Fear Your Browser, Episode 3: Using Proxies

“Proxy” means several things in the networking world, unfortunately.

One meaning refers to the kind of network trickery mainland Chinese use to get around government restrictions: proxy servers. Basically, these serve as a relay for every request, making the origin look like themselves (usually in a different country), and not someone in a nation where information is “controlled.”

Another refers to proxy servers like Squid in the Unix world, and ISA in the Windows world. Both offer content caching, as well as logging and monitoring (think about that, since most enterprises use proxies) and content filtering. At one organization the image of a Big Red Hand greets your attempt to visit certain sites, for instance. While these machines are Big Brotherly, they actually offer some advantage in security, since they can indeed prevent certain content from reaching users. This is not, however, usually geared toward advertisers and other potentially abusive tracking organizations.

Yet another type of proxy is a local proxy, running right on your computer but providing some of the more clever content-filtering features of the Big Brother proxy servers. For browsing purposes, a good choice as of this writing is Privoxy (http://www.privoxy.org/), which is specifically geared toward eliminating third-party tracking. In their own words:

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk.

It’s available for everything from Windows to BSD, with about as wide a variety of installation instructions as you could imagine. If you’re running BackTrack on your laptop, its as easy as

apt-get install privoxy

Dig into the documentation. There’s a world to know about Privoxy if you want to tinker with filtering actions. But also be clear: default settings are already way, way better than surfing “naked.”

There’s only one little problem.

Your traffic has a clear origin, and your browser has a unique fingerprint.

Oops, that’s two problems. And you wanna bet there are more? For next time …

Fear Your Browser, Episode 2: How They’re Tracking You

Let’s start with some of the simpler stuff (like a horror movie).

We all understand cookies, right? Sure we do! We don’t mind them at all. We let our bank and our Yahoo Groups and Google and every, well, yahoo out there set cookies on us. Newer browsers make dealing with this issue about as fun as athlete’s foot, and just as recurrent. Do you want to accept cookies from this site? From other sites? From third parties? For eternity? From Satan???

Usually we just wade through a series of Yeses and get back to surfing porn. But oh, boy, what we’re agreeing to! The last time I studied a Yahoo EULA, it seemed clear that once I visited my one Yahoo Group, by logging in automatically of course, I was “logged in to Yahoo” and my every click was being tracked.

One of these days these guys are going to find a way to tell how long our eyes rest on an image, and then all hell breaks loose. I won’t be able to pass a lingerie shop without my cell phone ringing with an ad for red panties. Ahem. And let me be clear that I don’t wear them.

In any case, this level of “traction” does not appeal to me, and it’s barely the beginning. Bad Issue No. 2: third-party cookies you “inherit” (or are afflicted, or even infected with) when you visit practically any site. Google’s gonna track my click-through, that’s a fact. But take a look at your cookies list sometime: you’ll have cookies from DoubleClick, Advertising.com, and a whole raft of other familiar-sounding names.

You don’t want those cookies. Those cookies are bad. They not just can be, but are in fact used to track your “interests” as you traverse the web. It’s not like gnorman.org setting a cookie for your local login. It’s like Google setting a cookie, or more likely reading one, because I have Google Ads on my site (as of this writing). Now certainly Google knows far too much, period. I agree with the Dos XX billboard: The bulk of your life should be off the record.

But it’s the advertisers I fear. We are headed, fast fast fast, toward the world of The Minority Report, where ads swarm around you every step of your way. This would shortly drive me to gunfire, personally.

They’re tracking you across hundreds or thousands of sites. Let your teenage son share your login (or hey, don’t use one at all) and suddenly you’re on a lot of records as having a proclivity to porn. Fortunately teens aren’t so unsafe, after all; they’re primarily interested in each other. However, their activity attracts people who are not safe at all, no indeed. I recall the NewMexicoKids.org bulletin board in the naive days of a decade ago, a great place for parents and kids to ask questions — and shortly, a great place for pedophiles.

Neat, huh? How those dramatically unintended consequences bite you in the butt?

Cookies are also subject to cross-site restrictions, by design. This can be a problem in web design, when for instance the same user may pass from networkworld.com to computerworld.com. Clever developers solved this nicely: they used Flash cookies instead.

If you bake chocolate chip cookies, and I bake a huge wedding cake and call it a “cookie,” we’d have about the same relationship as a Flash “cookie” has to a real browser cookie. If you call a dog’s tail a leg, how many legs does a dog have? Four, because calling it a leg doesn’t make it one. Unfortunately, in this case the term has indeed stuck.

Flash cookies are already the subject of rising legal attention, but for our purposes you must clearly understand that any page using Flash, even a single-pixel image, can set a Flash cookie. And these babies are tougher to deal with.

So now we should fear single-pixel GIFs and Flash images, cookies and third-party cookies, advertisers and certainly Google, Yahoo, MSN, and the mirror port at every major telecom facility that cables in to a highly secured closed room accessible only to the Federal government. Oh yeah, that too.

Next time: surfing through proxies.

Why should you be afraid of your browser?

This installment starts a series on browser safety online. Let me open with a question: Do you practice safe browsing? Put another way, Do you know what safe browsing is? Or darkly recast, Do you have a clue what’s unsafe?

As with any field, we have to start with a taxonomy. What are the threats of browsing?

Okay, first: your browser and search histories. Your clickpath is a highly personal piece of information. Except you usually can’t get to the records that advertisers keep about you, so you’re at an immediate disadvantage. That clickpath (your browse and search histories), at the very least, reveal reams about your problems, relationships and interests. Maybe you don’t care about advertisers targeting you, and that’s reasonable. The troubling thing is, investigations by, say, the federal government may reveal things you’d rather not share, or even result in catastrophic incorrect assumptions about you. You don’t want the NSA drawing any funny conclusions from your Lawrence of Arabia fetish, do you?

Second: your browser fingerprint. Huh? Browser fingerprint? Yup, it’s got one. And it can be used to identify you personally and specifically as a visitor to a site.

Third: bugware. I’m talking about everything from those single-pixel gifs that advertisers hang onto pages so they can track you, to that foolish agreement you signed with Google or Yahoo or MSN that lets them track your every move while you are logged in to their service. You signed no such thing? If you have Gmail or Yahoo mail or MSN mail, yes you did. Read the EULA and weep.

Let me talk about issue one, your searches and browsing clickpath. Let me pick on Google for an example (they make such a good example of so many things). Take a look at “What Google Knows About You” at

http://www.computerworld.com/s/article/337791/What_Google_Knows_About_You?source=CWNLE_NLT_PRN_2009-05-11

Allow me to strenuously point out the issues: Google has no clear guidelines on what they can collect or how they can share it, aside from a recent decision to anonymize data after it’s been kept a certain time. They won’t tell you what information they have about you; that right is reserved exclusively for advertisers. You can’t correct errors, clarify misconceptions or provide countervailing information. You’re just plain under the microscope, and if some agency decides to dissect you, you can’t do a damn thing about it.

So just in the realm of this particular issue, what can you do? Read “6 Ways to Protect Your Privacy on Google” at

http://www.computerworld.com/s/article/336607/6_ways_to_protect_your_privacy_on_Google?source=CWNLE_NLT_PRN_2009-05-11

Take this advice seriously. When you are online, you are naked in public. Act like it. Be modest. Don’t draw attention to yourself. Disappear. Because someday, somebody will be hauling you into court to explain something you said online, or something you “Liked” on Facebook, or someone who is your “friend” on some service.

Or even me, for this article.

Windows 7 Security

Obviously a big part of the security game is staying ahead of the curve. Right now the curve is Windows 7, which is hitting organizations in a big way. As always I’d suggest being versed in the new security features of this OS, since you’re likely to support it and equally likely to make money doing that.

Check out the ComputerWorld.com article, “Five Windows 7 security features that businesses need to know about” at

http://www.computerworld.com/s/article/9179749/Five_Windows_7_security_features_that_businesses_need_to_know_about?taxonomyId=125&pageNumber=1

BitLocker precedes Windows 7, but now you can get BitLocker To Go for your USB stick. Multiple active firewall profiles is a neat feature. But I have to admit I particularly like the new “VPN replacement,” DirectAccess. Okay, network students: at a casual guess, how do you think this is being implemented?

There’s Some Breathing Room In The Race To Implement EMR (and get paid for it)

Implementing electronic medical records has become a race. The U.S. Department of Health and Human Services is the enforcer here, and pretty much as everyone expected, medical practices are nowhere close to meeting the deadlines. There’s good money to be had in the form of reimbursements for implementing EMR systems, but just as they do every time innovation gets jammed through the system, practitioners don’t want to use it.

Now they’ll have to, and they’ll have to pay for it themselves.

Except there’s a momentary reprieve: HHS has made it easier to qualify for reimbursement, reducing 90 requirements to 44. And providers can wait as late as 2012 to begin implementing EMR and still have two years to reach the first level of compliance.

They’ll get less money, but it’ll be easier to get it. We’ll see how it plays out. Go to http://www.computerworld.com/s/article/350830/Feds_Lower_Bar_for_EHR_Funds for more info, including links to primary sources.

Are You Being Monitored Online?

Should you have the illusion that you have even a vague sort of privacy on the internet, you should read this report:

Project Vigilant and the government/corporate destruction of privacy

at http://www.salon.com/news/opinion/glenn_greenwald/2010/08/02/privacy/index.html.

Did you know that self-appointed vigilantes are monitoring huge numbers of people? And processing that data? And turning it over to the US Government? With the total complicity of their ISPs?

If this doesn’t worry you, you’re already on the wrong web site.