06:04:50 PM EST

Normally, these 1x1 gifs are used as a kludge to make designers happy, ie. to force browsers to a certain layout. But what I'm encountering more often these days is JavaScripts like the following:

<SCRIPT LANGUAGE="javascript">
if (test==0) { var dt, sv=10, ss="na",sc="na",ln="",pl="",rf,bn,ja,bv,x1,x2,x3,arg;
rf=escape(document.referrer)+"";if((rf=="undefined")||(rf=="")){rf="bookmark";}
bv=Math.round(parseFloat(navigator.appVersion)*100);bn=navigator.appName;
if(bn!="Netscape"){dt=(new Date()).getHours();};if(bn.substring(0,9)=="Microsoft"){bn="MSIE";}
if((bn=="MSIE")&&(parseInt(bv)==2)){bv=302;};ja="na";
x2="<img src='http://hg1.hitbox.com/HG?hc=w125&cd=1&hb=WQ56CJGXNXX9NUEN3&n=StatMarket+Home";
x3="&cd=1&bt=2' border=0 height=1 width=1>"; 
arg="&bn="+bn+"&bv="+bv+"&ss="+ss+"&sc="+sc+"&dt="+dt+"&sv="+sv;
arg+="&ja="+ja+"&rf="+rf+"&ln="+ln+"&pl="+escape(pl);document.write(x2+arg+x3);}</SCRIPT>

This looks pretty much unreadable, eh? That's precisely the point: the makers of these scripts would NOT like you to know what this is doing, namely pulling out all statistics possible via JavaScript, attaching these to some bogus URL and fetching a 1x1 GIF from there. Of course the URL points into their site, and so they can easily send cookies, because the URL of the IMG tag refers to their site, not to the site you are really visiting.

I can already hear you say "Just turn off JavaScript, it's evil anyway", and I wholeheartedly agree, but there are many websites which I need to visit, which are not usable without it. So I'm kinda stuck here... Maybe the previously mentioned FilterProxy can do something about this?


--
cat ~/.signature

Re: It's the scripts that are evil (none / 0) (#25)
by Perpetual Newbie on Fri Jul 21, 2000 at 10:57:49 PM EST

I can already hear you say "Just turn off JavaScript, it's evil anyway", and I wholeheartedly agree, but there are many websites which I need to visit, which are not usable without it. So I'm kinda stuck here... Maybe the previously mentioned FilterProxy can do something about this?

So fla^H^H^Hcomplain to the author of the site. No web site should require Javascript to be navigatable. Point him towards the anybrowser.org design guide.

[ Parent ]

Re: It's the scripts that are evil (none / 0) (#28)
by dim on Sat Jul 22, 2000 at 07:39:20 AM EST

So fla^H^H^Hcomplain to the author of the site. No web site should require Javascript to be navigatable. Point him towards the anybrowser.org design guide.

As I said, I wholeheartedly agree with such a standpoint. I've not written many web pages myself, but when I do, I always try them in different browsers, and run them through the W3C validators, etc.

But the fact remains, that complaining, flaming or anything like that will not change the attitude of most webmasters. Would you really think that, for instance, Microsoft will adapt their site so that it is properly viewable from any non-IE browser? The same goes for the millions of sites out there generated by FrontPage, GoLive and the like, or web "designers" which are more concerned with pixel-fucking than accessibility. Some might say that this is Netscape's fault, for making it impossible to make an interoperable page without resorting to script tricks...

This could be a much longer rant, but it's really offtopic here, maybe it's an idea for a separate posting. But since something like this is already being flamewarred over at /., maybe there isn't any need.


--
cat ~/.signature

[ Parent ]
Re: It's the scripts that are evil (none / 0) (#32)
by Skapare on Sun Jul 23, 2000 at 05:24:14 AM EST

I have complained to webmasters of major sites. While I don't know whether they changed just because of my complaint, or for other reasons, I do know that in at least a couple of cases they really did change what I complained about. The 2 sites were Alta Vista and CNN. My complaint was regarding their choice of small font and my need for vision accessibility. While with normal HTML I can tell my browser to resize the fonts larger, they were using stylesheets which inhibited the browser font resizing. While I didn't specifically threaten to complain about accessibility, I did let them know that to purposefully block my ability to make their site accessible with my visual challenge, was not something that would generally be looked upon favorably, especially when the technology existed and was standardized for avoiding it. Those sites are not perfect, but at least I can read them now (CNN still has some miscalculated table cell sizes that don't fit the objects placed in them).

My next complaint target will be Kuro5hin itself for having such a small font on the comment input area box and making it not get larger with the increased font preference I did set for my userid. I'm sure they will fix this minor oversight when I get around to writing to them about it.



[ Parent ]
Re: It's the scripts that are evil (none / 0) (#26)
by mcelrath on Sat Jul 22, 2000 at 12:13:37 AM EST

<plug type=blatent take=2>
So I'm kinda stuck here... Maybe the previously mentioned FilterProxy can do something about this?
Indeed it can. The ad/bug you quote has:
<img src='http://hg1.hitbox.com/HG?hc=w125&cd=1&hb=WQ56CJGXNXX9NUEN3&n=StatMarket+Home"; x3="&cd=1&bt=2' border=0 height=1 width=1>
Which is enough to identify it as a bug. FilterProxy then grows the match to include the enclosing <script> block, and replaces the whole thing with a <spacer> tag. (or you could use a <img src=file://...> if you wanted to keep a 1x1 transparent gif around for this purpose) It does a similar thing for ads, and can remove the vast majority of javascript ads.

</plug>

--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 2=0; 1=0.
[ Parent ]

Re: It's the scripts that are evil (none / 0) (#27)
by dim on Sat Jul 22, 2000 at 07:30:49 AM EST

This would be a problem, because the JavaScript is generated on the fly, and written to the document with document.write(). The thing starts with a JavaScript tag which loads a .js file from the server, and that file generates the previously mentioned piece of code.

It would be quite difficult to analyze JavaScript, maybe there's even some halting problems involved...

I don't think your proxy would ever see the img tag pass by, since it is hidden inside a script. Or am I missing something?


--
cat ~/.signature

[ Parent ]
Re: It's the scripts that are evil (none / 0) (#31)
by mcelrath on Sat Jul 22, 2000 at 05:19:02 PM EST

This would be a problem, because the JavaScript is generated on the fly, and written to the document with document.write(). The thing starts with a JavaScript tag which loads a .js file from the server, and that file generates the previously mentioned piece of code.
If the page loads a js file via <script src=...> then I can't filter it (I have no intention of trying to figure out what a bit of javascript is doing...as you say...the halting problem gets involved...). However this is pretty rare, and often the contents of the src attribute are identifiable as an ad, or coming from a known ad serving domain (doubleclick.net), so I can strip the script tag. For in-line scripts, I find the tag I'm looking for, and then expand to include the script block. This is easy for things that use document.write(), and often the match is the quoted parameter to document.write(). I don't attempt to obey document structure until after I've found a match, since parsing every tag and obeying every comment is much slower.

Another trick I exploit is the common presence of a <noscript> block preceding or trailing a script block. Identifying the contents of the noscript block is easier than the script block (usually), so if I identify a noscript block as an ad, I also expand the match to include the script block (only if it is adjacent to the noscript block).

This works for 99% of the sites out there. Sometimes I'm amazed at the huge blocks of convoluted javascript that this algorithm is able to strip. However, I've seen sites which use a script block to write a script block. Now that's a bitch. I've also seen sites that break up the img tag (or ad, or web bug) into a bunch of variables and then assemble them in the argument to document.write(), which is just impossible to detect. But again, their use of noscript still allows it to be stripped. A very small number of sites get mangled by this algorithm (and I consider that a bug, and try to fix it when I find it), but I have run into one or two sites (in the last 6 months!) that get mangled and I just don't see a way to fix. For example, look at the source for abc.go.com. Those people need to have their heads examined. But it's easy to configure the proxy not to filter sites that it mangles. (BTW, abc.go.com is the only one I'm aware of right now)

--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 2=0; 1=0.
[ Parent ]
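
The find-first, grow-afterwards matching described in the comment above, as an added example in JavaScript (not FilterProxy's own Perl code). It treats a 1x1 image from another host as a bug, grows the match to the enclosing script block, and lets a flagged noscript block take an adjacent script block with it; all host names in the sample are constructed.

```javascript
// Added example, not FilterProxy's code. Attribute value: "x", 'x' or bare x.
function attr(tag, name) {
  var m = new RegExp("\\b" + name +
    "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i").exec(tag);
  return m ? (m[1] || m[2] || m[3] || "") : "";
}

// 1x1 and served from another host: a bug. Same host or relative: a spacer.
function isBug(tag, pageHost) {
  var m = /^(?:https?:)?\/\/([^\/?#:]+)/i.exec(attr(tag, "src"));
  return !!m && m[1].toLowerCase() !== pageHost.toLowerCase() &&
         attr(tag, "width") === "1" && attr(tag, "height") === "1";
}

// [from, to) of the <name>...</name> block containing offset pos, or null.
function blockAround(html, name, pos) {
  var open = new RegExp("<" + name + "\\b[^>]*>", "gi");
  var close = new RegExp("</" + name + "\\s*>", "gi");
  var m, from = -1;
  while ((m = open.exec(html)) && m.index < pos) from = m.index;
  if (from < 0) return null;
  close.lastIndex = from;
  m = close.exec(html);
  return (m && m.index >= pos) ? [from, m.index + m[0].length] : null;
}

// A flagged <noscript> also takes a directly adjacent <script> block; this
// catches scripts that assemble the tag from pieces no pattern can match.
function growToAdjacentScript(html, r) {
  var one = "<script\\b[^>]*>(?:(?!</script)[\\s\\S])*</script\\s*>";
  var before = new RegExp(one + "\\s*$", "i").exec(html.slice(0, r[0]));
  var after = new RegExp("^\\s*" + one, "i").exec(html.slice(r[1]));
  return [before ? before.index : r[0], after ? r[1] + after[0].length : r[1]];
}

function stripBugs(html, pageHost) {
  var cuts = [], img = /<img\b[^>]*>/gi, m, r, i;
  while ((m = img.exec(html))) {
    if (!isBug(m[0], pageHost)) continue;
    r = blockAround(html, "script", m.index);
    if (!r && (r = blockAround(html, "noscript", m.index))) {
      r = growToAdjacentScript(html, r);
    }
    r = r || [m.index, m.index + m[0].length];
    if (cuts.length) r[0] = Math.max(r[0], cuts[cuts.length - 1][1]);
    cuts.push(r);
    img.lastIndex = Math.max(img.lastIndex, r[1]);   // skip what is cut
  }
  for (i = cuts.length - 1; i >= 0; i--) {           // cut back to front
    html = html.slice(0, cuts[i][0]) + "<!-- bug removed -->" +
           html.slice(cuts[i][1]);
  }
  return html;
}

// Constructed sample page, served from www.shop.example.
var SAMPLE = `<img src="/img/spacer.gif" width=1 height=1>
<script>x2="<img src='http://stats.tracker.example/HG?n=Home";
x3="&bt=2' border=0 height=1 width=1>";document.write(x2+x3);</script>
<p>text</p>
<script>var a="<im",b="g src='http://stats.tracker.example/HG?n=Cart";
document.write(a+b+"' height=1 width=1>");</script>
<noscript><img src="http://stats.tracker.example/HG?js=no" height="1" width="1"></noscript>
<img src="http://cdn.other.example/logo.gif" width=120 height=60>`;
```

In the sample, the first script is caught because the tag pattern spans the two string variables, and the second only because of its adjacent noscript block; the same-host spacer and the 120x60 third-party logo are left alone.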

Web Bugs yadda yadda (3.00 / 1) (#29)
by Anonymous Hero on Sat Jul 22, 2000 at 07:39:47 AM EST

Seriously, who cares? If a company wants to collate statistics using webbugs let them. Ignore it. The statistics they generate will be so devoid of any meaning that you don't need to worry about it.

It's the people who know what they are doing with their logs you need to worry about. And those using Cookies. Without Cookies webbugs are totally useless.

It's like counters. For ages everyone was saying "Look at my counter!" and then others said "Yeah, but that counter means nothing, here's why", and you don't see many counters any more.

Similarly, the people that use webbugs might eventually realise that they mean nothing, and then they start using better techniques (combinations of cookies and weblogs and non-cacheable pages) and that is bad.

I'd rather people thought they knew stuff about me than people actually knowing stuff about me

Paranoidfish (still can't be arsed to login)



1x1 Invisible Images.. (3.00 / 1) (#33)
by makolee on Sun Jul 23, 2000 at 11:44:38 AM EST

This seems kind of funny...

The place I use 1x1 invisible PNGs is with Junkbuster to keep the ads off my desktop and to try and STOP people from tracking me.
--
Mako Hill

Red Web Bugs (4.00 / 1) (#34)
by crick on Mon Jul 24, 2000 at 10:32:31 AM EST

Check out RedMeasure brought to you by Australian newcomer Red Sheriff. This nasty little fella bumps up web traffic stats for your site by transmitting a "hit" every time the page is opened, i.e. from your web browser cache. The stats aren't stored on the web server, however, but on a "trusted" third party, i.e. Red Sheriff's. Don't worry, it only works on Internet Explorer 4+ and it simply forces other browsers to reload content through CGI, thereby circumventing the Internet caching system.

I believe this is going to become a trend as marketing departments demand more accurate (read fudged) web server usage reports. My own company was considering using RedMeasure until I carefully pointed out its flaws.

blah (2.00 / 1) (#36)
by Anonymous Hero on Tue Jul 25, 2000 at 03:24:30 PM EST

web bugs, web schmugs

What's the big deal anyway? (none / 0) (#37)
by J'raxis on Sun Nov 05, 2000 at 03:18:26 AM EST

First off, I'd like to say this article was damn near the most brainless, dumbed-down article about anything on the Internet I've seen in a long time. HTML code "hidden" in images? I'm surprised they even used the term "HTML"...

Anyway, I don't understand why people find cookies to be so disturbing in the first place. All cookies can tell a website, unless you've intentionally logged in to something (like K5), is that "some user visited page x, then he went to page y, then page z..."

The only "personal" information they can gather from you is your IP/hostname (sometimes, not always - I'm a perfect example, my ISP uses a webcache and all requests coming from all users show up as cacheflow.ici.net, not as my dialup IP address), and what browser you're using. Unless you're on a static IP, this information in no way can identify you as you.

Cookie tracking, in my opinion, is actually a good thing, because it allows marketers/advertisers/whatever to gather all the aggregate information they could ever want for statistical purposes without ever connecting that to your real name or address. Otherwise their only option would be to require people to create accounts so they can track you.


[ J’raxis·Com | Liberty in your lifetime ]
