BUGNOSIS!

Download Bugnosis here -

[link]http://www.bugnosis.org/[/link]

If you haven't heard about it yet - here's the scoop!

John


SAN FRANCISCO (April 21, 2002 3:22 p.m. EDT) - Internet bugs - tiny, hidden images that can cue your computer to send information on you to advertisers, are being caught and dissected by a new software program called Bugnosis, one of a number of Privacy Enhancing Technologies or PETs discussed Friday at the 12th Annual Conference of Computers, Freedom and Privacy.

Other technologies presented during CFP and a sister conference, Privacy Enhancing Technologies 2002, included methods to hide the names of persons making Internet queries and new ways to send private messages through mechanisms like message timing information.

Web bugs - named after the eavesdropping kind of electronic bugs, not programming flaws - are intentionally planted pictures in the files that make up the graphics of a Web page. Only a few pixels in size, the pictures are invisible to the naked eye. Some bugs are only meant to provide spacing between the graphics. Less benign versions are separate, buried Web pages with different Web addresses than the requested Web site.

When a computer opens a Web site with an embedded bug, the bug file is loaded onto the computer along with the rest of the Web page. If the hidden graphic is a true bug, it sends out a call to its home advertising or tracker site to send an ad. In the process of making the request the bug sends basic information about the computer it is on. Some bugs work in tandem with Internet programs called "cookies," sending the detailed information contained in these programs as well.

Cookie programs - often lots of them - are planted on your computer when you visit many Web sites. They are used to store useful information like passwords and other data such as your history of purchases from that Web site. But they can also be used to track what other sites you visit and may contain very personal information. Some types of cookies from ad firms with many, many contracts can be used to monitor Web behavior and create customer profiles.

Bugnosis, which works with Internet Explorer, catches the bugs - alerting the user with a little "uh-oh" sound. It gives the Web address of the bug and points the user to where the bug is on the screen using a cartoon of an insect. The program indicates the severity of the bug caught and opens a box at the bottom of the screen that shows what information is being passed along.

David Martin, a professor at Boston University and a member of the two-man Bugnosis team, told CFP attendees that one bug they caught has forwarded his user name, real first and real last name, password and the latitude and longitude of his house - the latter derived somehow and saved by a cookie after he had typed in his address days or weeks before. Companies found to have bugs on their Web sites included Microsoft, MSNBC and Verisign, a company that works to support Internet site security.

Referring to the very large cookie data file triggered by the Verisign bug, Martin said "this (file) goes on and on. They have a bunch of stuff I can't understand... but they also have ... the results of a Google search," referring to the popular Internet search engine site.

Martin noted it was a Web site that appeared as a result of the search, not the Google search engine itself, that had provided the initial data for the file.

"People are doing that sort of thing more and more these days, said Roger Dingledine, who works on security issues at the Somerset, Mass., firm Reputation Technologies, Inc.

"You've got cookies, you've got web bugs - whatever else is on the list," Dingledine said. "Basically the goal of the people running the Web servers is to be able to figure out as much as possible about the people going there, and they are going to do it using whatever technology they can."

He added that, "It's going to be an arms race between people wanting privacy and people wanting to learn more about their customers."

Work on Bugnosis was supported by the Privacy Foundation, Boston University and the University of Denver, where most of the work was done.

 

Bugnosis will simply alert you to the presence of webbugs and nothing more.

 

Note also that it works only with IE.

It's also a BHO.

It also adds hundreds of entries to your registry.

When I tested it a couple of years ago, it had extremely high processor usage, people were reporting un-install problems and conflicts with other programs and general flakiness problems (FI, it turned itself back on every time you opened a new instance of IE).

Even if the program itself has improved in the interim, it seemed as though most people weren't understanding what Bugnosis was telling them - or they insisted on having it display all information, not just the potentially harmful stuff.

Un-installed it then and no desire to re-try it now. Pete