TalkBack 14 of 15:
so many stupid replies...
I have read the responses in this blog and I cannot believe that people say the incredibly stupid things that they do. Web Bugs, collecting dossiers of personal info, invasion of privacy. You people are vividly displaying your complete ignorance of how web servers and the internet in general work. On top of this you leverage this complete ignorance to scream about how laws should be made and how everyone in the Bush administration is violating civil rights.

GET THE FACTS BEFORE YOU COMPLAIN AND ***** ! ! !

Every web server on the planet gets your IP address. Not from cookies. Not from Web Bugs. It is sent to the web server by your own computer as part of your request for a web page. It is part of what is called a request header. If the web server does not have this information, then how in hell does it know where to send the page you requested? The web would not work if this were not part of its fundamental design.

If you are really, really, really worried about this little fact of life, then use an anonymous proxy server to do your web surfing like all the kiddie porn guys do when they want to keep their IPs a secret.

If it were me, I would be more worried about these very proxy servers than any visit I might make to the White House website. Why? Well, it should be obvious. Most people involved in nefarious activities who don't want to be tracked, use these very servers. If I were law enforcement and I wanted to see the IP addresses of people surfing kiddie porn, I would set up a number of these proxy servers and make them available for people to use. Traditional honey pot operation.

What would I do with these IP addresses? I would see what sites that people are viewing and if they happen to be kiddie porn sites, then I would get a warrant and use your IP address to find out who you are by getting this information from your internet service provider. The real world problem is that getting a warrant in this way is next to impossible. Why? Because my honey pot operation would be considered illegal and no judge would issue one. Without a warrant, your internet provider would never divulge your personal info to me so the whole concept is basically moot.

Now for the idea of Web Bugs spying on you. A one by one pixel is just an image. Nothing more. Why it is considered a bug is that the image is located on a webserver. As part of a webpage that you visit, this image is requested by your browser so it can include it as part of the page you are looking at. This request is comprised of the URL for the image as well as the header information your computer sends out. It is this header info that the webserver that hosts the image is interested in. I will divulge what this header is comprised of and why they want it and the limitations of what each piece of header info reveals about yourself.

1) Your IP address. This can be looked up against a standard table to see where you are surfing from in terms of geographical region. This allows the web server (such as Google with their ad words) to deliver ads from merchants in your area. Much more effective and economical than throwing just any old ad at you. They might also be interested in simply doing a statistical analysis of what parts of the country people are coming to their site from so as to gauge the effectiveness of their own advertising campaigns. Standard business practice, nothing more.

2) The type of browser you are using. Web Trends does this to see just how many people are using what types of browsers. Very important in determining how one writes the very HTML for the web pages you are looking at. Because of this valuable information, most webmasters now know to not waste time writing pages that support Netscape 4.7 which has been officially declared dead as less than .1% of the surfing audience uses this browser.

3) Your operating system. Pretty much the same reason as for the browser info. A particular browser might display a page one way under one OS and differently under another OS. Good webmasters will want to know this so they can effectively create pages that all can properly see. I am a webmaster and I have 4 PCs set up - Win98SE, Win XP-SP2, Mac OS9, and Mac OSX with a total of 12 browsers installed on these machines. I do this so I can check my work on every type of system possible (no linux, sorry). It is a result of knowing the OS and browser that people are using that allows me to maintain these same setups in my office so I can be sure that I am properly building and maintaining websites for my customers. Failure to do so would be short sighted on my part.

4) If an image is called by a short string of javascript, then the server knows you have javascripting turned on. Duh! This can also reveal the version of javascript your browser supports. This is essential in making sure a webmaster's javascript code is properly displaying and providing the intended functionality that the webpage is designed for. Javascript is inherently secure and well designed. I have never heard of a single exploit where javascripting was used to capture and reveal personal info to anyone, hacker or otherwise. Active-X controls? Well, that's another story. Just turn that sucker off and you don't have to worry about it.

5) If an image is called as a result of a hidden "no javascript" tag, then the server knows you don't have javascripting turned on. No rocket science here - straightforward textbook html.

6) Referring document. If you go to a webpage as a result of clicking a link in another webpage, the referring webpage's web address is sent to the server of the new page in question. This is very useful in determining whether people are coming from within your own site or are coming from a site where you are paying for a banner ad put there. If you see that a site where you are paying for ad space on is claiming that they sent you 3,000 hits but your records show that only 53 people came from there (using the referring doc info) then you know you are getting screwed out of your advertising dollars. Also, let's say that you have a page that you don't want to display unless people have been to another page on your site just prior, you can make this determination as well. There are actually lots of security reasons that you might want to do this but I won't go into that here.

Notice how much I am able to do w/o cookies or Web Bugs at all? If you object to this, you might as well stop surfing the net and go play outside.

7) Cookies. Cookies are small pieces of text placed by the webserver onto your computer. If you are curious as to what info is in them, all you have to do is to set your browser to confirm all cookies before accepting them. Cookies are NOT small programs. They are not scripts or any other form of code, malicious or otherwise. The website setting them can ONLY retrieve those very cookies that they have set. No website on the planet can retrieve cookies set by another website. Browsers are deliberately created to enforce this security.

Cookies are an essential part of delivering website functionality. Without them all the sites that you go shopping at or post messages to or any other site that has more than static pages in it would not work as well as they do. Plain and simple.

The most common misconception about cookies is that webservers can read them to find out your email address, SS number, bank account info, what other sites you have been surfing, login information for these other sites, and other pieces of personal information, none of which is true. IT IS A PHYSICAL IMPOSSIBILITY!

This is as far fetched as the myth that your computer monitor is able to see what you are doing and send these images back to some secret hacking base for purposes unknown. You might as well go about believing that you can cover your head in tin foil so the aliens won't read your thoughts!

Bottom line is that cookies, IP header information and Web Bugs cannot divulge personal information about you, not unless you deliberately enter this information into a webform and submit it. Every webmaster knows this. Every now and then I get a customer who asks me to make a webpage that will harvest people's email addresses and names and I tell them that this is impossible unless I were to write an actual virus for this purpose. Then I would have to take advantage of some sort of unpatched security hole in people's PCs such as the Windows .wmf vulnerability or using Active-X controls. I also tell them that this is also totally against the law and that they had better forget about ever doing this, at least with my work.

To date I have never heard of anyone - anywhere - ever using cookies to hack into a person's system or being able to use cookies to see what other sites you like to go to or to get your passwords to your bank accounts or any such thing. This is the domain of spyware, adware, viruses, trojans, worms, etc... These security issues are not caused by IP header information, Web Bugs, or cookies. Until such time that someone figures a way to exploit cookies or Web Bugs to a hacker's advantage, I suggest attention be focused on the real problems that face us today and not on imaginary witch hunts that simply have no basis in fact.

The real unfortunate thing is that all too many people make decisions and express opinions based on "what they heard" or "what they read" and they never bother to properly investigate whether these little snippets of info have any real basis in fact. Using unsound information as a basis for expressing political opinions or passing law is just plain primitive and ignorant. Once upon a time people (the church in particular) thought the world was flat and opinions to the contrary most often were met with severe punishment if not death. The sad fact is that we still live these types of lies today every time someone accuses the government of this and that when they don't have any real clue as to what they are talking about.

A misinformed public is every bit as dangerous as the government that they elect!
Posted by: cppsolutions   Posted on: 01/06/06
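
As an added illustration, not part of the post above: a Python sketch of what a server hosting a one-pixel image can record from a single request, covering the items the post lists (IP address, browser, operating system, referring document, cookies). The request bytes, host names, address and function names are constructed for this example.

```python
# Added illustration: what a server hosting a 1x1 image can record from one request.
# The request bytes, host names and address below are constructed sample data.
from http.cookies import SimpleCookie

SAMPLE_PEER = ("203.0.113.7", 51234)  # constructed; supplied by the TCP connection
SAMPLE_REQUEST = (
    b"GET /pixel.gif?page=home HTTP/1.1\r\n"
    b"Host: stats.example.net\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5\r\n"
    b"Referer: http://www.example.org/news/index.html\r\n"
    b"Cookie: visitor=abc123\r\n"
    b"\r\n"
)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def guess_os(user_agent: str) -> str:
    """Rough OS guess from the User-Agent string, as log analyzers do."""
    for token, label in (("Windows NT 5.1", "Windows XP"), ("Windows 98", "Windows 98"),
                         ("Mac OS X", "Mac OS X"), ("Linux", "Linux")):
        if token in user_agent:
            return label
    return "unknown"

def pixel_log_record(peer, raw: bytes) -> dict:
    """Everything the image host learns from this single request."""
    _method, target, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    cookies = SimpleCookie(headers.get("cookie", ""))
    return {
        "ip": peer[0],
        "target": target,
        "user_agent": ua,
        "os_guess": guess_os(ua),
        "referer": headers.get("referer"),  # None when the browser omits it
        "cookies": {k: m.value for k, m in cookies.items()},
    }

if __name__ == "__main__":
    for field, value in pixel_log_record(SAMPLE_PEER, SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```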
