|
|
|
Who controls your desktop?
Late last year I had a call from Waikato Times reporter Jon Stokes. He wanted to talk to me about porn. Of course I denied everything and threatened to sue. “No, no,” said Stokes, “this is about a scam.”
Late last year I had a call from Waikato Times reporter Jon Stokes. He wanted to talk to me about porn. Of course I denied everything and threatened to sue. “No, no,” said Stokes, “this is about a scam.”
It seems that some of his readers had been caught out by a local variation of a tried and tested overseas con: the “porn finder”. It works like this: the casual internet user is told they’ll be able to access all sorts of smut if they download and run a special browsing accessory. The program, typically 10 or 20KB, downloads and installs in seconds. A double-click and you’re off. Internet Explorer has a new, raunchy homepage and there are dozens of links — filth heaven.
But behind the scenes the dialup connection to your ISP has been quietly dropped and substituted with a connection to an 0900 number. At $2.99 a minute — plus GST.
The number, owned by Auckland firm Oneseek New Zealand, returns an obligatory message about the cost of the call if you dial it from a phone. But of course you won’t hear that from a modem. And when the bill arrives, most people are too embarrassed to complain.
I told Jon I’d heard of the trick but this was the first time I’d seen it used in New Zealand. I sighed as I put down the receiver. Just another skirmish in the Battle for Your Desktop.
Front 1: The Battle for Information
The Stasi, the East German secret police, collected detailed information on more than four million of its citizens — around a quarter of the population. The problem was this information was on paper, in vast warehouses, trapped inside binders and manilla folders. Searching for possible dissenters, drawing conclusions from the interests, activities and associations of four million comrades required a lot of time, an army of clerks and luck. It would have all been a great deal easier if the citizens had had web browser-equipped PCs.
The personal computer is unique amongst all our tools in the amount of information it acquires about us. I’m not talking about your diary, your company’s spreadsheet or the pictures of your kids. At best they have limited commercial value. It’s more subtle than that.
If browsers do one thing above all others it’s to reflect the interests of the person at the keyboard. If, next week, you develop a passion for cricket or crochet your browser may well be the first to know of it. To appreciate what I’m getting at, consider the following three surfers. What conclusions can you draw about each based purely on the last sites they visited?
| Surfer #1 harrypotter.com mcdonalds.co.nz barbie.com | Surfer #2 pcworld.co.nz intel.com pricespy.co.nz | Surfer #3 antiques.com sharechat.co.nz retirement.org.nz |
Powerful, isn’t it? Not only does this information highlight the individual’s interests, but it’s also possible to draw conclusions about the surfer’s age, background, socio-economic status and even sex.
The world wide web was born in 1990. In October ‘94 the first web advertisement appeared. Shortly after that the tracking of individual surfers commenced.
There’s nothing outwardly sinister about it. The aim is simply to associate your interests with what others have to advertise. No point in bugging Surfer #1 with offers of cheap car loans, for example. The sheer brilliance of this is that not only is the system dynamic — as a user’s interests change so do their ads — but the more they browse, the more precisely you can hone your their profiles. The Stasi would have loved it!
Persistent Client-State HTTP files — or “cookies” as they became known — are tiny text files that do just that. The web’s designers built in strict rules governing their use. Site A could never access Site B’s cookies for example. But they missed one vital point.
What if, the ad men posited, Site A takes some of its content from Site Z? It would, very briefly, be just as if the user had connected to that second site directly. Site Z could then lay a cookie of its own. A kind of cuckoo cookie if you like.
But the real clincher is to affiliate Site Z to hundreds, thousands, even millions of websites. Jo User visits Site A and gets a Site Z cookie — big deal. But then she visits Sites J, Q and T all of which are also Site Z affiliates. Site Z is now effectively tracking her from place to place. It has a record of everywhere she’s been.
Cookies aren’t the only concern: an apparently ad-free site can still be communicating with others through the use of invisible 1 x 1 pixel graphics. The process is the same. Site A connects with Site Z to fulfil its request for the tiny image giving Site Z a direct connection to the user’s machine. These graphics, called “web bugs”, can even be inserted into email messages and Word documents to track exactly where they go. The profiling business has become ever more sophisticated. By tempting developers of shareware and freeware with hard cash, advertising companies have been able add hidden tools to track surfing habits, record shopping preferences and even use the user’s email account to secretly “phone home” with the results. A February 2003 survey found one in three European companies to be infested with these sneaks. Users who never give license agreements a second glance are often surprised to discover they and their computers are working for third-parties. One of the world’s most popular peer-to-peer music sharing programs, KaZaa, is so heavily infested with these trackers that disgruntled users have created their own version, KaZaaLite, billed as “KaZaa Without the Shit!”
Front 2: The Battle for control
One of the first mainstream software spies was Windows 95. Users upgrading from Windows 3.1 were given the choice — via the newly introduced Registration Wizard — of whether or not to send Microsoft information about every application on their PC. It didn’t matter whether you chose Yes or No, tests proved the information went regardless.
The developers claimed it was a bug. These days the convicted monopolist is more overt. License agreements for the latest fixes to XP and Windows 2000 — Service Packs 1 and 3 respectively — force users to accept online snooping before they can even begin patching their systems:
By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.
The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
Similar clauses have been introduced to the usage agreement for Windows Update. Ostensibly for automatic bug fixing and license control, these clauses are disturbingly vague. One paragraph talks of providing customised services and technologies, the next about automatically downloading them. Is the user to have no say in the matter? Notice too the subtle shift from proving guilt to proving innocence. All users are now considered software pirates until Microsoft confirms they aren’t.
Since Redmond started flexing the right-to-snoop muscle, dozens of other have other software makers have followed suit. Here’s a clause from Muvee AutoProducer’s licence:
By installing The Software you grant Muvee Technologies Pte. Ltd. the right to access, store, and transmit system information concerning the hardware and software configuration of your computer.
Again, disturbingly vague. Just what constitutes a computer’s “configuration”? Does it go further than the CPU, video card and RAM? Does it include user names, email addresses and other personal details? And what guarantees can Muvee or Microsoft provide that these access portals won’t be abused, either deliberately or by accident? How secure are they? What recompense will users be offered if an automatic update runs amok and damages their data? On more than one occasion, Microsoft have released CDs containing a known virus. Is there even a slight chance they could expose millions of users worldwide via an automatic release?
It’s not just software that’s started phoning home. The Netropa multimedia keyboard used on many HP Pavilion computers has a little LED that tells users when they’re online. It knows this because, once a second, it sends a small packet of data — known as a “ping” — to the overseas address of ANS Communications, a subsidiary of WorldCom. Naturally those pings add to traffic charges and reduce bandwidth but it’s disturbing to consider what else might have been communicated to that address. It seems unlikely that HP would maintain a server just to set a keyboard light when a simple operating system call could do the same thing.
It’s still too early to see where these technologies might lead but it’s not unreasonable to speculate how they may be employed. Microsoft’s accounts show only two real sources of income; operating systems and office applications. If the latter were to come under serious threat — say from the cheap/free StarOffice/OpenOffice alliance — it’s not inconceivable a “patch” might be released to help the home team. It’s happened in the past. In the early 1980s Excel was a very poor relation. Lotus 1-2-3 had more than 90% of the spreadsheet market. Dos version 2 included “features” to make Lotus less reliable. The development team even had its own mantra: “Dos ain’t done till Lotus won’t run!”
The difference with automatic updates is that these battles could be played out in real time on every user’s desktop.
Open warfare is precisely what the US entertainment industry proposed last year when it floated a bill to give it the right to break into other people’s computers if they suspected them of copyright violation. That was followed by a proposal from a small group of security researchers to establish a counterstrike system that, in the event of a computer assault, would automatically retaliate against the perpetrator. There’s a very real danger we’ll slip into an era of vigilante justice.
What surprises me the most is how sanguine typical users are in the face of such onerous license provisions. If the government said they wanted to “access, store and transmit information” on your personal computer, there’d be outrage and protests in the streets. And if they demanded the right, at their own discretion, to alter, update and tamper with its contents, there’d probably be a bloody revolution. But these edicts come from corporations — profit-driven bodies responsible to only their shareholders — and there’s barely a squeak of dissent.
Front 3: The Battle for the future
The privacy predations of the past — and the almost blissful complacency with which users seem to accept them — don’t augur well for the future. And that “future” may be as little as six to 18 months away.
Such technology effectively subverts the role of the police, the courts and even governing law. The precedents established by the use of blank cassette and video tapes are overridden and once again the dominant principle becomes guilty-till-proven-otherwise.
The Trusted Computer Platform Alliance (TCPA) plans to take this idea one step further by introducing a system in which the owner of the hardware will be little more than an administration assistant. All decisions on what can and can’t be run will be in the hands of outside parties. The TCPA — an alliance of almost 200 hardware, software and entertainment industry corporations — is careful to distinguish their phraseology. A “trusted” device won’t necessarily be any more secure, virus- free or reliable than its predecessors. It will however be trusted to do what its masters dictate.
“Trusted” architecture effectively partitions off areas of hardware and makes them inaccessible except via registered ‘zones’. A music download from Sony, for example, will create a secret Sony zone on the user’s disk that is managed externally by the corporation. Just as Microsoft has now granted itself the right to manage your PC remotely. The advantages for the entertainment and software industries are manifold and best summed up in the phrase “total control”. It will be possible to time- or play-limit downloads and restrict them, as with CPRM, to a single machine. Even access to data via a network will be controllable. Plus, with the inclusion of secure payment zones, it’ll be possible to lease material or distribute it on a pay-per-use basis, even perhaps ensuring automatic payment for automatic software updates — whether the user considers them necessary or not.
Microsoft’s version of TCPA — an architecture known as Palladium — is due for release next year, hand-in-hand with the next version of Windows. Like “trusted” before it, the company has now redefined the term “security”. A research presentation last October was told that security in a Palladium context doesn’t so much mean keeping outsiders out as securing the system from doing things its controllers don’t want. Like extracting music tracks or copying CDs.
While there are some appeals and conveniences inherent in a CPRM/TCPA/Palladium-controlled world, it is unclear whether users will be happy to cede many of the rights they currently enjoy to an elite group of corporate overlords. Though, going on the near blanket acceptance of web bugs, profiling, spyware and general snooping provisions, it does seem depressingly likely.
In February 1999 Intel released the Pentium-III. Buried within each chip was a unique processor serial number that could be used to identify specific machines and thus individual users. Though the company was at pains to explain the feature could be turned off, it didn’t take long for a German magazine to find a way of flipping it remotely. So even an “off” PSN could be turned on and read by an unscrupulous website. Protests began. Users threatened boycotts. Graphics based on the “Intel Inside” logo but reading “Big Brother Inside” appeared on countless websites. And the company quietly dropped the feature.
Consumers forget that they are the ultimate arbiters in the marketplace. That they, quite literally, have the power of life and death over corporations. That they really can influence the Battle for the Desktop. Whether they choose to exercise that power remains to be seen.
The Threats
Wireless networking
Risks: “War drivers”, ham radio freaks or even your next- door neighbour may be able to tune into your transmissions.
Solution: Enable encryption. Or, if you happen to be the SysOp of a commercial site, let me put it this way: ENABLE ENCRYPTION!
Alternatives: CAT5 cable. It’s still almost five times faster. And way more secure.
Sneaky licences
Risks: Keeping up-to-date with the latest bug fixes opens your system up to Big Brother Bill or his “designated agents”.
Solution: None.
Alternatives: Linux or a lobotomy. Or perhaps a Mac and Prozac. Altogether now, “I’m H, A, P, P, Y, I’m H, A, P, P, Y, I know I am, I’m sure I am, I’m...”
Browser leakage
Risks: Check out leader.ru/secure/who.html to see what you’re currently giving away. (Or http://snoop.anonymizer.com or http://privacy.net/analyze or http://www.rental-web.com/~azuma/cgi-bin/env.cgi )
Solution: Toughen your browser’s security settings or get one that’s simple to adjust. (For example, pressing F12 in Opera gives you instant control of pop-up windows, Java, JavaScript, animated GIFs, cookies, referrer logging, proxy servers and even your browser ID.)
Alternatives: A proxy server. Mine currently informs nosy websites I’m connecting from address 127.0.0.1 (themselves!) and that I’m using “Bertie Boo’s Big Bad Bwowser version 3.6”. Suck on that, ad man!
Ad trackers & third-party cookies
Risks: Imagine Sting is the ad site. Now listen to “Every Breath You Take” again. (“Every breath you take, every move you make, every bond you break, every step you take, I’ll be watchin’ you...”)
Solution: Run Ad-aware and a cookie manager regularly then delete, delete, delete. Tighten up your browser’s cookie controls. Ad-aware 6 can be downloaded from this month’s PC World Plus CD.
Alternatives: Play the Cookie File Edit Game. Search your hard drive for any files containing “@”, use Notepad to open those pointing to sites you don’t recognise and change the data at random! Or turn them into really, really big files. (You just might crash their server. Ooops!)
Web bugs
Risks: Unauthorised third-parties track your movements and correlate data via invisible (1 x 1 pixel) graphics on web pages. Anything entered on a bugged site can be snatched, including email addresses. They’re not called buggers for nothing.
Solution: http://www.guidescope.com (for Linux and Windows). Squashes bugs, manages cookies, blocks ads and more. And all at your favourite price. Free. There’s also Bugnosis but it only works with Internet Explorer — which almost deserves a threat category of its own.
Alternatives: Live with ‘em.
Keyboard Loggers & Screen Snappers
Risks: Like Ad Trackers but worse. Every key you press or screen you look at is recorded for later retrieval. (Some key loggers can store two million hits and despatch their snoop results via a hidden email.)
Solution: Expensive, snoop-detect software. Much of it sold — without a hint of irony — by the snoop-software sellers themselves. Still not a 100% solution though as snoopware may be software-based, hardware-based or a combination of both.
Alternatives: Encourage the cat to sleep on your keyboard. That should blow their buffers! Blu-Tack’s fun too. If it’s a work PC, try typing out something like; “Dear Frank, Thanks for the offer. I could certainly use another $30,000 a year but I feel my work here is important... (blah, blah, blah)”. If the boss calls you in the next day or two and commends your attitude, be very, very suspicious. (A guy I know once spent a boring, civil service afternoon hitting every key thrice: “DDDeeeaaarrr FFFrrraaannnkkk,,,”... The following day, unbidden, TechSupport replaced his keyboard. What would you conclude?)
Hackers / Crackers
Risks: Varies considerably depending on your type of connection (dialup or “always on” broadband), networking (wireless or cable), system usage (server or desktop) and even your operating system.
Solution: All of the above and keep up to date with the latest patches, fixes and attack vectors.
Alternatives: Disconnect and lock the doors. The only really secure computer is one that can’t be reached.
CPRM / TCPA / Palladium
Risks: “Excuse me, but may I download this please?”
“Would it be all right if I made a copy of these music tracks? Oh, okay, I understand.”
“Sorry I didn’t realise Linux wasn’t a ‘trusted’ application. Honest. Please let me keep using my computer. Please...!”
Solution: Oppose control while you still have the chance. Let companies know you won’t support compromised hardware platforms. Vote with your wallets. Learn Linux.
Alternatives: Stick with your old hardware. Forever.
A little bird told me
A free plug-in from for Internet Explorer 5 and later versions, Privacy Bird allows you to specify your privacy preferences regarding how a website stores and collects data about you. If a site’s policies meet your requirements, a small green bird icon in the browser’s title bar emits a happy tweet after you have loaded the page. But if the site does more with your information than you’ve said you’ll accept, the bird icon turns red and chirps a shrill warning when you first load the page. The bird doesn’t block the site; it only alerts you that you may not like what the site does with your information. With a couple of clicks, you can see what a site plans to do with your data.
The defenders
Firewall
What is it: Think of a firewall as your own personal Soprano. It checks the credentials of all outgoing and incoming network traffic. Plus, to the outside world it’ll make it look like your machine doesn’t even exist. And if a bogus app does sneak onboard and try to call home, the firewall will give you a nudge and say, “Hey boss. You wanna let dis guy access da internet? Or like, maybe I should break his legs...”
Rating: Essential for all internet users. If you don’t believe me, go here and see how vulnerable you are. Then try the address again with a firewall installed.
Free Sources: For Windows users, www.free-firewall.org has a comprehensive summary and links to available products. Linux users can go to GuardDog or ShoreWall.
Known problems: Poor user configuration results in firewall holes.
Solution: proper testing. Try these sites:
http://grc.com/x/ne.dll?bh0bkyd2
http://scan.sygate.com/probe.html
http://www.pcflank.com/test.htm
http://www.blackcode.com/scan
http://www.testmyfirewall.com
http://www.auditmypc.com
Proxy server
What is it: A kind of remote control web robot, the proxy sits between you and your target website. Any interrogation by the website reveals only the proxy’s details thus protecting your privacy.
Rating: A paranoid’s (and a hacker’s) delight.
Free Sources:
Windows: Proxomitron
Linux: Proxy, TinyProxy, MiddleMan
Known problems: Proxies can be hard to find. Solution: keep digging! Public proxies can be s-l-o-w.
Solution: find another one or create your own using an old PC and Linux.
Antivirus software
What is it: Software that scans applications, downloads and incoming mail for known viruses and worms then removes them.
Rating: Essential for Windows users. For Linux users it varies from “not required” to “essential” depending on system usage. (Desktop users don’t need to worry but it’s recommended for mail servers delivering email to Windows clients.)
Free Sources:
Windows: AVG, F-Protect
Linux: F-Protect, Clam
See also http://www.openantivirus.com/projects.php#mini-faq
Known problems: Doesn’t protect you from just-released viruses.
Solution: regular, preferably automatic, updates.
Spyware detector
What is it: Scans your files and registry for the presence of information harvesting and dissemination tools unwittingly installed with many freeware applications.
Rating: Very important for Windows users but not required on Linux.
Free Sources: AdAware, SpyChecker
Known problems: Removing spyware may disable or limit the original application.
Solution: use your firewall to prevent spyware apps calling home or find an alternative program. (KaZaa-Lite instead of KaZaa, for example.)
Spam bucket email account
What is it: A non-essential email address for people and organisations you don’t want to hear from on a regular basis.
Rating: Highly useful for websites that demand a contact address or software that requires a registration number — sent to you by email — before it’ll work.
Free Sources: KoolSurf, mail.com
(Avoid hotmail.com due to excessive and regularly altered Terms of Use (10,000+ words!) and insistence you use Microsoft’s appalling Passport privacy plughole.)
Known problems: Has to be emptied occasionally. Ye-euch!
Spam filter
What is it: A mailbox checker that screens your email, either deleting known spam before download or moving it to a special folder.
Rating: Nice to have.
Free Sources:
Windows: MailWasher, SpamNet
Linux: SpamAssassin, MailFilter
Known problems: Improper setup may nuke important messages.
Solution: thorough testing. For the first couple of weeks choose to review all suspects before deleting them.
Wwebbug detector
What is it: Filters out the invisible graphics that secretly link one website to another for the purpose of user tracking and consumer profiling.
Rating: Useful
Free Sources:
Guidescope (Linux and Windows)
Bugnosis
Known problems: (Guidescope) Quicker site access, no ad banners, cookie control... They’re problems? (Bugnosis) For Internet Explorer only.
Cookie control
What is it: Allows the retrieval, examination and editing of cookie files left behind when you browse the web.
Rating: Interesting at first. Then a bit of a yawn.
Free Sources:
Windows: Cookie Jar, Cookie Wall
Linux: Privoxy
Known problems: Too many cookies, too little time. Good browsers allow you to automate cookie control with settings that decline third-party cookies, display suspicious ones, or even (Opera) throw them all away at the end of the session.
geoff_palmer@idg.co.nz
Trusted editorial content relevant to the NZ market & convenience of free NZ delivery
© Fairfax Media Business Group
Fairfax New Zealand Limited,
FairfaxBG | Computerworld | PC World | PressF1 | Reseller News | CIO | Unlimited | actv8
Email Webmaster | Contact Fairfax Media Business Group | Subscribe Online | Advertise With Us | Privacy Policy
| Sitemap | 