Here's a real disappointment

Discussion in 'privacy general' started by luv2bsecure, Feb 26, 2002.

Thread Status:
Not open for further replies.
  1. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    I was considering an "anonymizer.com" subscription and went to the site and looked all around. It looked really good. I like the URL encryption as well as IP hiding. I figured it's worth $45 a year.

    However, there is a drop-down menu on the home page at http://www.anonymizer.com/

    Actually there are two, "learn" and "shop", I went to the "learn" menu and went to where it says, "What Data Am I Revealing Right Now?" and saw all the information we know we give away when we visit a site.  WELL, when you go there, up comes a new window with no address bar to give you all the scary information. However I right clicked to "properties" and found the URL to be:
    http://snoop.anonymizer.com/cgi-bin/peleus.cgi?.doubleclick.net

    Doubleclick? On a site selling Anonymizing services? o_O

    I would like to hear others thoughts. Is it just me, or would that be of some concern to you?

    Also, outside of Anonymizer does anyone know of another anonymous browsing service that is credible and offers URL encryption as well as just IP hiding?

    This really disappointed me.

    BTW, my cable is flying today! We have been routed through cox and comcast domains and servers all over the country during the transition from @home, which obviously slowed us wayyy down for a couple of months. I am hitting 3 megabits today!

    John
     
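    The "What Data Am I Revealing Right Now?" page the post describes is just a script that echoes back what any web server learns from a single request. The following is an added example, not code from the thread, from Anonymizer or from any of the services named in it. It uses a constructed WSGI request environ (all addresses and header values are made up) and shows the same data, plus the case of a forwarding proxy that hides your IP address from REMOTE_ADDR but announces it again in X-Forwarded-For or Via; which headers a "good" anonymizing proxy would strip is an assumption of the example.

```python
"""What one HTTP request reveals to the server, and how a leaky proxy
undoes the hiding. Added example with constructed input; the IPs,
User-Agent and Referer below are made up, not captured."""

FORWARDING_HEADERS = ("X-Forwarded-For", "Via", "Forwarded")


def _http_headers(environ):
    """Turn WSGI HTTP_* keys back into header names (HTTP_USER_AGENT -> User-Agent)."""
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def what_you_reveal(environ):
    """Collect the client-identifying data present in a WSGI request environ."""
    headers = _http_headers(environ)
    revealed = {
        "ip": environ.get("REMOTE_ADDR"),            # where the TCP connection came from
        "user_agent": headers.get("User-Agent"),     # browser and OS
        "referer": headers.get("Referer"),           # the page (and query string) you came from
        "language": headers.get("Accept-Language"),
        "cookies": headers.get("Cookie"),            # whatever this site set earlier
    }
    # A forwarding proxy that is not built for anonymity announces the
    # real client anyway in one of these headers.
    for name in FORWARDING_HEADERS:
        if name in headers:
            revealed.setdefault("proxy_leaks", {})[name] = headers[name]
    return revealed


def anonymized(environ, proxy_addr):
    """The same request as an anonymizing proxy should present it (assumption):
    the server sees the proxy's address and none of the forwarding headers,
    and the Referer is dropped so the previous URL does not leak either."""
    dropped = {"HTTP_" + n.upper().replace("-", "_") for n in FORWARDING_HEADERS}
    dropped.add("HTTP_REFERER")
    clean = {k: v for k, v in environ.items() if k not in dropped}
    clean["REMOTE_ADDR"] = proxy_addr
    return clean


# Constructed sample requests (not real traffic).
DIRECT_REQUEST = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "HTTP_REFERER": "http://www.example.com/search?q=anonymous+browsing",
    "HTTP_ACCEPT_LANGUAGE": "en-US",
    "HTTP_COOKIE": "visitor=abc123",
}

# Same client, but through a forwarding proxy that adds X-Forwarded-For and Via.
LEAKY_PROXY_REQUEST = dict(
    DIRECT_REQUEST,
    REMOTE_ADDR="198.51.100.1",
    HTTP_X_FORWARDED_FOR="203.0.113.7",
    HTTP_VIA="1.0 leaky-proxy.example.net",
)

if __name__ == "__main__":
    for label, env in (("direct", DIRECT_REQUEST),
                       ("leaky proxy", LEAKY_PROXY_REQUEST),
                       ("anonymized", anonymized(LEAKY_PROXY_REQUEST, "198.51.100.1"))):
        print(label, what_you_reveal(env))
```

The "leaky proxy" case is the one to check on any free "hide your IP" service: if the test page still shows your own address under X-Forwarded-For, the IP hiding is cosmetic.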
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    This is extremely interesting - as far as I can tell, no cookies are read/stored from DoubleClick on that main page (although the site tries to read one if you ask it to later) BUT a cookie IS saved from the snoop.anonymizer.com site.

    I have not checked on the contents of this cookie just yet, but will very soon.

    It seems slightly suspicious...
     
  3. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Hmmm...that site is rather scary.

    Information:
    The site loads some sort of Active X control(s) and/or java applet(s).

    The site saves a cookie to your browser simply with the content "Permanent Cookies" or "Session Cookies" (and expiration date, etc. - no personal data or identifying numbers) simply to check if you have session cookies and permanent cookies enabled.

    BUT the site ALSO opens up www.msn.com in a separate browser window...and the scary thing is that (according to my proxy) the MSN cookie is read BEFORE the "GET / HTTP/1.0" request.

    Does anyone want to guess why this is? The MSN cookie contains GUID #s and UID #s - why is this information gathered?
     
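    The cookie javacool describes, with nothing in it but the words "Permanent Cookies" or "Session Cookies", is the standard server-side way to find out what a browser will keep: set one cookie with no expiry and one with a far-future Expires, then look at which names come back in the Cookie header of the next request. The block below is an added example written for this thread, not the snoop.anonymizer.com script itself; the cookie names and the one-year lifetime are assumptions, and the toy browser that stands in for a real client is constructed so the example runs offline.

```python
"""Server-side cookie capability probe: which of two marker cookies does
the browser return on the follow-up request? Added example; the cookie
names and the toy FakeBrowser are assumptions, not the real snoop script."""
import time
from email.utils import formatdate
from http.cookies import SimpleCookie

SESSION_NAME = "snoop_session"        # assumed name; the real script's is unknown
PERMANENT_NAME = "snoop_permanent"    # assumed name
ONE_YEAR = 365 * 86400


def probe_set_cookie_headers(now=None):
    """Set-Cookie headers for the probe response: one session cookie (no
    Expires) and one persistent cookie (Expires a year out)."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c[SESSION_NAME] = "Session Cookies"
    c[PERMANENT_NAME] = "Permanent Cookies"
    c[PERMANENT_NAME]["expires"] = formatdate(now + ONE_YEAR, usegmt=True)
    return [morsel.OutputString() for morsel in c.values()]


def classify_cookie_header(cookie_header):
    """Parse the Cookie header of the follow-up request and report which
    marker cookies the browser kept. Nothing identifying is needed."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {
        "session_cookies": SESSION_NAME in jar,
        "permanent_cookies": PERMANENT_NAME in jar,
    }


class FakeBrowser:
    """Toy cookie jar standing in for a browser with a cookie policy.
    restart() drops session cookies, as closing a real browser does."""

    def __init__(self, accept_session=True, accept_permanent=True):
        self.accept_session = accept_session
        self.accept_permanent = accept_permanent
        self.jar = {}  # name -> (value, is_persistent)

    def receive(self, set_cookie_headers):
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                persistent = bool(morsel["expires"])
                if (persistent and self.accept_permanent) or \
                        (not persistent and self.accept_session):
                    self.jar[name] = (morsel.value, persistent)

    def restart(self):
        self.jar = {n: v for n, v in self.jar.items() if v[1]}

    def cookie_header(self):
        return "; ".join(f'{n}="{v[0]}"' for n, v in self.jar.items())


def run_probe(browser):
    """Full round trip: probe response, then classify the follow-up request."""
    browser.receive(probe_set_cookie_headers())
    return classify_cookie_header(browser.cookie_header())


if __name__ == "__main__":
    print("accepts everything:", run_probe(FakeBrowser()))
    print("session only:      ", run_probe(FakeBrowser(accept_permanent=False)))
    b = FakeBrowser()
    b.receive(probe_set_cookie_headers())
    b.restart()
    print("after restart:     ", classify_cookie_header(b.cookie_header()))
```

The point of the round trip is that the server cannot tell cookie support from the first request at all; it needs the second one, which is why such test pages pop a fresh window and why the marker cookie has to exist even on a privacy-minded site.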
  4. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Here's MORE!!

    Javacool,

    Very good work. I always thought Anonymizer.com was on the up and up. But to find them involved in any way with DoubleClick was baffling to say the least. A privacy oriented, anonymizing service having dealings with one of Internet privacy's greatest foes is very hypocritical of a company that has the audacity to sell products that DETECT things like DoubleClick in their own "OnlinePrivacyStore."

    Javacool, I have been doing some research as well. What do we make of the following?

    In the Anonymizer Privacy Policy it says, "Because our business is privacy and anonymity, we do not require that users provide any personally identifiable information to use our services."

    Under "log files" it says, "No information connecting a user name or the identity of a user (IP address for example) with the sites being visited is ever kept any where in any form. Our log files do not contain usernames or user IP addresses. Additionally, they are purged every 48 hours. Our own system administrators can not tell who is looking at what, even in real time with root access to the servers."

    Italics above are mine.

    I thought, well that means that they log incoming IP's and domain names as paying members sign-in to Anonymizer. But then the very next sentence says, "Our log files do not contain usernames or user IP addresses." That seems all inclusive to me and not open to a lot of misinterpretation.

    But, later in the Privacy Policy they have links to an "Opt-Out" policy. That policy allows for site owners to "opt-out" and Anonymizer will block access to those sites. It is here they write something that makes no sense at all if the above "no logging of IP's, etc." is true.  "In any case, we cannot reveal any information about the person's identity without a court order." Hmmmm. How could they reveal ANY information at all (court order or not) if they claim to not have information to reveal?

    Compare that with the online anonymous email service (not anonymous browsing) Hushmail.com, where I DO have a paid account. Phil Zimmermann's association with HushMail and his implementing OpenPGP and AES sold me. Read this carefully:
    What if my message is subpoenaed?
    Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.
    In other words, all they will get is a 1,024 bit encrypted email, nothing of much use. Not that anything illegal is going on with most users, but the example as a service that protects the actual purpose of the service from anyone is impressive.

    But Anonymizer? How could they provide information, if they don't log IP addresses coming into the gateway of the service? I am wondering if, in fact, the Anonymizer's privacy statement where it says they do not log IP's "with the sites being visited" is the real story. Otherwise, there would be no information to give under court order. If they DO log incoming IP's and domain names from paying customers as they access the Anonymizer servers, they could hand that over, under court order, and it would tell the authorities, with a quick faxed court order to the ISP, who the account holder is, where they live, phone number and whatever logs the originating ISP keeps.

    So, my question: Is Anonymizer truly anonymous? Maybe to an individual site owner who checks his stats logs, but not to the authorities that matter if one espouses unpopular political ideas, etc.

    Sorry this was so long, but it took a lot to explain all that and my concerns with Anonymizer and Javacool's concerns as well. I hope others chime in here and share their feelings about all this.

    It's still the DoubleClick association, and the info JavaCool provided that raises my eyebrows.

    This is actually very interesting and enlightening.

    John
     
  5. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Re: Here's MORE!!

    I would like to clarify right now that the ONLY proof I have found of ANY connection to DoubleClick is through the page tag after the "?"... which may have to do with something else (there doesn't seem to be any cookies going to DoubleClick or any other information).

    In addition, the page works fine without the ".doubleclick" at the end, showing that it doesn't seem to have any necessary point.

    Of course, that CGI script could always store the data it displays to you - and save it for some other purpose... (while we're on most-likely impractical conspiracy theory that a company would ONLY participate in if it wanted to destroy its own reputation ;))
     
  6. Woody

    Woody Guest

    Your theory holds no water. The reason you see double click after that ? is because the default field setting for the window on this item which has a drop down for "other " domains you can check......
    Look on that page where you see these words..
    _____________________________________________
    Select a domain and we will show you your cookies from that domain.
    _____________________________________________
    just happens to be double click...so the webmaster (called) "named" the page double click.



    _____________________________________________
    If you want to go there and check you must click the button....
    _____________________________________________
    I did not read all your post but this is a test page not a "spy on you" page.  :) :) :) :)


    This privacy site to surf has been in the news lately if you want that info I will be happy to post it for you.

    There are other site like this I can post a few if you like.





    Here is one with SSL on the front end (128-bit) but I do not know your capability. It is free (today). Does not look too bad considering what else is out there.

       https://www.megaproxy.com/_secure/
     
  7. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Woody,

    You made me feel MUCH better. You are absolutely right. A dumb move by Anonymizer to have that name anywhere in any of their URL's though. As for the Privacy Policy that is contradictory, maybe you can find where I am wrong there, (possibly in the part of the post you didn't read) but I don't think so, that one truly baffles me.

    You said you had some more information on the site being in the news and some other similar site recommendations. I have been to many of them, but maybe I've missed some. I want one with URL encryption and not just these freebie "hide your IP" services.

    Thanks, Woody! (And thanks for clearing that up!)

    John
     
  8. Woody

    Woody Guest

    See the link I posted above for megaproxy...

    No comment on the privacy policy you post...it stands on its own for all to decide.

    I will hunt up the new article and post it some day soon.
    ;)
     
  9. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    There is a point worth noting here:  anonymising services are only as valuable as the amount of trust users are willing to invest in them.  There are currently no anonymising services, certainly that I'm aware of, which can operate in a trust-less state.

    (To put it another way, does Project Vegetarian sound more like a good idea now?)
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    https://mbr1.idzap.com/idsecure.php?uid=31001&sid=58962795


    Also, even though you're leery of anonymizer, this is their 'total' service:
    http://anonymizer.com/services/dialup.shtml . With the F-Secure SSH Client Software in the mix there, wouldn't that take care of your concerns with the privacy statement?

    That is, of course, unless both anonymizer and idsecure turn out to be owned by the CIA? :)  Pete
     
  11. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    The problem's not even that basic.  A little political pressure here, a touch of legislation there, and suddenly our anonymising service is a logging service, firmly targeted at those most vulnerable and with the greatest need of privacy.

    Shudder.

    Like I keep banging on about, we need a world-wide, distributed system of double-coupled anonymisers.
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    We already know the CIA was backing SafeWeb (although it can be argued if that was a good or bad thing - since they were looking into using the technology, I believe).

    But the fact that Anonymizer has access to the data that could be revealed doesn't make it seem so "anonymous" at all - something like Hushmail's policy is the way a TRULY anonymous service should be.
     
  13. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Would it work in the UK, where the RIP Act makes you guilty until you can prove yourself innocent, simply by refusing to give authorities your encryption keys?
     
  14. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    In Canada, the penalty for failing to provide a breathalyzer sample to the police is the same as being found guilty of driving impaired. This is how they get around the innocent until proven guilty "right" that most people in the free world are supposed to enjoy. Simply refusing the test winds you @ss up in jail anyhow.

    So if the punishment for failing to provide encryption keys to the authorities was the same as being found guilty of whatever they were after you for, they could circumvent any worries of "innocent until proven guilty" being denied. I could imagine the US gov putting a nice 10-20yr term on that one. This would make all this privacy stuff next to worthless, and I bet it is just around the corner.....
     
  15. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Some very good points made.

    I have wondered something about the RIP Act, Checkout. What if someone is falsely accused, has an encrypted container he hasn't thought about in a year or two and honestly can't remember the encryption passphrase? o_O Which leads to the question, how do they know if you really can or cannot remember the passphrase?

    In the United States, we are lucky enough to have an amendment to the constitution that prohibits being forced to give a passphrase to an encrypted container. It can be used and not imply guilt.

    No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

    The fifth amendment (being used to aggravate all of America now with the ENRON scandal) protects us from being forced to turn over encryption keys, passphrases, etc.

    Now, with that said, I agree with Unicron. There is a move about to strip Americans of basic freedoms and the buzz phrase they want to perpetuate (and people are falling into line) is "There IS no privacy - get over it." I am sick of hearing that as it is all a part of the underlying tone of this Bush administration's war on "terrorism" which is really more a war on "freedom" than anything else. Yet, look at his approval ratings. Scary. But, at least we DO have the 5th that prevents one from having to be a witness against himself.

    John
     
  16. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    It's a moot point:  with the RIP Act, you can't even complain - going public automatically adds two years to your sentence.  I don't actually know what you would be charged with, since they (presumably) can't decrypt your data without your co-operation.  I guess it would be a worst-case presumption.

    Maybe we'd all better make each Wednesday a "reformat my hard disk" day...
     