Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!
Hello Everyone, This is a collection of posts taken from Plural of Mongoose. This is a VERY good article which touches on MANY different level. My thanks to Plural of Mongoose for taking the time to write this up. Please know that this is a collection of posts. They are very long but easy to read.
By: Plural of Mongoose
A Four Part Series on Protecting Your Privacy Online (Long - 56K BEWARE!)
Part 1: Hardware
Part 2: Software
Part 3: Email
Part 4: Surfing the Net
Bibliography: Original sources for excerpts and related links
The majority of this is excerpted from SFOnline, with additional quotes from sources listed in the bibliography in the final post.
Securing Privacy: Hardware Issues.
When asked about efforts to combat the tracking of Internet users, Scott McNealy of Sun famously replied, "You have zero privacy anyway. Get over it." Despite McNealy?s flippant attitude towards privacy, it remains a highly contentious issue, with the potential to affect many aspects of individuals' personal and professional lives. Furthermore, the ability to protect their own proprietary information, and to ensure the protection of their customers' crucial data, may mean the difference between success and failure for many organizations.
While Internet users may not be able or entitled to control information about them that is held by third parties, they can still take steps to ensure the protection of their privacy. It's never too late to begin safeguarding your privacy. Let's first examine hardware-based privacy issues, specifically: hardware solutions for small networks and wireless devices, hardware-based spyware, and some attempts by hardware vendors to infringe upon users' privacy.
Hardware-Based Protection ? Firewalls and Routers
The point at which the Internet and a computer network meet form the perimeter, the key point of network defence. Even if there is only one computer in a SOHO (Small Office/Home Office) environment, that constitutes a network. In the military, sentries secure a perimeter by making sure anyone who wants to enter the area is supposed to be there. Networks require a sentry at their perimeter as well.
That's where a combination router-firewall comes in. Just as a firewall in a car protects the driver from any flames in the engine area, a firewall on a network protects the internal network from any unsolicited attempts to get inside. It's the sentry on the perimeter that won't let allow unauthorized traffic to pass.
A router is more difficult to explain. Let's say there are three separate computer users on a network. Each, working from his own computer, requests a different Web page. All three requests go out through the router at the same time and, a few seconds later, replies pour back in. Since information must be broken down into individual packets of data to travel over the Internet, and since those individual packets - hundreds or even thousands of them - can each take different paths, the packets from the three Web pages are all jumbled together as they stream back into your network. In the case of a network, a device called a router is responsible for guiding the packets to their destination: as it receives the flood of packets that the three users requested, it sends each packet to the appropriate computer.
Router-firewalls protect the privacy of small network users because they help to secure the network using a protocol called NAT (Network Address Translation). Basically, NAT hides the computers from the rest of the Internet and uses the router-firewall as a mediator for all communication to and from the Internet. If a cracker can't break into a the network, he can't rifle through the personal documents, financial records, or other vital information that resides on that network. Thus the confidentiality of the data stored on the computers on that network is secured.
The nice thing about router-firewalls is that they are operating system-independent. It doesn't matter if the network consists of Windows, Mac OS, & Linux computers - all will be protected by an efficiently guarded perimeter. Best of all, most SOHO devices can be bought for less than $100. Better yet, users can build their own router-firewall using an old computer, two Ethernet cards, and some software. There are a number of commercial solutions available for Windows users. Linux users, however, have a wealth of free options available to them. Check out the Linux Router Project, a version of Linux designed to fit on a floppy and turn an old computer into a fast, efficient router-firewall.
The wonderful new world of wireless is taking the networking world by storm. It's not surprising - the combination of a popular standard (802.11x), affordable prices, and the undeniable convenience of wireless networking has come together to produce phenomenal growth.
Unfortunately, there's a downside as well. The built-in security standard for 802.11x - WEP (Wired Equivalent Privacy) - has been criticized for poor effectiveness. Worse, 802.11x networks are being put into place that lack even basic security. There's even a popular and easy-to-use software tool for Windows called NetStumbler that searches for open wireless networks. In fact, the latest rage for crackers is war driving: cruising around in a car armed with a laptop, NetStumbler, and an antenna in order to look for unsecured wireless networks.
Should you be concerned? Well, if you live in the woods and no one comes near your house, you're probably safe. But the rest of us should be careful. Fortunately, there are several things you can do to batten down the hatches.
Wireless Security Solutions
Enable 128-bit WEP. It's not that effective, but it is something. Change the default password that comes with wireless router-firewalls (the "Access Point" in wireless-speak). Install software firewalls on all machines to help detect possible intrusions (more about this in the next article in this series). Audit your Access Point logs frequently to see who's using the network. Finally, and safest of all, consider requiring authentication to access and use the wireless network. (For a more in-depth discussion on securing wireless LANs, see Paul Sholtz's article in New Architect Magazine.
Wireless may have security problems now, but it's definitely the future, and wireless vendors now have an even more urgent economic interest in securing their products.
So far we've looked at hardware that protects users? security and privacy. But what about hardware that is deliberately designed to violate their privacy?
The next article in this series will look at software-based spyware, software that watches what users do and reports their actions back to its creators. However, hardware can act as spyware too. In fact, hardware-based spyware is even worse than the typical downloadable spyware. If a user finds out that a favorite file-sharing program has spyware built into it, he or she can just remove the software, remove the spyware (often after a protracted struggle with the Windows registry), and switch to another program that is spyware-free.
But what about spyware that's built into the computer?s processor? The network peripherals? Or the hard drive? "That's easy!" readers might think, "I just won't buy it! I'll use something else!" Unfortunately, things aren't that simple. If powerful interests have their way, privacy-violating hardware will be unavoidable. Worse yet, owning or using hardware that does not violate your privacy will be illegal.
The Pentium III
The modern era of hardware spying began with the Intel Pentium III. When Intel announced the Pentium III, it also announced a new "feature": every new CPU would include a unique ID number. Although Intel justified the number as a great new advance for e-commerce, privacy advocates pointed out the obvious: a unique ID number would make it easy for users to be tracked as they traveled the Internet. After widespread protests from consumers, and even members of Congress, Intel relented. The Pentium III shipped with a unique ID number, but it was turned off by default. Better still, by the time the Pentium IV was released in February 2000, the ID number was completely removed.
One type of spying device getting a lot of attention is the keylogger. These gizmos plug surreptitiously into a computer and track everything the user types. One type of keylogger is a small beige cylinder, just a few inches long, that looks like an extension to the PS/2 keyboard's cable. The person spying on the user unplugs the keyboard from the back of the PC, plugs the keylogger into the PS/2 port, and then plugs the keyboard into the keylogger. No software installation is required. At that point, the device begins logging everything the user types (since the PS/2 port is used, any operating system using PS/2 is vulnerable; USB keyboards, however, are still safe).
To view what you've been typing, the spy sits down at the computer, opens WordPad, and types a password, or he moves the keylogger from the victim's machine to his. It's that easy. These keylogging devices are definitely in use, and right now, the only cure is vigilance: if you suspect that you're a victim, check the back of your PC periodically, and make sure you trust your keyboard.
It should be stated that, in some cases, keystroke loggers have legitimate, legally accepted purposes, such as workplace monitoring (although the ethics and good business sense of this practice are very much open to debate).
Devices like keyloggers can be seen and easily removed. But what if your hard drive is the spy tool? This is the most dangerous scenario of all - your hard drive is absolutely fundamental to your computer, and it's also the main storage center for all of your files. If your hard drive is compromised, you have no recourse.
Unfortunately, this is precisely the scenario we're seeing come to life. In late 2000, the "4C Entity" ? a consortium consisting of Intel, IBM, Matsushita and Toshiba - proposed the "CPRM" extension to the ATA (Advanced Technology Attachment) standard that governs how hard drives work. CPRM (Content Protection for Recordable Media) would control how digital files are copied, moved, and deleted. The user?s hard drive would be digitally signed with a set of encrypted keys, and any attempts to manipulate files on the hard drive would require approval by a central server. If the user loses or damages the encrypted keys, he's out of luck. If he wants to view or copy a file that is controlled via CPRM, and his operating system doesn't support CPRM (think Linux), he's out of luck. If the user want to back up their data, but some third party doesn't want them to, he's out of luck.
After a firestorm of protest, the CPRM proposal for hard drives was withdrawn in February 2001. Unfortunately, while CPRM has been temporarily beaten back from hard drives, it continues its relentless march onto DVD media, smartphones, and SD cards. All DVD recordable discs now support CPRM for copy protection. Cell phones based around the Symbian OS are going to rely on CPRM to govern the behavior of removable SD cards. Microsoft has announced support for CPRM on SD cards through what it calls the "Windows Media Device Manager", which transfers Windows Media-encoded music files from your hard drive to your portable device. CPRM has not gone away - it has just moved to portable devices. We must keep an eye on CPRM to make sure that it is not re-introduced for hard drives.
Something even worse than CPRM is waiting in the wings. Senator Ernest Hollings (D-SC) has introduced the Consumer Broadband and Digital Television Promotion Act (CBDTPA) into the Senate (note that prior to its introduction into the Senate, Hollings' bill was known as the Security Systems Standards and Certification Act, or SSSCA, so if have trouble finding information about the CBDTPA, try searching for the SSSCA instead).The CBDTPA would mandate that a copy-protection standard be part of "any interactive digital device". VCRs, TVs, DVD players, stereo equipment, and especially computers - all would fall under the CBDTPA's reach. Users who disable the built-in copy-protections, or buy or sell a non-CBDTPA-covered device, will have broken the law and could face up to five years in jail and a $500,000 fine for a first offense.
With the CBDTPA in place, the big media companies will control how users use their personal computers. Under the rubric of "preventing piracy", the government will make it impossible for users to exercise their fair use rights to copy software they own for backup, tape an episode of "Friends" on their VCR to watch a week from now, or convert their music CDs into MP3's. Open source software will either be compromised by the forced inclusion of proprietary, source-secret copy protection schemes designed to work with CBDTPA-protected hardware, or it will be illegal. For all of this to work, the computers of private citizens will have to constantly monitor what the individual does and compare their actions against "rules" set up by someone else. The privacy implications of the CBDTPA are grave. (For more information on the CBDTPA and the efforts to fight it, visit The Electronic Frontier Foundation (EFF) or The Electronic Privacy Information Center.)
As computer users, we're in for a long, constant fight to safeguard our privacy. On our networks, we need to guard our perimeters with a router-firewall, especially if we network wirelessly. On our computers, we need to carefully look for any hardware that may be spying on us. And in the political arena, we have to work to protect our rights as consumers - even if the CBDTA goes down in defeat, it's obvious now that the large media companies and their lobbying organizations are determined to control us as stringently as possible. No one said that protecting your privacy was going to be easy ... but it can be done.
Securing Privacy: Software Issues
As we shall see, some software is designed to safeguard privacy, while other software seems designed to compromise it.
Firewalls are an important part of a privacy protection strategy because they prevent intruders from gaining access to valuable information that is stored on a computer. Now let's look at firewalls that run on individual computers. Known as personal, or PC, firewalls, these are different from hardware firewall-routers in several ways. The best PC firewalls track incoming and outgoing traffic, and allow users to set up rules governing what programs on the computer will be allowed to establish connections to the Internet. Best of all, many PC firewalls are free, although even if they are available commercially, prices tend to be reasonable.
There are many different personal firewalls available, for both Windows and Mac OS. Some of the better known ones are:
A brief note of caution for Windows XP users. Now that Microsoft has started bundling its "Internet Connection Firewall" into XP, these users might think that they don't need to look at any of these personal firewalls . However, ICF is not a particularly secure solution, as it only watches inbound connections and ignores outbound traffic. If a bad guy is attempting to scan a computer for vulnerabilities, it should be all right; however, a trojan may be installed - either unintentionally by the legitimate user, or intentionally by a malicious hacker - on that system. If the trojan attempts to phone home, ICF won't notify the user at all. Therefore, it is a good idea to simply turn off Microsoft's firewall and use one of the third-party personal firewalls listed above.
Common Characteristics of PC Firewalls
Certain things are common to nearly all PC firewalls. The fundamental task of all firewalls is to monitor all network traffic entering and leaving the protected computer. If suspicious traffic tries to enter the computer, it will be blocked and the user will be notified. On the other hand, when a program on the computer tries to send traffic out to the Internet, the user will be asked if he or she wishes to allow it. All PC firewalls allow the user to deny or approve the outgoing connection, and to make those settings permanent. Many also give additional details that can help the user track down anything suspicious.
PC firewalls typically allow the user to set rules governing network traffic. These rules can be set using a simple slider, for basic settings, or the user can specify granular parameters. A good PC firewall keeps logs about incoming and outgoing traffic, and allows users to examine those logs to look for patterns that can help them batten down the hatches if needed.
Linux Personal Firewalls
Some Linux users have an effective firewall built into their computers. While installing Red Hat, users are asked how they want to configure the firewall. They can configure the firewall further with Lokkit, which both a simple and a more feature specific interface. Be warned, however, that Lokkit is a pretty simple tool. If you need something more complicated on your Linux machine, you might want to look into ipchains and iptables. But no matter what you choose to use, the important thing is that you have a software firewall on your system. Without one, you are inviting potential disaster.
Personal Proxy Software
Even if users have firewalls installed, their privacy is not necessarily secured. While firewalls can keep nosy hackers out of users' systems, the Web-surfing habits of the user can be used to harvest a bounty of personal information. In addition to personal firewalls, users also need to install personal proxy software.
Proxy software examines all the packets coming in to the user's Web browser. As a new Web page is requested, the proxy examines the Web page's HTML, scripts, and graphics. At the same time, it checks the user's preferences so that it knows what he or she wants to view and what should be discarded. For instance, if the user tells the proxy that they don't want to view banner ads, the proxy will filter those ads out.
Some of the most common personal proxies are WebWasher (Windows, Linux, and Mac OS), Junkbusters (Windows and Linux), Guidescope (Windows, Linux, and Solaris), and AdSubtract (Windows). Each of these programs works differently. Some block ads based on the URL, path, or file name, and some base their filtering on dimensions (dimensions are easier to set up, but URLs are more precise). Some proxies have a Web-based interface for configuration, and some require the user to edit text files. Some of these tools provide extensive logging, and others provide just a summary of statistics (see below for an example of WebWasher's statistics). Some software provides advanced debugging tools that can really help the user figure out why something isn't working, and other software provides minimal debugging abilities. Most of the proxies mentioned are free, or available for a minimal charge.
The results of a personal proxy can be seen almost immediately. In particular, Web pages will load more quickly. But a proxy also protects the users privacy in the following ways:
A cookie is a small text file that a Web sites store on visitors' hard drives. Cookies store data about the user. They are intended to help the Web site remember information about the user, so that customized information can be presented to them the next time they visit. However, in some cases the data collected by data may be used for less legitimate purposes, such as creating profiles of users for targeted marketing. In some cases, companies sell this personal information for profit without the explicit knowledge or consent of the user.
Whether a cookie is good or bad may be a matter of perspective. For instance, I like getting cookies from The New York Times or Slashdot - they allow me to instantly log-in to www.nytimes.com and get personalized content at Slashdot. However, I don't like that DoubleClick, the giant Internet advertising company, is able to track me on all the sites on which it has placed banner ads. Proxies allow you to customize your cookie settings for each Web site, as I've done with The New York Times and Slashdot.
By filtering out advertising:
Advertising can compromise privacy because it allows the companies placing the ads to track users' movements across many Web sites. As a person visits each site, the banner ads silently gather information tracking users' trails. By blocking ads, they make it much harder for third parties to compile a record of their interests.
With a proxy, users don't ever need to see another banner ad. However, before filtering out all ads, users might want to consider that many Web sites depend on ads for revenue, so they shoud consider whether or not you want to filter out all ads. Some of the smarter proxies can filter out ads on most Web sites, while allowing ads on sites the user wishes to support.
By blocking pop-up and pop-under windows:
This can be a problem, however, on some sites such as Yahoo Mail, which uses a pop-up window for adding attachments to your e-mail, and Windows Update, which opens a popup window while it's checking your computer. Users will need to configure the proxy to ignore those Web sites that use pop-up windows they need.
By hiding the previous Web page visited:
Every time Internet users go from one Web page to another, the browser informs the new page of the previous page visited. This is required on some sites, especially search engines. By knowing where people have come from, a Web site can further target those other sites that consistently send it traffic. However, this information may also be used to compile profiles of users' browsing habits, data that can then be used for targetted marketing. Because of this, some people find referer information to be too revealing. Proxy software can help them hide their tracks.
By squishing "Web bugs":
Web bugs - also known as "clear GIFs", "1-by-1 GIFs", and "invisible GIFs" - are tiny graphics placed inside Web pages or e-mail messages in order to track information about the user. Many companies, like WebTrends Live, use Web bugs for their log analysis programs. However, some companies use Web bugs to track whether or not user have read an email or even forwarded it. Proxy software can remove Web bugs so that companies can no longer track the user without his or her knowledge.
A personal proxy can really help protect your privacy. After the proxy has been installed, you may want to make sure it's working. WebWasher has a test page available. Or, Steve Gibson's GRC Web site has a fascinating proxy test page that can be used to gauge a proxy's effectiveness. Just go to these pages and follow the instructions.
Once they've got a PC firewall and personal proxy installed, users will have much greater control over their privacy. However, their computers may already be running software that is revealing sensitive information about them ... and users may not even be aware that this software is running on their machine!
Software that works without the user's knowledge, or that obfuscates what it is doing, is known as "spyware", or "sneakware". Most of the time spyware gets onto a computer by piggybacking along with a program that was intentionally installed. For instance, Audio Galaxy is a popular filesharing program. In January of this year it was revealed that Audio Galaxy also installed the "VX2" program onto users' computers. VX2 tracks the Web sites that users visit and reports that information back to the company, which adds it to a database tracking each user. Worse yet, VX2 collects information from the on-line forms that users fill out. VX2 promises that it won't collect anything sensitive - like credit card numbers or passwords - but the only contact information available for the company is a Hotmail address and a PO box in Las Vegas. Does that make you feel safe? (Removal instructions for VX2 can be found at Counterexploitation)
On April 1, CNET reported that Kazaa, an incredibly popular filesharing program, had bundled software from Brilliant Digital Entertainment for several months. In fact, users could not install Kazaa without agreeing to also install Brilliant's software.
Brilliant revealed in a federal securities filing that its software was designed to link all the computers who had installed it into a new network called Altnet. Computers on this network would receive advertising, music, and other content from Brilliant's partners. In addition, Brilliant would make use of members' computers in order to run programs in a distributed computing system.
Kazaa and Brilliant argued that all the details were made available to users before they installed the programs, in a "terms of service" contract that users are required to read and agree to. This contract, however, is 2,644 words, and analysis has shown that it is written in an extremely confusing, complex manner. Most people simply click "I Agree" and don't read the terms.
(The controversy continues. Brilliant's CEO has tried to justify his company's actions. CNET published instructions detailing how to uninstall Brilliant's software. And in the latest turn, a new program called "Kazaa Lite" that provides access to Kazaa's filesharing network without having to install Brilliant's software has been developed by a Russian programmer known as "Yuri".)
There are Web sites that can help in the fight against spyware: Spychecker, Thiefware, and the colorfully named Scumware are a few of them.
Most spyware problems occur on Windows, but it is also an issue on Macs. However, Windows is the main battleground, and it's not surprising; after all, Windows is on at least 85% of the world's personal computers, so it's the main target for the unscrupulous providers of spyware. Fortunately, there's free software available for Windows that will check for spyware, and remove any that it finds, called Ad-aware. After Ad-aware finishes scanning the computer, it lists any spyware it finds. Users can check the boxes next to the spyware they would like to remove, click "Continue", and they're done.
One note of caution: some programs may cease functioning if their spyware is removed. In this case, users simply need to click the "Backup" button in Ad-aware before removing the spyware. If the software no longer works after the removal of the spyware, it can easily be restored. Of course, a better long-term solution might be to look for different software that doesn't act as spyware.
Users who download and install a lot of software should run Ad-aware every couple of weeks. Otherwise, every month or so would probably be fine.
Update the OS and Software
New spyware comes out all the time, so Ad-aware constantly updates its database. If you want Ad-aware to be as effective as possible, download new versions regularly from Lavasoft.
This is true for pretty much all software. If you want to secure your privacy, you need to keep your software up to date. First, new vulnerabilities are discovered in software constantly, and they could compromise your privacy. Second, software like ZoneAlarm and Ad-aware is constantly being improved, and you need to keep up with those improvements.
For users who are running Macs, Apple makes updating its system software easy. Users running OS X simply need to open System Preferences in the Apple menu and select "Software Update". They can then connect to Apple's servers, check to see if there are any updates, and then make their choices.
Microsoft's Windows Update has been available ever since Windows 98. To use it, users just need to open Internet Explorer (they must use IE - Windows Update requires technologies built into IE, so it won't work with Netscape), go to the "Tools" menu, and choose "Windows Update". After the page finishes loading, they can choose "Product Updates", make their choices, click "Download", and Windows Update will download and install everything. It's pretty painless. Unfortunately, Microsoft doesn't give users a lot of information about exactly what it's doing to their system, but Windows Update is still required for Microsoft operating systems. Users need to read the updates and ensure that they actually need them before downloading.
Linux and Red Carpet
People who use Linux have a wealth of options available to them. One of the best reasons to install Ximian GNOME, which runs on a variety of Linux distributions, is Red Carpet. Red Carpet is like Windows Update, but it gives the user far more information. For each item that can be downloaded, Red Carpet displays the currently installed version number, the requested version number, a summary, a full description, required files, and provided files. It will also resolve dependencies, and inform the user if there are any key updates needed for security purposes.
According to research conducted by Neilson NetRatings, e-mail is by far the most widely used application on the Internet. Unfortunately, e-mail should also be of great concern to people concerned about privacy.
If you asked most people what program they use the most each day, it's probably their e-mail client. For most Windows users, this means Outlook or Outlook Express (OE). This is problematic, of course, since out of the box both programs are dreadfully insecure. Fortunately, there are things that users can do to protect their privacy when using Microsoft's e-mail clients. Please note that I'm only going to cover aspects of these programs that directly pertain to privacy; going over the security aspects of Outlook and OE would require an article by itself.
Web Bugs in E-Mail
The biggest privacy danger to e-mail users is that of Web Bugs. Basically, a Web bug is a tiny invisible GIF image that a spammer or marketer (often the same thing) places into an HTML-formatted e-mail. With the Web bug, the spammer can tell when the recipient of the e-mail opens it because his server will track a hit when the Web bug is viewed, this lets him know that he has a live address. In addition, the spammer can also track if the recipient forwards the e-mail and when the new recipient opens the e-mail as well, thus gauging the effectiveness of the spam. Finally, the IP address of all readers of the e-mail can be transmitted to the spammer, which helps him link an e-mail address to a specific machine on the Internet.
The Preview Pane
There are several steps that e-mail users can take to block Web bugs; as an added bonus, some of these steps will help curb (but not prevent) the spread of viruses, something Outlook and OE make far too easy. First of all, turn off the Preview Pane function in Outlook. If the Preview Pane is on, a Web bug may be activated as soon as you select the e-mail from the list of messages in your inbox. To turn the Preview Pane off in Outlook, go to the View menu and uncheck "Preview Pane".
Do the same thing if you're using Evolution for Linux. If you're using Outlook Express, choose the View menu, then select "Layout ..." in order to open the Window Layout Properties dialog box. Uncheck the box next to "Show preview pane".
Finally, if you're using either the Mozilla or the Netscape e-mail program, choose the View menu, go to "Show/Hide", and then disable "Message Pane".
But wait, you're still not done! Now click the "Zone Settings ..."; button. A warning box will open informing you that you are about to change settings that will affect Outlook, Outlook Express, and Internet Explorer. Since we know that, click "OK". In the "Security" window that will open next, choose "Restricted Sites". Click the "Custom Level ..." button. Once the Security Settings window has opened, scroll down to "Active Scripting" and make sure that "Disable" is chosen. Click "OK" to close "Security Settings", click "OK" to close the Security window, click "OK" to close the Options window, and you're finally done.
If you use Outlook Express, the process is similar - after all, you're working with the same parts of the operating system that I described above for Outlook - but since this is Microsoft and everything has to have a different user interface, things are a bit different. Start by selecting the Tools menu, then "Options" and then select the "Security" tab. In the Security Zones section, select "Restricted Sites Zone (More secure)".
Now we need to set the Zone settings. Open "Control Panel" and choose "Internet Options". Click on the Security tab and choose "Restricted Sites". Click the "Custom Level ..." button. Once the "Security Settings" window has opened, scroll down to "Active Scripting"and make sure that "Disable"is chosen. Click OK to close "Security Settings", click OK to close the "Internet Properties"control panel, and you're finally done.
The best way to stop Web bugs in their tracks is to read your e-mail while you're not connected to the Internet. After all, if a Web bug can't send information back to the mothership that spawned it, then it's useless. If you're connecting to the Internet via a dial-up modem, going offline is easy - just disconnect. If you're using broadband, like DSL or a cable modem, it's more complicated, but you can do it. However, do you really want to have to disconnect every time you read e-mail, and then reconnect when you're finished? If you're using a modem, the wait can be interminable.
Fortunately, there's a better solution. Several e-mail clients allow you to take the program offline without taking the entire computer offline. This allows you to read e-mail and reconnect immediately again as needed. You get the same effect as a disconnection, but it's far less hassle.
If you don't want to browser your e-mail offline, Evolution can still accommodate you. Since Web bugs work, by and large, by using tiny, 1x1 pixel GIFs, if you could block those images, you'd be immune. Evolution has a setting that enables you to prevent images from loading off the Internet. This is something that none of the other e-mail clients I'm examining here offer. To use this feature, go to "Tools", select "Mail Settings...", go to the "Display" tab, and check next to the appropriate box.
Outlook and Outlook Express don't have Evolution's ability to block images selectively from the Internet in your e-mail, but they do make it easy to go offline. Simply go to the "File" menu and choose "Work Offline". Unfortunately, due to the way Microsoft tied its e-mail programs and Internet Explorer together, your choice to work offline in your e-mail program also prevents your Web browser from accessing the Internet. Since Linux doesn't tie programs together in the way Microsoft does, users of Evolution do not have that restriction. Of course, Windows users who use the Mozilla or Netscape browsers also don't have that limitation. It's possible to go offline in Outlook or Outlook Express and still use Netscape to access the Web.
You can also go offline easily if you use Mozilla or Netscape to read e-mail. In fact, you have two methods available. In the bottom right corner of the program is a little icon, similar to the one in Evolution, that enables users to go on- or offline with one click. Alternatively, you can choose the File menu, then select "Offline" and highlight "Work Offline".
One caveat: if you go offline in Mozilla or Netscape e-mail programs, the Web browser will also be taken offline. Since the e-mail program and browser are really aspects of the same program, this makes sense. But it can still be annoying if you find a Web address in an e-mail that you want to check out using your Web browser.
Of course, the best way to protect the privacy of your e-mails as they travel over the wires of the Internet is to use encryption. If you encode your email messages, even if a spy got hold of them, he couldn't make sense of the gibberish he'd have in front of him. Only those who have the proper "key" to decrypt your e-mail messages will be able to read them. If you use strong enough encryption, you can feel well protected.
There are many programs you could use, but there are two that bear particular emphasis: PGP (Pretty Good Privacy) and GPG (Gnu Privacy Guard), which is an open source replacement for PGP. Both are free and incredibly powerful. Both are not that difficult to use. And both support a wide variety of e-mail programs, including Outlook, Outlook Express, Netscape, Eudora, or Evolution.
A lot of ink has been spilled on the subject of encryption, so we're not going to recreate the wheel here. (The relevant links section at the bottom of this article includes a number of useful resources on PGP.) It's no longer particularly difficult to encrypt your e-mail. Just remember that the recipient of your message has to be able to decrypt it, so they need to have installed and configured an encryption program as well. The best way to learn how is to download PGP or GPG, create your public and private keys, and send yourself an encrypted test message. You'll be surprised how easy it really is, and you'll feel a lot safer.
I'm not going to spend a lot of time on the problem of spam. I loathe spam, and I'm not alone in my sense that it is increasing in quantity and obnoxiousness. The standard advice concerning spam - never reply to it, create good filters, and don't patronize companies that use spam - is sound, and I follow it myself. And there are certainly many Web sites that can help fight against the flood of junk mail we're finding in our inboxes; two such Web sites are spam.abuse.net and CAUCE: Coalition Against Unsolicited Commercial E-mail. Remember, spam is often a result of some sort of invasion of privacy, such as tracking which Web sites a user has been visiting, and too often it uses the tricks I've detailed above, such as Web bugs, to further threaten privacy.
Find Out Who's Selling Your Info
Even if you read and follow the advice given on anti-spam Web sites, you're probably still going to get bitten. You're going to get junk e-mail. But wouldn't it be nice to know who betrayed your information? Who sold your e-mail address?
Here's a tip that may help you. It won't work on every e-mail system, so you'll need to test it first. But when it does work, it's a powerful way to find out exactly what Web site sold you out.
Let's say a man's e-mail address is "firstname.lastname@example.org". Bob goes to The New York Times Web site and has to register in order to view the content. In the box that requests his e-mail address, Bob enters the following: "email@example.com". At the Slashdot Web site, Bob uses "firstname.lastname@example.org". At Real Media's Web site, he puts in "email@example.com". And so on. Each time, he adds a plus sign, followed by a word describing the site, after his e-mail username and before the "@" sign.
A couple of weeks later, Bob finds some spam offering him a cheap cell phone. Bob groans ... more spam clogging up his inbox. But this time, Bob looks carefully at the header of the e-mail to see to whom it was sent. Aha! It wasn't sent to "firstname.lastname@example.org". Nope. Instead, it was sent to "email@example.com". Real Media sold him out!
As you can see, this technique can help you pinpoint exactly how a spammer got your e-mail address. At that point you can contact the company that sold your e-mail and change some marketing preferences that enabled it to sell your address, or you can choose to sever all ties with the company. The important thing is that people at the company cannot deny your accusation, as you have concrete proof.
There are two caveats about this trick. First, as I said above, it doesn't work for all e-mail systems. So send yourself a test message first. Bob, for instance, would send himself a message addressed to "firstname.lastname@example.org". If he gets the message, great. Things should work fine. If he never gets the message, maybe send one more, and if that one never arrives, assume that my technique just isn't going to work, at least as long as he uses the e-mail hosting company he's using.
The second caveat involves remembering what e-mail address you've used with all those sites at which you've registered. If Bob ever wants to log back in at The New York Times, he'll need to remember that the e-mail address he used is "email@example.com" and not "firstname.lastname@example.org". If Bob only registers at one or two sites, this won't be a problem. But if Bob is like most people and has registered at many sites, he'll need to either develop an ironclad system and stick to it, or keep a file on his computer that keeps track of the e-mail addresses he's used at various Web sites. It's not a huge deal, but it is something to think about. Many people find that the slight trouble of keeping such files is more than outweighed by the advantage of knowing exactly how their e-mail addresses are being used.
E-mail is important to all of us. It's convenient and powerful, and it helps us communicate in ways that were unimaginable just a few short years ago. However, we can't just assume that the e-mail programs we use will protect our privacy. Instead, spend some time and make sure that e-mail, that most powerful of tools, is working to benefit us in every way possible.
Securing Privacy: General Internet Issues
The Internet offers all of us unparalleled access to information, but it also brings with it unique threats to our privacy.
Web Browser Settings
The Web browser is a tool many people use without ever really thinking about how it can reveal information about them. If you use Internet Explorer version 5 or above, you should think about whether or not you wish to enable the AutoComplete feature. Autocomplete allows IE to remember previous entries you've made for Web addresses, forms, and even passwords. When you start to re-enter the same information on subsequent visits, the Autocomplete feature will offer the complete text, thus saving you the trouble of typing out text repeatedly. This undoubtedly makes using IE easier; unfortunately, anyone sitting down at your computer will be able to easily see where you've been on the Web and, worse yet, impersonate you at Web sites that require you to input information. While some people find the convenience worth the obvious risk, it's a tradeoff you need to weigh carefully.
If you want to disable AutoComplete, you need to go to two places. First of all, open IE and select the Tools menu, then choose "Internet Options ..." and the "Advanced" tab. Scroll down and uncheck the box next to "Use inline AutoComplete for Web addresses".
Next, without closing the "Internet Options ..." dialog box, select the "Content" tab and then the "AutoComplete ..." button. Here you check or uncheck the boxes next to the items you want AutoComplete to remember: "Web addresses", "Forms", and "User names and passwords on forms". If you decide to check next to "User names and passwords on forms", make sure you also check "Prompt me to save passwords" so you can tailor your choices for each Web site. Click "OK" to close the dialog box, and you're done.
The other Web browser with substantial market share is Netscape and the open source wunderkind it's based upon, Mozilla. Netscape 6.2 , like Internet Explorer, will store your passwords if you'd like. Simply open Netscape and select the Edit menu, choose "Preferences ...", then "Privacy & Security", and "Passwords". Check or uncheck the box next to "Remember passwords", depending upon your certainty that your machine is secured. If you decide to enable "Remember passwords", make sure that you also check "Use encryption when storing sensitive data" in order to prevent snoopers from accessing your Netscape files, thereby gaining the keys to the kingdom. Furthermore, make sure you use a good password, which will be discussed below.
There are additional Internet privacy issues that users should be aware of, such as privacy policies. Privacy policies are statements made by the owners of the Web site stating what will and will not be done with the personal information that users disclose when visiting that site.
If you want to reduce the amount of your personal information that is sold to on-line advertisers - if you want, in other words, to lessen the data that marketers gather about you - you need to read the privacy policies on the Web sites you visit. I know this is tedious. I know many of them are written in a way that normal human beings don't write. But it is vital, nonetheless.
Most importantly, keep up with the changes companies make in their privacy policies. Businesses have a nasty habit of "revising" their policies in a way that benefit them at the expense of their users.
Some Examples of Changing Policies
For instance, AOL pulled a fast one in November 1999. In early 1998, AOL unveiled sweeping policies designed to preserve the privacy of its users. Among the options detailed in the new policy was the ability for users to opt-out of direct marketing pitches from AOL's partners, whether delivered via the Web, e-mail, postal mail, or telephone. Eighteen months later, AOL sent a mass e-mail to its users informing them that their "marketing preferences" were not permanent, as might be expected, but would instead expire in a few weeks. If a user wanted to block the junk, he would have stipulate this preference every year. If a user doesn't get around to resetting preferences every year, then his settings are automatically set to "Yes", as in: "Yes, please send me as much junk mail and telemarketer calls as possible".
eBay has also engaged in this sort of chicanery. In January 2001, eBay sent e-mails to thousands of customers, informing them of a newly discovered bug. When someone registers with eBay as a buyer or seller, she has to fill out several screens of information. One of those screens concerns whether the new eBay customer wants to receive e-mail and telephone offers from eBay and its partners. The series of questions are supposed to default to "Yes"; however, the bug eBay discovered had caused the default to set to "No". Apparently panicked that some people were missing out on junk mail and telemarketing calls, eBay helpfully reset users' settings to "Yes" and then sent the e-mails giving people two weeks to change their settings.
Thanks for posting this, security seems to be an increasing concern with 'ili Georgie Hitler and Big Brother Ashcroft seeking to assess every thought that passes through the collective conscious of Amerika now...probably unconscious too.
Very nice, but of course anyone interested in anonymity should take a good long look at +Fravia's pages. The mirror of his old page (still updated) is http://tsehp.cjb.net and his new page is called Searchlores. You'll find a wealth of information about anonymity as well as other interesting topics (reverse engineering, coding, reality cracking, etc.). I hope you like what you find...and anyone who is inspired -- welcome to the world of reverse engineering
You cannot start new topics / You cannot reply to topics HTML is disabled / BBCode is enabled
Moderator: Enlil 1,914 topic views. 2 members, 2 guests and 4 web crawlers are browsing this forum.
[ Toggle Favorite | Print Topic | Stats ]