Home | Community | Message Board

Everything Mushrooms
Please support our sponsors.

General Interest >> Political Discussion

Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!

Jump to first unread post. Pages: 1
Head Banana

Registered: 10/28/99
Posts: 3,071
Loc: www.MycoSupply.com
Series on Protecting Your Privacy Online
    #1050765 - 11/13/02 11:51 PM (13 years, 11 months ago)

Hello Everyone,
This is a collection of posts taken from Plural of Mongoose. This is a VERY good article which touches on MANY different level. My thanks to Plural of Mongoose for taking the time to write this up. Please know that this is a collection of posts. They are very long but easy to read.



By: Plural
of Mongoose

A Four Part
Series on Protecting Your Privacy Online (Long - 56K BEWARE!)

Part 1: Hardware

Part 2: Software

Part 3: Email

Part 4: Surfing the Net

Original sources for excerpts and related links

The majority of this is excerpted from SFOnline, with additional quotes from
sources listed in the bibliography in the final post.

Securing Privacy:
Hardware Issues.

When asked about
efforts to combat the tracking of Internet users, Scott McNealy of Sun famously
replied, "You
have zero privacy anyway. Get over it."
Despite McNealy?s flippant
attitude towards privacy, it remains a highly contentious issue, with the potential
to affect many aspects of individuals' personal and professional lives. Furthermore,
the ability to protect their own proprietary information, and to ensure the
protection of their customers' crucial data, may mean the difference between
success and failure for many organizations.

While Internet users may not be able or entitled to control information about
them that is held by third parties, they can still take steps to ensure the
protection of their privacy. It's never too late to begin safeguarding your
privacy. Let's first examine hardware-based privacy issues, specifically: hardware
solutions for small networks and wireless devices, hardware-based spyware, and
some attempts by hardware vendors to infringe upon users' privacy.

Hardware-Based Protection ? Firewalls and Routers

The point at which the Internet and a computer network meet form the perimeter,
the key point of network defence. Even if there is only one computer in a SOHO
(Small Office/Home Office) environment, that constitutes a network. In the military,
sentries secure a perimeter by making sure anyone who wants to enter the area
is supposed to be there. Networks require a sentry at their perimeter as well.

That's where a combination router-firewall comes in. Just as a firewall in a
car protects the driver from any flames in the engine area, a firewall on a
network protects the internal network from any unsolicited attempts to get inside.
It's the sentry on the perimeter that won't let allow unauthorized traffic to

A router is more difficult to explain. Let's say there are three separate computer
users on a network. Each, working from his own computer, requests a different
Web page. All three requests go out through the router at the same time and,
a few seconds later, replies pour back in. Since information must be broken
down into individual packets of data to travel over the Internet, and since
those individual packets - hundreds or even thousands of them - can each take
different paths, the packets from the three Web pages are all jumbled together
as they stream back into your network. In the case of a network, a device called
a router is responsible for guiding the packets to their destination: as it
receives the flood of packets that the three users requested, it sends each
packet to the appropriate computer.

Router-firewalls protect the privacy of small network users because they help
to secure the network using a protocol called NAT (Network Address Translation).
Basically, NAT hides the computers from the rest of the Internet and uses the
router-firewall as a mediator for all communication to and from the Internet.
If a cracker can't break into a the network, he can't rifle through the personal
documents, financial records, or other vital information that resides on that
network. Thus the confidentiality of the data stored on the computers on that
network is secured.

The nice
thing about router-firewalls is that they are operating system-independent.
It doesn't matter if the network consists of Windows, Mac OS, & Linux computers
- all will be protected by an efficiently guarded perimeter. Best of all, most
SOHO devices can be bought for less than $100. Better yet, users can build their
own router-firewall using an old computer, two Ethernet cards, and some software.
There are a number of commercial solutions available for Windows users. Linux
users, however, have a wealth of free options available to them. Check out the
Router Project,
a version of Linux designed to fit on a floppy
and turn an old computer into a fast, efficient router-firewall.

Wireless Worries

The wonderful new world of wireless is taking the networking world by storm.
It's not surprising - the combination of a popular standard (802.11x), affordable
prices, and the undeniable convenience of wireless networking has come together
to produce phenomenal growth.

Unfortunately, there's a downside as well. The built-in security standard for
802.11x - WEP (Wired Equivalent Privacy) - has been criticized for poor effectiveness.
Worse, 802.11x networks are being put into place that lack even basic security.
There's even a popular and easy-to-use software tool for Windows called NetStumbler
that searches for open wireless networks. In fact, the latest rage for crackers
is war driving: cruising around in a car armed with a laptop, NetStumbler, and
an antenna in order to look for unsecured wireless networks.

Should you be concerned? Well, if you live in the woods and no one comes near
your house, you're probably safe. But the rest of us should be careful. Fortunately,
there are several things you can do to batten down the hatches.

Wireless Security Solutions

Enable 128-bit WEP. It's not that effective, but it is something. Change the
default password that comes with wireless router-firewalls (the "Access Point"
in wireless-speak). Install software firewalls on all machines to help detect
possible intrusions (more about this in the next article in this series). Audit
your Access Point logs frequently to see who's using the network. Finally, and
safest of all, consider requiring authentication to access and use the wireless
network. (For a more in-depth discussion on securing wireless LANs, see Paul
Sholtz's article in New
Architect Magazine.

Wireless may have security problems now, but it's definitely the future, and
wireless vendors now have an even more urgent economic interest in securing
their products.

Hardware-Based Spyware

So far we've looked at hardware that protects users? security and privacy. But
what about hardware that is deliberately designed to violate their privacy?

The next article in this series will look at software-based spyware, software
that watches what users do and reports their actions back to its creators. However,
hardware can act as spyware too. In fact, hardware-based spyware is even worse
than the typical downloadable spyware. If a user finds out that a favorite file-sharing
program has spyware built into it, he or she can just remove the software, remove
the spyware (often after a protracted struggle with the Windows registry), and
switch to another program that is spyware-free.

But what about spyware that's built into the computer?s processor? The network
peripherals? Or the hard drive? "That's easy!" readers might think, "I just
won't buy it! I'll use something else!" Unfortunately, things aren't that simple.
If powerful interests have their way, privacy-violating hardware will be unavoidable.
Worse yet, owning or using hardware that does not violate your privacy will
be illegal.

The Pentium III

The modern era of hardware spying began with the Intel Pentium III. When Intel
announced the Pentium III, it also announced a new "feature": every new CPU
would include a unique ID number. Although Intel justified the number as a great
new advance for e-commerce, privacy advocates pointed out the obvious: a unique
ID number would make it easy for users to be tracked as they traveled the Internet.
After widespread protests from consumers, and even members of Congress, Intel
relented. The Pentium III shipped with a unique ID number, but it
was turned off by default.
Better still, by the time the Pentium
IV was released in February 2000, the ID number was completely removed.


One type of spying device getting a lot of attention is the keylogger. These
gizmos plug surreptitiously into a computer and track everything the user types.
One type of keylogger is a small beige cylinder, just a few inches long, that
looks like an extension to the PS/2 keyboard's cable. The person spying on the
user unplugs the keyboard from the back of the PC, plugs the keylogger into
the PS/2 port, and then plugs the keyboard into the keylogger. No software installation
is required. At that point, the device begins logging everything the user types
(since the PS/2 port is used, any operating system using PS/2 is vulnerable;
USB keyboards, however, are still safe).

To view what you've been typing, the spy sits down at the computer, opens WordPad,
and types a password, or he moves the keylogger from the victim's machine to
his. It's that easy. These keylogging devices are definitely in use, and right
now, the only cure is vigilance: if you suspect that you're a victim, check
the back of your PC periodically, and make sure you trust your keyboard.

It should be stated that, in some cases, keystroke loggers have legitimate,
legally accepted purposes, such as workplace monitoring (although the ethics
and good business sense of this practice are very much open to debate).


Devices like keyloggers can be seen and easily removed. But what if your hard
drive is the spy tool? This is the most dangerous scenario of all - your hard
drive is absolutely fundamental to your computer, and it's also the main storage
center for all of your files. If your hard drive is compromised, you have no

Unfortunately, this is precisely the scenario we're seeing come to life. In
late 2000, the "4C Entity" ? a consortium consisting of Intel, IBM, Matsushita
and Toshiba - proposed the "CPRM" extension to the ATA
(Advanced Technology Attachment)
standard that governs how hard
drives work. CPRM
(Content Protection for Recordable Media)
would control how digital
files are copied, moved, and deleted. The user?s hard drive would be digitally
signed with a set of encrypted keys, and any attempts to manipulate files on
the hard drive would require approval by a central server. If the user loses
or damages the encrypted keys, he's out of luck. If he wants to view or copy
a file that is controlled via CPRM, and his operating system doesn't support
CPRM (think Linux), he's out of luck. If the user want to back up their data,
but some third party doesn't want them to, he's out of luck.

After a firestorm
of protest,
the CPRM proposal for hard drives was withdrawn in
February 2001. Unfortunately, while CPRM has been temporarily beaten back from
hard drives, it continues its relentless march onto DVD media, smartphones,
and SD cards. All DVD recordable discs now support CPRM for copy protection.
Cell phones based around the Symbian OS are going to rely on CPRM to govern
the behavior of removable SD cards. Microsoft has announced support for CPRM
on SD cards through what it calls the "Windows Media Device Manager", which
transfers Windows Media-encoded music files from your hard drive to your portable
device. CPRM has not gone away - it has just moved to portable devices. We must
keep an eye on CPRM to make sure that it is not re-introduced for hard drives.


Something even worse than CPRM is waiting in the wings. Senator Ernest Hollings
(D-SC) has introduced the Consumer
Broadband and Digital Television Promotion Act (CBDTPA)
the Senate (note that prior to its introduction into the Senate, Hollings' bill
was known as the Security Systems Standards and Certification Act, or SSSCA,
so if have trouble finding information about the CBDTPA, try searching for the
SSSCA instead).The CBDTPA would mandate that a copy-protection standard be part
of "any interactive digital device". VCRs, TVs, DVD players, stereo equipment,
and especially computers - all would fall under the CBDTPA's reach. Users who
disable the built-in copy-protections, or buy or sell a non-CBDTPA-covered device,
will have broken the law and could face up to five years in jail and a $500,000
fine for a first offense.

With the CBDTPA in place, the big media companies will control how users use
their personal computers. Under the rubric of "preventing piracy", the government
will make it impossible for users to exercise their fair use rights to copy
software they own for backup, tape an episode of "Friends" on their VCR to watch
a week from now, or convert their music CDs into MP3's. Open
source software
will either be compromised by the forced inclusion
of proprietary, source-secret copy protection schemes designed to work with
CBDTPA-protected hardware, or it will be illegal. For all of this to work, the
computers of private citizens will have to constantly monitor what the individual
does and compare their actions against "rules" set up by someone else. The privacy
implications of the CBDTPA are grave. (For more information on the CBDTPA and
the efforts to fight it, visit The
Electronic Frontier Foundation (EFF)
or The
Electronic Privacy Information Center.)

As computer users, we're in for a long, constant fight to safeguard our privacy.
On our networks, we need to guard our perimeters with a router-firewall, especially
if we network wirelessly. On our computers, we need to carefully look for any
hardware that may be spying on us. And in the political arena, we have to work
to protect our rights as consumers - even if the CBDTA goes down in defeat,
it's obvious now that the large media companies and their lobbying organizations
are determined to control us as stringently as possible. No one said that protecting
your privacy was going to be easy ... but it can be done.

Privacy: Software Issues

As we shall see,
some software is designed to safeguard privacy, while other software seems designed
to compromise it.

Personal Firewalls

Firewalls are an important part of a privacy protection strategy because they
prevent intruders from gaining access to valuable information that is stored
on a computer. Now let's look at firewalls that run on individual computers.
Known as personal, or PC, firewalls, these are different from hardware firewall-routers
in several ways. The best PC firewalls track incoming and outgoing traffic,
and allow users to set up rules governing what programs on the computer will
be allowed to establish connections to the Internet. Best of all, many PC firewalls
are free, although even if they are available commercially, prices tend to be

There are many different personal firewalls available, for both Windows and
Mac OS. Some of the better known ones are:

Before deciding to use any of them, you should research your options. There
are several resources available to guide firewall shoppers, including: Home
PC Firewall Guide,
GuardianAngel.com Firewall Comparison Chart,
and Firewall.net.

Windows XP's Internet Connection Firewall

A brief note of caution for Windows XP users. Now that Microsoft has started
bundling its "Internet Connection Firewall" into XP, these users might think
that they don't need to look at any of these personal firewalls . However, ICF
is not a particularly secure solution, as it only watches inbound connections
and ignores outbound traffic. If a bad guy is attempting to scan a computer
for vulnerabilities, it should be all right; however, a trojan may be installed
- either unintentionally by the legitimate user, or intentionally by a malicious
hacker - on that system. If the trojan attempts to phone home, ICF won't notify
the user at all. Therefore, it is a good idea to simply turn off Microsoft's
firewall and use one of the third-party personal firewalls listed above.

Common Characteristics of PC Firewalls

Certain things are common to nearly all PC firewalls. The fundamental task of
all firewalls is to monitor all network traffic entering and leaving the protected
computer. If suspicious traffic tries to enter the computer, it will be blocked
and the user will be notified. On the other hand, when a program on the computer
tries to send traffic out to the Internet, the user will be asked if he or she
wishes to allow it. All PC firewalls allow the user to deny or approve the outgoing
connection, and to make those settings permanent. Many also give additional
details that can help the user track down anything suspicious.

PC firewalls typically allow the user to set rules governing network traffic.
These rules can be set using a simple slider, for basic settings, or the user
can specify granular parameters. A good PC firewall keeps logs about incoming
and outgoing traffic, and allows users to examine those logs to look for patterns
that can help them batten down the hatches if needed.

Linux Personal Firewalls

Some Linux users have an effective firewall built into their computers. While
installing Red Hat, users are asked how they want to configure the firewall.
They can configure the firewall further with Lokkit, which both a simple and
a more feature specific interface. Be warned, however, that Lokkit is a pretty
simple tool. If you need something more complicated on your Linux machine, you
might want to look into ipchains
and iptables.
But no matter what you choose to use, the important thing is that you have a
software firewall on your system. Without one, you are inviting potential disaster.

Personal Proxy Software

Even if users have firewalls installed, their privacy is not necessarily secured.
While firewalls can keep nosy hackers out of users' systems, the Web-surfing
habits of the user can be used to harvest a bounty of personal information.
In addition to personal firewalls, users also need to install personal proxy

Proxy software examines all the packets coming in to the user's Web browser.
As a new Web page is requested, the proxy examines the Web page's HTML, scripts,
and graphics. At the same time, it checks the user's preferences so that it
knows what he or she wants to view and what should be discarded. For instance,
if the user tells the proxy that they don't want to view banner ads, the proxy
will filter those ads out.

Some of the most common personal proxies are WebWasher
(Windows, Linux, and Mac OS), Junkbusters
(Windows and Linux), Guidescope
(Windows, Linux, and Solaris), and AdSubtract
(Windows). Each of these programs works differently. Some block ads based on
the URL, path, or file name, and some base their filtering on dimensions (dimensions
are easier to set up, but URLs are more precise). Some proxies have a Web-based
interface for configuration, and some require the user to edit text files. Some
of these tools provide extensive logging, and others provide just a summary
of statistics (see below for an example of WebWasher's statistics). Some software
provides advanced debugging tools that can really help the user figure out why
something isn't working, and other software provides minimal debugging abilities.
Most of the proxies mentioned are free, or available for a minimal charge.

The results of a personal proxy can be seen almost immediately. In particular,
Web pages will load more quickly. But a proxy also protects the users privacy
in the following ways:

By controlling the use of cookies:

A cookie is a small text file that a Web sites store on visitors' hard drives.
Cookies store data about the user. They are intended to help the Web site remember
information about the user, so that customized information can be presented
to them the next time they visit. However, in some cases the data collected
by data may be used for less legitimate purposes, such as creating profiles
of users for targeted marketing. In some cases, companies sell this personal
information for profit without the explicit knowledge or consent of the user.

Whether a cookie is good or bad may be a matter of perspective. For instance,
I like getting cookies from The
New York Times
or Slashdot
- they allow me to instantly log-in to www.nytimes.com
and get personalized content at Slashdot. However, I don't like that DoubleClick,
the giant Internet advertising company, is able to track me on all the sites
on which it has placed banner ads. Proxies allow you to customize your cookie
settings for each Web site, as I've done with The New York Times and Slashdot.

By filtering out advertising:

Advertising can compromise privacy because it allows the companies placing the
ads to track users' movements across many Web sites. As a person visits each
site, the banner ads silently gather information tracking users' trails. By
blocking ads, they make it much harder for third parties to compile a record
of their interests.

With a proxy, users don't ever need to see another banner ad. However, before
filtering out all ads, users might want to consider that many Web sites depend
on ads for revenue, so they shoud consider whether or not you want to filter
out all ads. Some of the smarter proxies can filter out ads on most Web sites,
while allowing ads on sites the user wishes to support.

By blocking pop-up and pop-under windows:

This is a blessing now that advertisers have been carpetbombing the Web with
pop-under ads. Now I never see them (note that users can also block these ads
if they're using the Mozilla Web browser: go to Edit > Preferences > Advanced
> Scripts & Windows, and uncheck the first four checkboxes. For users of
the Konqueror Web browser - open Setting > Configure Konqueror > Konqueror
Browser > JavaScript, and set your "JavaScript web popups policy" accordingly).

This can be a problem, however, on some sites such as Yahoo Mail, which uses
a pop-up window for adding attachments to your e-mail, and Windows Update, which
opens a popup window while it's checking your computer. Users will need to configure
the proxy to ignore those Web sites that use pop-up windows they need.

By hiding the previous Web page visited:

Every time Internet users go from one Web page to another, the browser informs
the new page of the previous page visited. This is required on some sites, especially
search engines. By knowing where people have come from, a Web site can further
target those other sites that consistently send it traffic. However, this information
may also be used to compile profiles of users' browsing habits, data that can
then be used for targetted marketing. Because of this, some people find referer
information to be too revealing. Proxy software can help them hide their tracks.

By squishing "Web bugs":

Web bugs - also known as "clear GIFs", "1-by-1 GIFs", and "invisible GIFs" -
are tiny graphics placed inside Web pages or e-mail messages in order to track
information about the user. Many companies, like WebTrends
, use Web bugs for their log analysis programs. However,
some companies use Web bugs to track whether or not user have read an email
or even forwarded it. Proxy software can remove Web bugs so that companies can
no longer track the user without his or her knowledge.

A personal proxy can really help protect your privacy. After the proxy has been
installed, you may want to make sure it's working. WebWasher has a test
available. Or, Steve Gibson's GRC Web site has a fascinating
test page
that can be used to gauge a proxy's effectiveness.
Just go to these pages and follow the instructions.


Once they've got a PC firewall and personal proxy installed, users will have
much greater control over their privacy. However, their computers may already
be running software that is revealing sensitive information about them ... and
users may not even be aware that this software is running on their machine!

Software that works without the user's knowledge, or that obfuscates what it
is doing, is known as "spyware", or "sneakware". Most of the time spyware gets
onto a computer by piggybacking along with a program that was intentionally
installed. For instance, Audio Galaxy is a popular filesharing program. In January
of this year it was revealed that Audio
Galaxy also installed the "VX2" program
onto users' computers.
VX2 tracks the Web sites that users visit and reports that information back
to the company, which adds it to a database tracking each user. Worse yet, VX2
collects information from the on-line forms that users fill out. VX2 promises
that it won't collect anything sensitive - like credit card numbers or passwords
- but the only contact information available for the company is a Hotmail address
and a PO box in Las Vegas. Does that make you feel safe? (Removal instructions
for VX2 can be found at Counterexploitation)

On April 1, CNET
that Kazaa, an incredibly popular filesharing program,
had bundled software from Brilliant Digital Entertainment for several months.
In fact, users could not install Kazaa without agreeing to also install Brilliant's

Brilliant revealed in a federal securities filing that its software was designed
to link all the computers who had installed it into a new network called Altnet.
Computers on this network would receive advertising, music, and other content
from Brilliant's partners. In addition, Brilliant would make use of members'
computers in order to run programs in a distributed computing system.

Kazaa and Brilliant argued that all the details were made available to users
before they installed the programs, in a "terms of service" contract that users
are required to read and agree to. This contract, however, is 2,644 words, and
has shown
that it is written in an extremely confusing, complex
manner. Most people simply click "I Agree" and don't read the terms.

(The controversy continues. Brilliant's CEO has tried to justify his company's
actions. CNET published instructions detailing how to uninstall
Brilliant's software
. And in the latest turn, a new program called
that provides access to Kazaa's filesharing network without
having to install Brilliant's software has been developed by a Russian programmer
known as "Yuri".)

There are Web sites that can help in the fight against spyware: Spychecker,
and the colorfully named Scumware
are a few of them.


Most spyware problems occur on Windows, but it is also an issue on Macs. However,
Windows is the main battleground, and it's not surprising; after all, Windows
is on at least 85% of the world's personal computers, so it's the main target
for the unscrupulous providers of spyware. Fortunately, there's free software
available for Windows that will check for spyware, and remove any that it finds,
called Ad-aware.
After Ad-aware finishes scanning the computer, it lists any spyware it finds.
Users can check the boxes next to the spyware they would like to remove, click
"Continue", and they're done.

One note of caution: some programs may cease functioning if their spyware is
removed. In this case, users simply need to click the "Backup" button in Ad-aware
before removing the spyware. If the software no longer works after the removal
of the spyware, it can easily be restored. Of course, a better long-term solution
might be to look for different software that doesn't act as spyware.

Users who download and install a lot of software should run Ad-aware every couple
of weeks. Otherwise, every month or so would probably be fine.

Update the OS and Software

New spyware comes out all the time, so Ad-aware constantly updates its database.
If you want Ad-aware to be as effective as possible, download new versions regularly
from Lavasoft.

This is true for pretty much all software. If you want to secure your privacy,
you need to keep your software up to date. First, new vulnerabilities are discovered
in software constantly, and they could compromise your privacy. Second, software
like ZoneAlarm and Ad-aware is constantly being improved, and you need to keep
up with those improvements.

Updating Macs

For users who are running Macs, Apple makes updating its system software easy.
Users running OS X simply need to open System Preferences in the Apple menu
and select "Software Update". They can then connect to Apple's servers, check
to see if there are any updates, and then make their choices.

Windows Update

Microsoft's Windows Update has been available ever since Windows 98. To use
it, users just need to open Internet Explorer (they must use IE - Windows Update
requires technologies built into IE, so it won't work with Netscape), go to
the "Tools" menu, and choose "Windows Update". After the page finishes loading,
they can choose "Product Updates", make their choices, click "Download", and
Windows Update will download and install everything. It's pretty painless. Unfortunately,
Microsoft doesn't give users a lot of information about exactly what it's doing
to their system, but Windows Update is still required for Microsoft operating
systems. Users need to read the updates and ensure that they actually need them
before downloading.

Linux and Red Carpet

People who use Linux have a wealth of options available to them. One of the
best reasons to install Ximian GNOME, which runs on a variety of Linux distributions,
is Red
. Red Carpet is like Windows Update, but it gives the user
far more information. For each item that can be downloaded, Red Carpet displays
the currently installed version number, the requested version number, a summary,
a full description, required files, and provided files. It will also resolve
dependencies, and inform the user if there are any key updates needed for security

Red Carpet is not the only option for Linux users, but it is the slickest. Other
well-known possibilities include the Red
Hat Network
and Debian's
(now ported
to work with Red Hat
). All are worth investigating, as all will
help users keep their system protected against software vulnerabilities.

Updating User Knowledge

Keeping software up-to-date is vital, but it's even more important that users
keep their knowledge up-to-date. New software threats are surfacing all the
time, and it is vital that privacy-concerned users keep abreast of such developments.
Privacy Web sites such as The
Electronic Frontier Foundation
, The
Electronic Privacy Information Center (EPIC)
and Privacy.org
are invaluable. Unfortunately, securing your privacy can feel like a full-time

Privacy: E-Mail Issues

to research
conducted by Neilson NetRatings
, e-mail is by far the most widely
used application on the Internet. Unfortunately, e-mail should also be of great
concern to people concerned about privacy.

If you asked most people what program they use the most each day, it's probably
their e-mail client. For most Windows users, this means Outlook or Outlook Express
(OE). This is problematic, of course, since out of the box both programs are
dreadfully insecure. Fortunately, there are things that users can do to protect
their privacy when using Microsoft's e-mail clients. Please note that I'm only
going to cover aspects of these programs that directly pertain to privacy; going
over the security aspects of Outlook and OE would require an article by itself.

Web Bugs in E-Mail

The biggest privacy danger to e-mail users is that of Web
. Basically, a Web bug is a tiny invisible GIF image that
a spammer or marketer (often the same thing) places into an HTML-formatted e-mail.
With the Web bug, the spammer can tell when the recipient of the e-mail opens
it because his server will track a hit when the Web bug is viewed, this lets
him know that he has a live address. In addition, the spammer can also track
if the recipient forwards the e-mail and when the new recipient opens the e-mail
as well, thus gauging the effectiveness of the spam. Finally, the IP address
of all readers of the e-mail can be transmitted to the spammer, which helps
him link an e-mail address to a specific machine on the Internet.

The Preview Pane

There are several steps that e-mail users can take to block Web bugs; as an
added bonus, some of these steps will help curb (but not prevent) the spread
of viruses, something Outlook and OE make far too easy. First of all, turn off
the Preview Pane function in Outlook. If the Preview Pane is on, a Web bug may
be activated as soon as you select the e-mail from the list of messages in your
inbox. To turn the Preview Pane off in Outlook, go to the View menu and uncheck
"Preview Pane".

Do the same thing if you're using Evolution
for Linux. If you're using Outlook Express, choose the View menu, then select
"Layout ..." in order to open the Window Layout Properties dialog box. Uncheck
the box next to "Show preview pane".

Finally, if you're using either the Mozilla
or the Netscape
e-mail program, choose the View menu, go to "Show/Hide", and then disable "Message

Disable JavaScript Support

To further protect yourself against e-mail spying, disable JavaScript. It's
bad enough that e-mail clients support HTML, but there is absolutely no reason
why they should also run JavaScript embedded in e-mail messages. (For a more
detailed account of why HTML and JavaScript create insecurities in e-mail, please
take a look at A
Quick Guide to E-Mail Security
.) Microsoft allows you to turn
off JavaScript in its e-mail programs; unfortunately, doing so will also disable
JavaScript in Internet Explorer as well, where many Web pages rely on JavaScript
to work. (This is what happens when a company intermingles program functionality
for the sake of "convenience" and marketing instead of technical soundness.)

To disable JavaScript in Outlook, choose "Tools", and then "Options", and then
select the "Security" tab. In the "Secure Content" area, choose the dropdown
menu for "Zone" and select "Restricted Sites".

But wait, you're still not done! Now click the "Zone Settings ..."; button.
A warning box will open informing you that you are about to change settings
that will affect Outlook, Outlook Express, and Internet Explorer. Since we know
that, click "OK". In the "Security" window that will open next, choose "Restricted
Sites". Click the "Custom Level ..." button. Once the Security Settings window
has opened, scroll down to "Active Scripting" and make sure that "Disable" is
chosen. Click "OK" to close "Security Settings", click "OK" to close the Security
window, click "OK" to close the Options window, and you're finally done.

If you use Outlook Express, the process is similar - after all, you're working
with the same parts of the operating system that I described above for Outlook
- but since this is Microsoft and everything has to have a different user interface,
things are a bit different. Start by selecting the Tools menu, then "Options"
and then select the "Security" tab. In the Security Zones section, select "Restricted
Sites Zone (More secure)".

Now we need to set the Zone settings. Open "Control Panel" and choose "Internet
Options". Click on the Security tab and choose "Restricted Sites". Click the
"Custom Level ..." button. Once the "Security Settings" window has opened, scroll
down to "Active Scripting"and make sure that "Disable"is chosen. Click OK to
close "Security Settings", click OK to close the "Internet Properties"control
panel, and you're finally done.

Mozilla and Netscape 6 recognize the fact that many people prefer to enable
JavaScript for Web browsing but disable it while reading e-mail. The preferences
reflect this reality. In either the Web browser or the e-mail program, choose
the Edit menu, then "Preferences", then "Advanced", and then "Scripts & Windows".
At the top of the preferences page, you can set JavaScript as you best see fit.

Going Offline

The best way to stop Web bugs in their tracks is to read your e-mail while you're
not connected to the Internet. After all, if a Web bug can't send information
back to the mothership that spawned it, then it's useless. If you're connecting
to the Internet via a dial-up modem, going offline is easy - just disconnect.
If you're using broadband, like DSL or a cable modem, it's more complicated,
but you can do it. However, do you really want to have to disconnect every time
you read e-mail, and then reconnect when you're finished? If you're using a
modem, the wait can be interminable.

Fortunately, there's a better solution. Several e-mail clients allow you to
take the program offline without taking the entire computer offline. This allows
you to read e-mail and reconnect immediately again as needed. You get the same
effect as a disconnection, but it's far less hassle.

If you don't want to browser your e-mail offline, Evolution can still accommodate
you. Since Web bugs work, by and large, by using tiny, 1x1 pixel GIFs, if you
could block those images, you'd be immune. Evolution has a setting that enables
you to prevent images from loading off the Internet. This is something that
none of the other e-mail clients I'm examining here offer. To use this feature,
go to "Tools", select "Mail Settings...", go to the "Display" tab, and check
next to the appropriate box.

Outlook and Outlook Express don't have Evolution's ability to block images selectively
from the Internet in your e-mail, but they do make it easy to go offline. Simply
go to the "File" menu and choose "Work Offline". Unfortunately, due to the way
Microsoft tied its e-mail programs and Internet Explorer together, your choice
to work offline in your e-mail program also prevents your Web browser from accessing
the Internet. Since Linux doesn't tie programs together in the way Microsoft
does, users of Evolution do not have that restriction. Of course, Windows users
who use the Mozilla or Netscape browsers also don't have that limitation. It's
possible to go offline in Outlook or Outlook Express and still use Netscape
to access the Web.

You can also go offline easily if you use Mozilla or Netscape to read e-mail.
In fact, you have two methods available. In the bottom right corner of the program
is a little icon, similar to the one in Evolution, that enables users to go
on- or offline with one click. Alternatively, you can choose the File menu,
then select "Offline" and highlight "Work Offline".

One caveat: if you go offline in Mozilla or Netscape e-mail programs, the Web
browser will also be taken offline. Since the e-mail program and browser are
really aspects of the same program, this makes sense. But it can still be annoying
if you find a Web address in an e-mail that you want to check out using your
Web browser.


Of course, the best way to protect the privacy of your e-mails as they travel
over the wires of the Internet is to use encryption. If you encode your email
messages, even if a spy got hold of them, he couldn't make sense of the gibberish
he'd have in front of him. Only those who have the proper "key" to decrypt your
e-mail messages will be able to read them. If you use strong enough encryption,
you can feel well protected.

There are many programs you could use, but there are two that bear particular
emphasis: PGP
(Pretty Good Privacy)
and GPG
(Gnu Privacy Guard)
, which is an open source replacement for
PGP. Both are free and incredibly powerful. Both are not that difficult to use.
And both support a wide variety of e-mail programs, including Outlook, Outlook
Express, Netscape, Eudora, or Evolution.

A lot of ink has been spilled on the subject of encryption, so we're not going
to recreate the wheel here. (The relevant links section at the bottom of this
article includes a number of useful resources on PGP.) It's no longer particularly
difficult to encrypt your e-mail. Just remember that the recipient of your message
has to be able to decrypt it, so they need to have installed and configured
an encryption program as well. The best way to learn how is to download PGP
or GPG, create your public and private keys, and send yourself an encrypted
test message. You'll be surprised how easy it really is, and you'll feel a lot


I'm not going to spend a lot of time on the problem of spam. I loathe spam,
and I'm not alone in my sense that it is increasing in quantity and obnoxiousness.
The standard advice concerning spam - never reply to it, create good filters,
and don't patronize companies that use spam - is sound, and I follow it myself.
And there are certainly many Web sites that can help fight against the flood
of junk mail we're finding in our inboxes; two such Web sites are spam.abuse.net
and CAUCE:
Coalition Against Unsolicited Commercial E-mail
. Remember, spam
is often a result of some sort of invasion of privacy, such as tracking which
Web sites a user has been visiting, and too often it uses the tricks I've detailed
above, such as Web bugs, to further threaten privacy.

Find Out Who's Selling Your Info

Even if you read and follow the advice given on anti-spam Web sites, you're
probably still going to get bitten. You're going to get junk e-mail. But wouldn't
it be nice to know who betrayed your information? Who sold your e-mail address?

Here's a tip that may help you. It won't work on every e-mail system, so you'll
need to test it first. But when it does work, it's a powerful way to find out
exactly what Web site sold you out.

Let's say a man's e-mail address is "bob.smith@widgets.com". Bob goes to The
New York Times
Web site and has to register in order to view
the content. In the box that requests his e-mail address, Bob enters the following:
"bob.smith+nyt@widgets.com". At the Slashdot
Web site, Bob uses "bob.smith+slashdot@widgets.com". At Real
Web site, he puts in "bob.smith+real@widgets.com". And
so on. Each time, he adds a plus sign, followed by a word describing the site,
after his e-mail username and before the "@" sign.

A couple of weeks later, Bob finds some spam offering him a cheap cell phone.
Bob groans ... more spam clogging up his inbox. But this time, Bob looks carefully
at the header of the e-mail to see to whom it was sent. Aha! It wasn't sent
to "bob.smith@widgets.com". Nope. Instead, it was sent to "bob.smith+real@widgets.com".
Real Media sold him out!

As you can see, this technique can help you pinpoint exactly how a spammer got
your e-mail address. At that point you can contact the company that sold your
e-mail and change some marketing preferences that enabled it to sell your address,
or you can choose to sever all ties with the company. The important thing is
that people at the company cannot deny your accusation, as you have concrete

There are two caveats about this trick. First, as I said above, it doesn't work
for all e-mail systems. So send yourself a test message first. Bob, for instance,
would send himself a message addressed to "bob.smith+test@widgets.com". If he
gets the message, great. Things should work fine. If he never gets the message,
maybe send one more, and if that one never arrives, assume that my technique
just isn't going to work, at least as long as he uses the e-mail hosting company
he's using.

The second caveat involves remembering what e-mail address you've used with
all those sites at which you've registered. If Bob ever wants to log back in
at The New York Times, he'll need to remember that the e-mail address he used
is "bob.smith+nyt@widgets.com" and not "bob.smith+times@widgets.com". If Bob
only registers at one or two sites, this won't be a problem. But if Bob is like
most people and has registered at many sites, he'll need to either develop an
ironclad system and stick to it, or keep a file on his computer that keeps track
of the e-mail addresses he's used at various Web sites. It's not a huge deal,
but it is something to think about. Many people find that the slight trouble
of keeping such files is more than outweighed by the advantage of knowing exactly
how their e-mail addresses are being used.


E-mail is important to all of us. It's convenient and powerful, and it helps
us communicate in ways that were unimaginable just a few short years ago. However,
we can't just assume that the e-mail programs we use will protect our privacy.
Instead, spend some time and make sure that e-mail, that most powerful of tools,
is working to benefit us in every way possible.

Privacy: General Internet Issues

Internet offers all of us unparalleled access to information, but it also brings
with it unique threats to our privacy.

Web Browser Settings

The Web browser is a tool many people use without ever really thinking about
how it can reveal information about them. If you use Internet Explorer version
5 or above, you should think about whether or not you wish to enable the AutoComplete
feature. Autocomplete allows IE to remember previous entries you've made for
Web addresses, forms, and even passwords. When you start to re-enter the same
information on subsequent visits, the Autocomplete feature will offer the complete
text, thus saving you the trouble of typing out text repeatedly. This undoubtedly
makes using IE easier; unfortunately, anyone sitting down at your computer will
be able to easily see where you've been on the Web and, worse yet, impersonate
you at Web sites that require you to input information. While some people find
the convenience worth the obvious risk, it's a tradeoff you need to weigh carefully.

If you want to disable AutoComplete, you need to go to two places. First of
all, open IE and select the Tools menu, then choose "Internet Options ..." and
the "Advanced" tab. Scroll down and uncheck the box next to "Use inline AutoComplete
for Web addresses".

Next, without closing the "Internet Options ..." dialog box, select the "Content"
tab and then the "AutoComplete ..." button. Here you check or uncheck the boxes
next to the items you want AutoComplete to remember: "Web addresses", "Forms",
and "User names and passwords on forms". If you decide to check next to "User
names and passwords on forms", make sure you also check "Prompt me to save passwords"
so you can tailor your choices for each Web site. Click "OK" to close the dialog
box, and you're done.

The other Web browser with substantial market share is Netscape
and the open source wunderkind it's based upon, Mozilla.
Netscape 6.2 , like Internet Explorer, will store your passwords if you'd like.
Simply open Netscape and select the Edit menu, choose "Preferences ...", then
"Privacy & Security", and "Passwords". Check or uncheck the box next to "Remember
passwords", depending upon your certainty that your machine is secured. If you
decide to enable "Remember passwords", make sure that you also check "Use encryption
when storing sensitive data" in order to prevent snoopers from accessing your
Netscape files, thereby gaining the keys to the kingdom. Furthermore, make sure
you use a good password, which will be discussed below.

Privacy policies

There are additional Internet privacy issues that users should be aware of,
such as privacy policies. Privacy policies are statements made by the owners
of the Web site stating what will and will not be done with the personal information
that users disclose when visiting that site.

If you want to reduce the amount of your personal information that is sold to
on-line advertisers - if you want, in other words, to lessen the data that marketers
gather about you - you need to read the privacy policies on the Web sites you
visit. I know this is tedious. I know many of them are written in a way that
normal human beings don't write. But it is vital, nonetheless.

Most importantly, keep up with the changes companies make in their privacy policies.
Businesses have a nasty habit of "revising" their policies in a way that benefit
them at the expense of their users.

Some Examples of Changing Policies

For instance, AOL
pulled a fast one
in November 1999. In early 1998, AOL unveiled
sweeping policies designed to preserve the privacy of its users. Among the options
detailed in the new policy was the ability for users to opt-out of direct marketing
pitches from AOL's partners, whether delivered via the Web, e-mail, postal mail,
or telephone. Eighteen months later, AOL sent a mass e-mail to its users informing
them that their "marketing preferences" were not permanent, as might be expected,
but would instead expire in a few weeks. If a user wanted to block the junk,
he would have stipulate this preference every year. If a user doesn't get around
to resetting preferences every year, then his settings are automatically set
to "Yes", as in: "Yes, please send me as much junk mail and telemarketer calls
as possible".

eBay has also engaged in this sort of chicanery. In January 2001, eBay sent
e-mails to thousands of customers, informing them of a newly
discovered bug
. When someone registers with eBay as a buyer or
seller, she has to fill out several screens of information. One of those screens
concerns whether the new eBay customer wants to receive e-mail and telephone
offers from eBay and its partners. The series of questions are supposed to default
to "Yes"; however, the bug eBay discovered had caused the default to set to
"No". Apparently panicked that some people were missing out on junk mail and
telemarketing calls, eBay helpfully reset
users' settings to "Yes"
and then sent the e-mails giving people
two weeks to change their settings.

Most recently, Yahoo has been embroiled in controversy since it "revised"
its' privacy policy
. In late March, Yahoo sent e-mails to the
millions of people who had registered to receive one service or another. At
the time they registered, users were asked once to state if they wished to accept
or reject marketing offers from Yahoo and related companies. Now, the e-mails
stated, users would have to choose "Yes" or "No" to a range of questions and
offers. Further, Yahoo had set every user's preferences to "Yes", even if a
user had previously said "No". Users would have sixty days to change their

Myco Supply - Distributors of Mycological Products

The Premiere Source for Mushroom Growing Supplies.
Visit us online or call us toll free

Post Extras: Print Post  Remind Me! Notify Moderator
Pot Head Pixie

Registered: 09/04/02
Posts: 863
Loc: the Oily Way...
Last seen: 13 years, 19 days
Re: Series on Protecting Your Privacy Online [Re: Lana]
    #1077464 - 11/22/02 07:03 PM (13 years, 10 months ago)

Thanks for posting this, security seems to be an increasing concern with 'ili Georgie Hitler and Big Brother Ashcroft seeking to assess every thought that passes through the collective conscious of Amerika now...probably unconscious too.

Post Extras: Print Post  Remind Me! Notify Moderator

Registered: 09/30/02
Posts: 136
Loc: NV, USA
Last seen: 11 years, 8 months
Re: Series on Protecting Your Privacy Online [Re: Lana]
    #1124327 - 12/09/02 11:01 AM (13 years, 10 months ago)

Very nice, but of course anyone interested in anonymity should take a good long look at +Fravia's pages.  The mirror of his old page (still updated) is http://tsehp.cjb.net and his new page is called  Searchlores.  You'll find a wealth of information about anonymity as well as other interesting topics (reverse engineering, coding, reality cracking, etc.).  I hope you like what you find...and anyone who is inspired -- welcome to the world of reverse engineering :smile:


Post Extras: Print Post  Remind Me! Notify Moderator
Jump to top. Pages: 1

General Interest >> Political Discussion

Similar ThreadsPosterViewsRepliesLast post
* U.S. Patriot Act Raises Canadian Privacy Fears KingOftheThing 390 1 10/04/04 11:06 AM
by ekomstop
* Right to Privacy and others not enumerated HagbardCeline 838 17 10/14/05 05:09 PM
by gregorio
* Privacy is not anonymous SeussA 506 5 11/12/07 05:22 PM
by johnm214
* How the government sidesteps the Privacy Act by purchasing commercial data MAIA 600 2 05/23/06 05:46 PM
by zappaisgod
* Abbas Vows to Protect Palestinian Gunmen
979 17 01/05/05 12:33 AM
by mabus
* possible WI state law to protect public breast-feeders MrBump 626 14 10/15/05 05:42 PM
by downforpot
* More FBI privacy violations confirmed zorbman 679 10 03/07/08 10:01 PM
by zorbman
* Patriot Act II, less security, privacy and freedom Ellis Dee 402 1 03/04/03 03:27 PM
by BowlKiller

Extra information
You cannot start new topics / You cannot reply to topics
HTML is disabled / BBCode is enabled
Moderator: Prisoner#1, Enlil
1,619 topic views. 0 members, 4 guests and 3 web crawlers are browsing this forum.
[ Toggle Favorite | Print Topic | Stats ]
Search this thread:
Crestline Sales - MycoPath
Please support our sponsors.

Copyright 1997-2016 Mind Media. Some rights reserved.

Generated in 0.268 seconds spending 0.004 seconds on 14 queries.