lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: tlarholm at pivx.com (tlarholm@...x.com)
Subject: Is the FBI using email Web bugs?

Can we blow off the FUD on images embedded in HTML mails? Whenever I see
the term "Web Bug" used I know that I will have to find factual
information on the subject discussed from another source.

"Web Bug" is just a sensationalized term for an HTTP request made from
an email. Sure, one use of those HTTP requests could be to track if you
have read the email, just like one use of cookies could be to track your
websurfing across multiple sites and build a profile on your surfing
habits, political belief, marrital status and sho size.

Any technology can be used for both good and bad. Cookies are most
definitely used for more good than bad in a scale of the thousands, and
other than spammers trying to verify email addresses by making an HTTP
request from an HTML mail there has not really been any other use of
"Web Bugs".

Some products even try to profit from the fear, uncertainty and doubt
concerning scare terms such as "Web Bugs", like Privoxy claiming to
block these "Web Bugs" - only now, they are not labelled as images in,
or HTTP requests made from, HTML mails, they are labelled as small 1x1
images served from a webpage used for gathering visitor statistics.

If I wanted to spy on somebody or pry on their surfing habits, "Web
Bugs" in whatever label they have this week or the next is the last
thing I would ever consider. To get some perspective, just compare how
many SpyWare backdoors that people have voluntarily installed to get a
free Timer or Calendar application.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Richard M. Smith [mailto:rms@...puterbytesman.com] 
Sent: Wednesday, January 07, 2004 7:24 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Is the FBI using email Web bugs?


Hmm, is an "Internet Protocol Address Verifier" just an email Web bug?
If so, the suspect should have been using Outlook 2003 which blocks 'em.
;-)
 
Richard
 
Feds thwart extortion plot against Best Buy
http://www.startribune.com/stories/535/4304797.html

The federal search warrant was obtained the morning of Oct. 24 and
allowed the FBI, with Best Buy's cooperation, to use an Internet device
known as an Internet Protocol Address Verifier. It contained a program
that automatically sent back a response to Best Buy after the company
sent a message to the e-mail address. The response allowed investigators
to identify Ray as the sender of the e-mail threats, according to the
government.

Assistant U.S. Attorney Paul Luehr said the address verifier was one of
several investigative tools the government used to track Ray down.

"It was a tool that helped us confirm that other leads were moving in
the same direction," said Luehr, who declined to discuss details of the
investigation.

Ray faces a maximum of two years in prison and a $250,000 fine for
property and reputation extortion. He faces a maximum sentence of five
years in prison and a fine of $250,000 for threats to damage computers.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists