[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[comp.society.privacy: Re: Is Browsing Secure?]

In der folgenden Meldung nimmt jemand die "Features" des MS
Internet Explorer auseinander. Das Programm scheint
megabyte-weise Daten ueber den Benutzer anzulegen und quer ueber
die Festplatte zu verstreuen. Gesammelt werden u.a. die ueblichen
Web-Adressen, aber angeblich notiert der Newsreader auch welche
Artikel im Usenet gelesen werden und welche nicht usw. usf.

Netterweise stellt Microsoft auch eine C-Library-Funktion zur
Verfuegung die jeden Win95 oder NT Rechner auf seine Ausstattung
hin abfragen kann. 


    William Hugh Murray, CISSP wrote previously: You can have a high
    degree of confidence that vendors such as Microsoft are not likely
    to abuse your system in this way.  They have a much higher interest
    in their good repute than in any data that they might collect from
    your system.

I beg to differ when it comes to Microsoft. Many people seem unaware of
a number of Microsoft privacy issues and I'd like to take a few
kilobytes of your time to focus on just a few of them. When both
software and the operating system beneath them are all controlled by
one single company with no "real" competition to speak of, such abuses
are unavoidable in theory. Please don't bother to flame me about Macs
or Amigas or Ataris or I will bootstrap my MITS Altair, a _real_
computer (click-click). <grin>

I'm Kevin McAleavey and I am the author of the NSClean privacy software
for Netscape which addresses a number of security issues such as
cookies, cache and history databases, javascript pulls and the security
of your identity on the 'net. When we released NSClean several months
ago, we repeatedly pointed out that Microsoft's Internet Explorer did
all of the same things that Netscape did, but press coverage seemed to
center solely on Netscape.

When a large corporation like Microsoft controls such a large chunk of
advertising dollars, you can bet the press won't step on Microsoft's
toes with investigative reporting. Nor it seems, will the U.S.
Department of Justice. I won't waste anyone's time discussing the
cutthroat tactics of Microsoft to annihilate anything that looks like
competition and their compromising of the remainder either. I won't
mention the Win95B "bugs."

Nor will I even bother with the dangers of rogue "ActiveX" controls
which have direct access to BIOS and all levels of the OS above there.
I'm sure everyone's heard enough on this already. Why a company with
the expertise of Microsoft would leave a user's ENTIRE system so
vulnerable to attack from outside is "completely random." At least this
received some press coverage. Microsoft of course denied that there is
any problem with rogue "ActiveX' controls, yet new demonstrations of
their reach at web sites are becoming commonplace. Story's over, please
return to your homes, there's nothing to see here ... :)

Back when Windows95 was being launched, spokespeople for Microsoft
touted a function in the Win95 32 bit API called
"RegConnectRegistry()," a C library function which allows direct access
to the entire contents of the system registry from outside sources via
a 'net connection. They touted it widely as, "a feature that makes it
easier for us to reach into people's computers and fix minor problems
with their setups for them."

This function allows remote adjustment of your system as well as the
ability to "inventory" your system's contents and is part of both '95
and NT. If you doubt me, read the help files on the WIN32 API that
comes with Borland C++ 5.0 - it's there clear as day as a function
available to ANY programmer who writes in C to use as they please. All
you do is call it and it returns whatever you want to look up in an end
user's machine or you can use a subfunction to WRITE whatever you want
there as well.

My NSClean product uses these features internally to help protect user
privacy but does not send them over a connection as intended. Since
we've just released a similar product we call IEClean for the Microsoft
Internet Explorer, I have a great deal of research into MSIE's privacy
risks under my belt, many of them brought to my attention by casual
users who saw little odd things that made them suspicious about why
Microsoft would give away a browser for free when client operating
systems (NT) are sold for four hundred dollars (!) now that Microsoft
is a MONOPOLY in this crucial area. Philanthropy? I think not.

For a company that charges admission of $30.00 or more to attend one of
their "sales events" only to walk away without the goodies promised, a
large number of people have expressed concern that something doesn't
seem right with MSIE's price point. I've heard many concerned users
comment about Greek mythology and wooden horsies and that piqued my
interest in addressing these issues with software.

Upon examination, there are a number of things about MSIE that are ripe
for paranoia. If you've read all the hoopla over Netscape cookies,
history databases and other privacy concerns about Netscape, you may be
surprised to discover that the security issues and disk space wasted by
MSIE far exceed any concerns people may have had with Netscape.

MSIE has TWO "cookie" databases, four separate cache databases, two
history databases, a much larger database to track the sites you've
visited, and an incredibly detailed accounting of each and every
message, image and file attachment you've ever seen on usenet. In
addition, these databases are strewn all over your system in such a way
as to make them very difficult to track down manually. Aside from all
that, MSIE wastes tens of megabytes of hard disk space detailing every
single move you've made on the internet and holding onto it for a very
long time, all at the expense of precious hard disk space YOU paid

If you use MSIE's news reader, it actually records not only the entire
text of what you read, but any attachments (pictures, etc) that are
part of the message with each newsgroup in its own large databases
which even include information about the messages you DIDN'T read. If
that's not enough, the one item that has people concerned the most is
the "search" button in MSIE.

When you wish to search for sites on the web, MSIE sends you to
microsoft.com/access/allinone.asp instead of the search engine you may
think you have connected to. If you know what Yahoo or Altavista or
Excite really look like, you'll notice immediately when you use it. Why
they would make you come to their site, enter keywords only to have
them do the search and return the results to you from their site can
only be left to speculation but it is odd indeed that they do this.

Considering that Microsoft didn't even know there was an internet until
very recently, it would make sense that they would want to know what
people do on the internet and find a way of tapping into a large amount
of search results to determine what they need to sell as products. This
is mere speculation on my part, but many others in the security field
tend to think this the most viable explanation for this situation.

If you'd like to take a look at what MSIE has stored on your system, we
give away a FREE demo version of our IEClean (as well as our original
NSClean for Netscape) on our NSClean website at:

   http://www.wizvax.net/kevinmca/  (trailing slash is needed)

It will show you everything I've talked about above and let you see for
yourself these various privacy concerns. From the web page are a number
of links to other sites with a wide variety of information on the
larger issues in general. Of course I'd like to see folks buy copies of
our full product but that's not my purpose here. There are issues with
MSIE and I would like people to actually see what they are with their
own eyes on their own computers where the data has been squirreled
away. I don't care if anyone buys IEClean, just go have a look at your
own machine.  Suddenly Netscape won't be such a bad idea after all even
if it costs a few bucks.  I know Netscape inside out and our NSClean
product deals effectively with the few minor genuine concerns that
exist with it.

There is a great lack of understanding in the 'net community over many
of these issues and the only way one can protect their privacy on the
net is to be armed with accurate information and the tools with which
to take back control of their privacy. Discovering the issues
themselves is the most important first step in the right direction.

Blind trust in the good will of corporations is probably misplaced. All
of my statements can be verified independently through searches of back
issues of InfoWorld magazine, PC Computing, PCWorld and a wide array of
well-known publications for those who still have doubts. As for my
statements, they are my own opinions I guess. I'm new at all this, I've
only been in the computer security business since 1974. For Microsoft's
Legal Department: I have no assets and I rent. Don't waste your

Thanks everyone for your time ...

Kevin McAleavey (author of NSClean & IEClean privacy software)