This is a discussion on Re: Linux and spyware? within the Linux Security forums, part of the System Security and Security Related category.
Quoth haynes@alumni.uark.edu (Jim Haynes):
> An article in today's paper alleges that Linux and MacOS are just as
> vulnerable to spyware as is Windows. Is this true? and if so what is
> the mechanism of action? And how can spyware be detected and eliminated
> in Linux?

Most of the "client side spyware" has tended to be embedded either in web browser extensions or in stuff like JavaScript. The former tend not to be available for Linux, but the latter ought to be able to work.

And in any case, the usual _real_ form of "spyware" will mostly be on the server side of web accesses, so that the platform you are using to browse the web is totally irrelevant.

Consider: You get an email that points you to "Hot Young Teens."

It has a URL that points the sender to who they sent it to. That may be as unobvious as:

ID #    Email Address
-------------------------------------
1021    a@b.com
1022    your_address@wherever.com
1023    my_add@mysite.com
.. and so forth ...

which turns into a URL like:
<http://www.hotteens.com/stuff+1022+intro/>

Note that there is _no_ reason for you to consider the "1022" part to be associated in any way with your identity.

But an interesting linkage then takes place: if the web site does basic URL access logging, they can know that someone whose email address was <your_address@wherever.com> accessed the URL from some IP address at some moment in time.

If your web browser quietly stores cookies, remote web sites can link things up further, so that if you visit that web site again, they can identify that it was you before, and you now.

They may not know much about you beyond the email address, but they'll get to know a few things.

And note that the only thing about this that you can forcibly do anything about is to choose not to follow the web links.
--
wm(X,Y):-write(X),write('@'),write(Y). wm('aa454','freenet.carleton.ca').
http://www.ntlug.org/~cbbrowne/security.html
"As long as there are ill-defined goals, bizarre bugs, and unrealistic schedules, there will be Real Programmers willing to jump in and Solve The Problem, saving the documentation for later. Long live FORTRAN!"
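
One way a recipient can spot the per-address token described in the post above is to compare the same mailing as delivered to two different addresses and see which URL pieces differ. This is an added example that goes a step beyond the post and is not part of the original thread; the host `mailer.example`, the two sample messages and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the same mailing as received by two seed mailboxes.
COPY_A = """Hot new stuff: <http://mailer.example/stuff+1021+intro/>
Unsubscribe: http://mailer.example/unsub/
"""
COPY_B = """Hot new stuff: <http://mailer.example/stuff+1022+intro/>
Unsubscribe: http://mailer.example/unsub/
"""


def pieces(url):
    """Return (host, path/query pieces) split on the usual URL separators."""
    parts = urlsplit(url)
    raw = re.split(r"[/+&=?;]", parts.path + "?" + parts.query)
    return (parts.hostname or "").lower(), [p for p in raw if p]


def per_recipient_tokens(copy_a, copy_b):
    """Pair links by position and report the pieces that differ per copy."""
    findings = []
    for url_a, url_b in zip(URL_RE.findall(copy_a), URL_RE.findall(copy_b)):
        host_a, toks_a = pieces(url_a)
        host_b, toks_b = pieces(url_b)
        if host_a != host_b or len(toks_a) != len(toks_b):
            continue  # not the same templated link; nothing to compare
        diff = [(a, b) for a, b in zip(toks_a, toks_b) if a != b]
        if diff:
            # A piece that changes with the recipient identifies the recipient.
            findings.append((url_a, diff))
    return findings


if __name__ == "__main__":
    for url, diff in per_recipient_tokens(COPY_A, COPY_B):
        print("do not follow:", url, "varies per recipient:", diff)
```

A link that is identical in both copies (the unsubscribe link here) is not reported; a link whose pieces vary is one whose access log entry names the recipient, whatever browser settings are in use.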
In <bdoa0i$uena0$2@ID-125932.news.dfncis.de>, Christopher Browne:

[Snip...]

>And note that the only thing about this that you can forcibly do
>anything about is to choose not to follow the web links.

I take the burntearth policy: turnoff Java, Javascript, and cookies except for trusted useful sites (like my hometown bank, for example). This has an extra benefit of virtually eliminating those pesky popups, etc. It is also why Lynx is typically my browser of choice for most mundane tasks. If Lynx has problems with a site, I probably don't have the time myself for it.

I understand this isn't possible all the time for everybody. Just my view.

--
Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (mklog*) in place for spambots.
Really it's (wyrd) at raytheon, dotted with com. DO NOT SPAM IT.
Standard Disclaimer: These are my opinions not Raytheon Company.
On Mon, 30 Jun 2003 08:01:31 +0000, #Harold Stevens US.972.952.3293 wrote:

>>And note that the only thing about this that you can forcibly do
>>anything about is to choose not to follow the web links.

> I take the burntearth policy: turnoff Java, Javascript, and cookies except
> for trusted useful sites (like my hometown bank, for example). This has an
> extra benefit of virtually eliminating those pesky popups, etc. It is also
> why Lynx is typically my browser of choice for most mundane tasks. If Lynx
> has problems with a site, I probably don't have the time myself for it.

If you go visit one of those http://www.hotteens.com/stuff+1022+intro/ type URLs, then they can tell (from the 1022 part) what your e-mail address is, even if you have Java/JS/cookies turned off. As previously noted, the only way around *that* is to avoid going to the site.
In <pan.2003.06.30.08.10.22.739029@socal.rr.com>, Ed Murphy:

[Snip...]

>type URLs, then they can tell (from the 1022 part) what your e-mail
>address is, even if you have Java/JS/cookies turned off. As previously
>noted, the only way around *that* is to avoid going to the site.

OK, maybe Lynx is promiscuous in that respect, too (I honestly don't know) but I can fight spammers sniffing my email a lot easier than some blackhat Javascript suddenly aboard, running amok. :)

(BTW, our corporate firewall/mail policy pretty much nukes spam other than at the munged address in my sig, and even that is minimal)

--
Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (mklog*) in place for spambots.
Really it's (wyrd) at raytheon, dotted with com. DO NOT SPAM IT.
Standard Disclaimer: These are my opinions not Raytheon Company.
Centuries ago, Nostradamus foresaw when stevens@mklog4.rsc.raytheon.com (#Harold Stevens US.972.952.3293) would write:
> In <pan.2003.06.30.08.10.22.739029@socal.rr.com>, Ed Murphy:
>
> [Snip...]
>
>>type URLs, then they can tell (from the 1022 part) what your e-mail
>>address is, even if you have Java/JS/cookies turned off. As
>>previously noted, the only way around *that* is to avoid going to
>>the site.
>
> OK, maybe Lynx is promiscuous in that respect, too (I honestly don't
> know) but I can fight spammers sniffing my email a lot easier than
> some blackhat Javascript suddenly aboard, running amok. :)

You're missing the point. There's nothing Lynx would do that is "promiscuous."

The "spying" is accomplished simply using the contents of the URLs combined with tracking what IP address you come from.

You're imagining yourself safe from surveillance because you're using Lynx, when all the surveillance takes place on the remote server which you don't control.
--
If this was helpful, <http://svcs.affero.net/rm.php?r=cbbrowne> rate me
http://www.ntlug.org/~cbbrowne/security.html
"Over the centuries the Indians developed sign language for communicating phenomena of interest. Programmers from different tribes (FORTRAN, LISP, ALGOL, SNOBOL, etc.) could use one that doesn't require them to carry a blackboard on their ponies." -- Alan Perlis
Christopher Browne wrote:
> Quoth haynes@alumni.uark.edu (Jim Haynes):
>
>>An article in today's paper alleges that Linux and MacOS are just as
>>vulnerable to spyware as is Windows. Is this true? and if so what is
>>the mechanism of action? And how can spyware be detected and eliminated
>>in Linux?
>
>
> Most of the "client side spyware" has tended to be embedded either in
> web browser extensions or in stuff like JavaScript. The former tend
> not to be available for Linux, but the latter ought to be able to
> work.
>
> And in any case, the usual _real_ form of "spyware" will mostly be on
> the server side of web accesses, so that the platform you are using to
> browse the web is totally irrelevant.
>
> Consider: You get an email that points you to "Hot Young Teens."
>
> It has a URL that points the sender to who they sent it to. That may
> be as unobvious as:
>
> ID #    Email Address
> -------------------------------------
> 1021    a@b.com
> 1022    your_address@wherever.com
> 1023    my_add@mysite.com
> .. and so forth ...
>
> which turns into a URL like:
> <http://www.hotteens.com/stuff+1022+intro/>
>
> Note that there is _no_ reason for you to consider the "1022" part to be
> associated in any way with your identity.
>
> But an interesting linkage then takes place: if the web site does
> basic URL access logging, they can know that someone whose email
> address was <your_address@wherever.com> accessed the URL from some IP
> address at some moment in time.
>
> If your web browser quietly stores cookies, remote web sites can link
> things up further, so that if you visit that web site again, they can
> identify that it was you before, and you now.
>
> They may not know much about you beyond the email address, but they'll
> get to know a few things.
>
> And note that the only thing about this that you can forcibly do
> anything about is to choose not to follow the web links.

Don't forget web bugs: 1 pixel by 1 pixel transparent gifs on web pages that may be pulled from any *other* web site in the world, allowing sites that have nothing to do with your visible web page to determine what the calling site was, what host, and all sorts of other interesting information. Can you say "ad.doubleclick.net collects data on people"?

Note also that it's easier, in many ways, to get the client's machine to generate the data and send it in with the Javascript/etc. than to try to maintain the server with a consistent database, back end communication, etc., so the first forms of spyware are still popular. Their use partly results from the *committees* that decide on things like Java, Javascript, HTTP, etc. accommodating the desires of commercial web designers to enable such "features". The continuing difficulty in simply turning them off with a button on the top of the browser is the fault of, you guessed it, the web browser authors who know full well who is paying their bills and don't dare turn the !@#$ off.
In <bdp8fk$ve5uq$2@ID-125932.news.dfncis.de>, Christopher Browne:

>The "spying" is accomplished simply using the contents of the URLs
>combined with tracking what IP address you come from.

That's a cute trick. Kinda shoots my Usenet munging to heck, I suppose. :)

>You're imagining yourself safe from surveillance because you're using
>Lynx, when all the surveillance takes place on the remote server which
>you don't control.

Well, at least Lynx doesn't make it easy to run rogue script. So there. :)

Seriously, I don't like surveillance but malware is much worse (to me).

--
Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (mklog*) in place for spambots.
Really it's (wyrd) at raytheon, dotted with com. DO NOT SPAM IT.
Standard Disclaimer: These are my opinions not Raytheon Company.
Nico Kadel-Garcia wrote:
>
> Don't forget web bugs: 1 pixel by 1 pixel transparent gifs on web pages
> that may be pulled from any *other* web site in the world, allowing
> sites that have nothing to do with your visible web page to determine
> what the calling site was, what host, and all sorts of other interesting
> information. Can you say "ad.doubleclick.net collects data on people"?

Do you know of any OSS web bug blocking packages available?

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.21 i686 (GCC) 3.3
Uptime: 11 days, 23:59, 1 user, load average: 1.22, 1.24, 1.23
David <thunderbolt01@netscape.net> wrote:
>
> Do you know of any OSS web bug blocking packages available?

You could use a filtering proxy, for starters. Squid with sleezeball for instance. This will not protect you from web bugs in general, but it lets you block stuff by URL. So you can e.g. avoid ad.doubleclick.net.

Ciao. Seb.
Centuries ago, Nostradamus foresaw when David <thunderbolt01@netscape.net> would write:
> Nico Kadel-Garcia wrote:
>> Don't forget web bugs: 1 pixel by 1 pixel transparent gifs on web
>> pages that may be pulled from any *other* web site in the world,
>> allowing sites that have nothing to do with your visible web page to
>> determine what the calling site was, what host, and all sorts of
>> other interesting information. Can you say "ad.doubleclick.net
>> collects data on people"?
>
> Do you know of any OSS web bug blocking packages available?

JunkBuster was the traditional one; development on that has ceased in favor of Privoxy. <http://www.privoxy.org/>
--
If this was helpful, <http://svcs.affero.net/rm.php?r=cbbrowne> rate me
http://www3.sympatico.ca/cbbrowne/ifhow.html
Babbage's Rule: "No man's cipher is worth looking at unless the inventor has himself solved a very difficult cipher" (The Codebreakers by Kahn, 2nd ed, pg 765)
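
The two checks discussed in the posts above (blocking by URL host, and spotting 1 pixel by 1 pixel images pulled from another site) can be sketched as a small page scanner. This is an added example, not code from the thread, Squid or Privoxy; the sample page, the `*.example` hosts and all function names are constructed, and only `ad.doubleclick.net` comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCKED_HOSTS = {"ad.doubleclick.net"}  # the host named in the thread

# Constructed sample page; every *.example host is made up.
PAGE_URL = "http://news.site.example/index.html"
PAGE_HTML = """<html><body>
<img src="/logo.gif" width="120" height="40">
<img src="http://ad.doubleclick.net/ad/banner.gif" width="468" height="60">
<img src="http://stats.tracker.example/b.gif?page=news" width="1" height="1">
<img src="http://images.partner.example/photo.jpg" width="300" height="200">
</body></html>"""


def is_tiny(value):
    """True when a width/height attribute declares 0 or 1 pixel."""
    text = (value or "").strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    return text.isdigit() and int(text) <= 1


class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (reason, absolute image URL)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        src = urljoin(self.page_url, attr.get("src") or "")
        host = urlsplit(src).hostname
        if not host or host == self.page_host:
            return  # first-party image: the visited site sees this anyway
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            self.findings.append(("blocked-host", src))  # URL-based rule
        elif is_tiny(attr.get("width")) and is_tiny(attr.get("height")):
            self.findings.append(("1x1-third-party", src))  # web bug shape


def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

The size check only sees declared `width` and `height` attributes, so an undeclared tracking image passes it; the host list catches only hosts already known, which is the limitation Seb notes for URL-based blocking.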