Google is being sued by some idiot using Safari on a Mac. US Congress critters investigate.

I noticed this yesterday and decided to comment.

There’s a big stink going on right now. Someone found out that Google was setting “third party cookies” (for their advertising servers) in Apple’s Safari browser, which defaults to not loading third party cookies (which I’ll get to in a moment).

Now it appears that someone using Safari on a Mac that expected privacy somehow, is suing Google. (The PC World article on the first link has a more accurate technical description of what’s going on)

In short, someone found a bug in Safari, and now Google is being sued and is under investigation by Congress. We know how much Congress can be expected to know about the internet based on their hilarious to horrifying attempts to regulate it as many of them uttered things like “I don’t know how this here internet thing works, but they tell me….” or the late Senator Ted Steven’s infamous “series of tubes” comment. To say nothing of the fact that Congress flip flops between mandatory tracking for all and bullshit “consumer privacy concerns” such as this one. (For those concerned with the former, the bill is called HR 1981, but a more fitting name would be HR 1984)

If this was a bug in Firefox, it would be fixed. If it was a bug in Chrome, it would be fixed.

Somehow, Microsoft and Apple users seem to think they can use proprietary secret software when they’re not allowed to know how it works and have privacy at the same time. Software which has a history of many bugs,  with vendors that typically take weeks/months/years to patch them once they’re made public. These companies also slip back doors into the software for various government agencies.

Apple was recently caught with a back door that they put into iTunes, it remained there for 3 years, undetected, which facilitated man in the middle attacks. (A government could use this to run a counterfeit iTunes server and load malicious software onto the victim’s computer. The article calls it a flaw, but we know what was really going on, and that it was likely just moved.).

There’s no way you can trust Microsoft or Apple’s software to protect your privacy. Anyone who has actually read the EULA for Windows (especially XP, Vista, and 7) should know that there are at least several dozen Windows components that phone home to Microsoft with your personal information. Most do it over an encrypted connection so that the user has a very hard time telling what is actually being sent to them. Apple isn’t any better.

Let’s get back to cookie controls. They’re a red herring. They’re totally bogus. They don’t do anything for you. Every browser has them, even Internet Explorer 6. They don’t do anything to protect you because cookies are passe. Tracking and spyware sites have developed data mining techniques that work well even if the user clears every cookie they ever set.

One method is to associate IP addresses with log ins. Facebook, Google, and Microsoft all do that. Even after you log out, it’s possible for them to track you personally. There’s other methods. Browsers like Firefox and Chrome are just now starting to implement watered down privacy controls for Adobe’s Flash software (which is proprietary software and a frequent cause of cross platform/cross browser security problems).

Flash has “supercookies”, or what is more technically known as Local Storage Objects. Flash LSO’s can be up to 150 KB (which is 37.5 times larger than a cookie), a site can store as many as they want on your computer (just like a cookie), and (unlike cookies), most browsers do very little to nothing about them. Silverlight has something similar, users of Windows where Silverlight is sneaked over the fence by Windows Update should take notice of that.

The take home message here is that it was ludicrous for this guy to expect any kind of enhanced privacy just because Safari has some lame cookie controls which are a piss poor clone of something Mozilla introduced well over 10 years ago. I really doubt that will stop this frivolous lawsuit, and I fully expect the anti-Google interests called Microsoft and Apple to play this up for all the drama it’s worth.

Microsoft hired the scumbags over at  Waggener Edstrom a while back to launch a smear campaign against Google, and Microsoft is already jumping on this Safari problem like a dog in heat. (I won’t link since I can’t seem to find an article that is telling people the truth about where the anti-Google smear is coming from. Waggener Edstrom specializes in astroturfing and attack ads. They’ve worked for companies like BP and Walmart, and for many a corrupt politician. (When you see that disgusting outrageous pants-on-fire “GMail Man” attack ad, that’s who made it).

If you’d like to know more about these people, Techrights has occasionally blogged about what they’re up to and who they work for.

So now that we’ve covered the facts about Microsoft and Apple, IE and Safari’s lack of real privacy controls, and why cookie controls do nothing.

There’s a number of things you CAN do to really prevent or limit how sites track you. Here’s some suggestions.

Firefox users can use Adblock Plus (just remember to opt out of the “acceptable ads nonsense). Delete Easylist’s filter subscription, and add these instead.

Better yet, use Chrome/Chromium with Chrome Adblock, remove Easylist, and use these instead. (Chrome Adblock is better than Adblock Plus for Chrome, the two are unrelated)

Firefox or Chrome 17+ users can install HTTPS Everywhere (The Chrome version is an alpha for the time being, but it does work)

Opera users can use Opera’s content blocker to block advertising and stat/tracking sites. Pre-made lists here. Remember to manually update them now and then or skip the process and let Opera Adblock do the same thing for you if you have Opera 11 or later.

Firefox and Chrome can also block Flash applets from automatically loading, saving you bandwidth and making flash applets that track you or load malicious software less effective. Firefox has Flashblock, Chrome users can enable the Click to Load option in the advanced settings for plug-ins.

Weaker protection for users who insist on inferior browsers with government spyware built in.

Internet Explorer 9 supports “tracking protection lists”, which are a small/watered down subset of true content blocking. Pre-made TPLs for IE here.

Safari users can use Safari Adblock, it’s from the same guy that made Chrome adblock. I’ve never used that one, but if it comes with Easylist, rip it out and add these.

The bottom line is that the only way to protect yourself from tracking servers is to not connect to or run applets from them to begin with.

AT&T finds another way to mug their customers…

Bandwidth caps:

Or “If I had only known then what I know now, I may not have left Comcast”

I just checked my more or less abandoned Hotmail account the other day because I needed to retrieve a license key for a particular piece of software I bought a long time ago (and they only send the key to the email address you gave them when you bought it).

While I was digging, I noticed a letter from AT&T. The letter was very unprofessional because it didn’t even mention what service that it was in regards to. My mother, who is computer-illiterate, had them send her cell phone account info to that email address because she needed it in order to get “rebates” on her cell phone plan. Ever since then I’ve resigned myself to the fact that anything I see from AT&T that lands there is hers. I couldn’t get them to stop because it’s her account, she can’t get them to stop because she called one day, spent a typical AT&T hour on hold, got someone that said he fixed it and didn’t. (Again, everything I’ve come to expect out of AT&T).

So I get something from AT&T that said I went over my “data plan”. I didn’t notice, but AT&T has had a DSL cap of 150 GB a month since March. I figured my DSL didn’t have a cap, because it was “unlimited” when I started subscribing to it. So I figured it was talking about her cell phones. So I called over to their house, told my step dad that they might want to watch how much data they use over there and inadvertently started a fight that hasn’t let up between them yet. As soon as I found out that this was not about them, but was about AT&T DSL, I have never felt so pissed off in my life. I started World War III over there over something AT&T did to screw me over that has nothing to do with them.

Now that I’ve gotten that out of the way, here goes the obvious rant about data caps:

The nature of the DSL system makes it very very cheap for AT&T to solve congestion problems. Likely a few upgrades to DSLAMs here and there would clear up any problems (if there are any). For a company that makes record profits and gets to overcharge so much already due to being a near monopoly in the United States, these upgrades would be peanuts.

What is really happening, obviously, is that someone at AT&T noticed that if they can extract $10 a month extra here and there from their existing customers, that’s pure profit. Some of them may even not notice right away due to AT&T’s tendency to use cram methods so you never know quite what you’re paying for, and I doubt anyone is going to sue over $10-$20 in overage. Another fact, like in my case (where I got the two warnings this year), is that I changed email services quite some time ago and AT&T had an old Hotmail address I was barely using. Why aren’t they sending this crap to my ATT.NET email account? That’s my official AT&T email account. They sent those hilarious and absurd warnings about IRC being Windows malware to that address earlier this year. I do check it now and then to see if there are any account notices. Not quite as often as I could, but anyone who relies on ISP email is stupid. It is instant lock-in. If you ever leave that ISP, like I likely will with AT&T in the coming months, then they simply delete your email address and give you no forwarding options. Yet the fact remains that it is the official email address tied to my account and they should be using it in all official communications with me.

Now that we’re past the parts where AT&T made me to be an asshole and inadvertently start a war between my mother and step-father, then almost surprised me with a whopping bill full of overages, let’s talk a little about Adblock Plus and other ad blocking, like Privoxy or host files or Chrome Adblock or Opera’s content filter…or……you get the point.

I looked at my monthly usage for the last year, ad blocking the entire time. and I noted that there would have been an additional ~5-6 times that I got so close to either the 150 GB cap or the next cap (they sell you additional 50 GB chunks at $10 each), that I would have essentially paid AT&T another $50-$100 over the last year if I had turned my ad blocker off.

Note to website owners: Sure I feel for you, but I am not going to turn my ad blocking off and pay another $10-$20 a month in overage fees for the bandwidth that your 10 foot tall Microsoft ads in flash (the example I used was Phoronix.com at one point). If you would like to replace them with ONLY static ads or Google text ads, which do not chew bandwidth, and then apologize and promise on your site to never resort to that behavior again, then I promise to consider whitelisting your site. As it is though, I don’t feel like paying highway robbery to get Microsoft ads in flash and “buzzing mosquitoes” and “shoot-the-monkeys”.

In the kind of networks where there really are congestion issues by design, such as cable, it’s likely that this abusive advertising is what is actually “clogging the pipes”.

 

 

 

 

 

Another alternative to Adblock Plus. Just use Opera.

Continuing to mention alternatives to the corrupt Adblock Plus people, takes me to Opera.

I myself don’t use Opera much because it is proprietary software. Although one thing that Opera doesn’t do that Adblock Plus (which is not proprietary) is doing now, is override what the user has told it to block and show garbage and malware links anyway.

Sadly, Privoxy seems to be the only real option for blocking ads in Firefox other than Adblock Plus, I covered it in my last post, but it is unwieldy and as the kind of shit that only Internet Explorer users would have had to do back in 2001 when more than a few Opies were using it (most of them, unwillingly). Now that Wladimir Palant has abused his monopoly to enrich himself by selling paid exceptions to the user’s ad blocking rules under the table, the only option beyond Privoxy is switching browsers. There’s Chrome/Chromium, and I will mention it and its limitations in a follow up post, but you’re actually worse off with Chrome than you are with Firefox, and so I’ve decided to do Opera first.

Opera has had “content blocking” for quite some time. Unlike Firefox which depends on a monkey patch called Adblock Plus., and unlike Chrome whose extension support is still a complete joke. Opera also supports user scripts and user style sheets without the need for cumbersome add-ons like Firefox depends on for this.

Opera’s content blocker is so simple a caveman could do it. Plop in a urlfilter.ini file with rules and a user style sheet to kill whitespace and hide crap that is otherwise difficult to remove. (yes, I’m talking about Google’s search result ads that frequently lead to phishing and malware again. Get your XP Super Duper Antivirus 2012 Edition while they’re hot! Guaranteed to find made-up malware and “remove” it for the low low price of $30 wired to India. Comes loaded with spelling and grammar mistakes! *except in Nebraska! *No Reversi *All sales final *Credit card subject to being maxed out before you can call to dispute the charges!)

One such list that is well maintained and thorough is Fanboy’s List. The author of this list expressed some opposition to the so-called “acceptable advertisements” idea in “Adblock Sometimes”. (New name!).

Fanboy’s Opera adblock stuff and instructions here:
https://secure.fanboy.co.nz/adblock/opera/

Other than that, there’s not a lot to say about blocking ads in Opera except that it is better than “Adblock Sometimes”. The one downside to this is that you need to manually update your lists from time to time or they will become old and less effective. It isn’t hard, just download the new files and save them over the old ones.

Update: There’s an Opera Adblock extension which basically manages filter subscriptions using the built-in content blocking and user style sheet functionality. Unlike Adblock Sometimes for Bloatzilla Firechrome, it does not sneak around and turn some of the ads back on in defiance of the user. Imagine that…

Installing Privoxy 3.0.18 in Ubuntu Oneiric or derivatives

Since Adblock Plus sold out and can no longer be considered trustworthy, I have decided to explore other options.

Short story: Adblock Plus 2.0 development branch has added a new “feature” they call “acceptable advertising” and flipped it on by default without asking the user. The default whitelist is so far only including advertising from networks like Google with suspiciously deep pockets, leading me to believe that money has probably changed hands somewhere along the way. You can opt out of this through a rather unwieldy process, but most people won’t. I find “acceptable ads” to be unacceptable because even Google Adwords is well known for profiling the user even if they only use non-Google sites and they’ll let anyone with enough money take out an ad, even if it leads to phishing sites or Windows malware. Most definitely NOT acceptable. (But hey, it’s your computer and if you like XP AntiVirus Super Duper 2012 Edition, I think you’re beyond my help.

Privoxy is powerful but has a daunting (not terrible, but compared to Adblock Plus, rather involved) setup if you want it to work as best it can, so I have decided to document the entire process here that I used.

Step 1: Remove Adblock Plus from Firefox. The only reason we’re going to switch to Privoxy is because Adblock Plus is no longer trustworthy.

Open the add-ons menu. Either by clicking the Firefox button followed by Add-Ons, or if you use the classic menu, then Tools followed by Add-Ons.

Find Adblock Plus. Click “Remove”. Firefox will want to restart.

Step 2: Install Privoxy.

Ubuntu Oneiric comes with 3.0.17, which is now outdated and has some serious bugs that have been fixed in 3.0.18. The packages from the development branch of Ubuntu (codenamed Precise) work fine and provide version 3.0.18.

Go to this page:
http://packages.ubuntu.com/precise/privoxy

Under Download Privoxy, choose the package for your architecture. Mine is AMD64, but you might be using the i386 version of Ubuntu. Choose whichever applies to your system.

Click on any mirror you want, it will offer you the DEB file. Once the DEB file has finished downloading, either double click on it in the Downloads or open your file manager and go to where you downloaded it and double click (single click for Kubuntu users) on it to launch the package installer. Install the package.

NOTE: Installing packages from other versions of Ubuntu is not always a great idea. Privoxy just happens to be really small with no dependencies that can’t be satisfied by Oneiric. DO NOT make a habit of doing this!

Step 3: Make sure the Privoxy daemon (service) is running. It probably is, but this can’t hurt.

Open a terminal.

sudo service privoxy start

Step 4: Configure your proxy settings to route through Privoxy (Privoxy operates as a local non-caching proxy server).

In GNOME or KDE or whatever you use, set HTTP and HTTPS to use 127.0.0.1 on port 8118 (where Privoxy listens). Do this again in Firefox’s Network preferences. It should pick up your global settings but it is Firefox and you know how things that should happen on Firefox for Linux sometimes don’t.

Firefox/Preferences/Preferences/ or Edit/Preferences followed by Advanced then the Network tab, click Configure How Firefox connects to the Internet, and use 127.0.0.1 and port 8118 for HTTP and HTTPS.

(Yo dawg, I heard you liked Preferences so I gave you Firefox so you can have Preferences with your Preferences!)

Step 5: Configuring Privoxy.

Privoxy is actually a pain in the ass to configure with text files by hand. It does have a web browser-based GUI setup for filtering operations, but it must be enabled in a configuration file. There is no need to restart Privoxy after modifying anything since the daemon (service) notices a few seconds later that the settings changed and applies them immediately.

Press Alt+F2, this brings up a run dialog under pretty much any desktop environment worth using. Remember this is for Ubuntu derivatives, others tend to use gksu and kdesu, but since Ubuntu does not set up the root user by default, it uses gksudo and kdesudo instead. Fedora KDE also seems to come with kwrite instead of kate, so Fedora KDE users would use kwrite. I use Nano but I am striving to make this as painless as possible for users accustomed to a GUI.

GNOME/UNITY: gksudo gedit /etc/privoxy/config

KDE: kdesudo kate /etc/privoxy/config

Now we can edit the main config file. Note. Make sure any lines I say to edit don’t have a hash symbol in front of them (one of these #) or Privoxy will interpret them as a comment and fail to parse the rule.

Go to section 4.5, titled enable-edit-actions. Scroll down. Find the line that says:

enable-edit-actions 0

change it to

enable-edit-actions 1

Go to section 4.8, titled buffer limit.

It defaults to 4096 with a line such as:

buffer-limit 4096

I find it runs better with a 16 MB buffer. I have lots of RAM. Yay RAM. I change it to:

buffer-limit 16384

Go to section 6.4, titled keep-alive-timeout.

It’s set to 5 I find it works best with 300.

So I change this:

keep-alive-timeout 5

to this:

keep-alive-timeout 300

Save the file and exit.

Step 6: Close Firefox if you still had it open, and restart it.

Step 7: Type this into the location bar and hit enter:

config.privoxy.org

(Privoxy intercepts this and redirects it to its own configuration page, if Privoxy is not running,  you get a page on Privoxy.org telling you it is not running, if this happens, try clearing your history and trying again.)

You should get something like this on the page that comes up:

This is Privoxy 3.0.18 on localhost (127.0.0.1), port 8118, enabled

Step 8: Configure the filtering rules. (We’re almost done)

On the config page, click the link “View & change current configuration”, then under “Actions Files” there should be “/etc/privoxy/match-all.action” as the first listing. Click the Edit button next to it.

Under “Actions” set to “Cautious”, it should provide a minimal template from which to work without stupid filters that don’t apply to Linux users. (At least, I don’t think many of us need a filter to block some common Internet Explorer 6 vulnerabilities)

Now, to the left of the Cautious button, click the Edit button. What follows is how to get the setup I use. Some filters look tempting but actually break some sites. If you want to experiment with them later, do it one at a time and turn them off if they break something you use.

fast-redirects, click green button to enable, check decode entire url.

filter refresh-tags, green to enable, check “Decode URL before checking”

filter img-reorder, green to enable

filter banners-by-size, green to enable

filter banners-by-link, green to enable

filter webbugs, green to enable

filter no-ping, green to enable

filter google, green to enable

hide-from-header, red to disable (No browser since the mid 90s that I know of sends out your email address to every page you visit. This one is stupid.)

hide-referrer, green to enable, check “Forge referrer if host has changed, but don’t touch in-site referrers.”

set-image-blocker, green to enable, check “Send a 1×1 transparent GIF” to reduce page clutter.

Click submit.

Step 9: Privoxy doesn’t handle pop-ups and unders that well since there’s a lot of sneaky ways to load them. We can deal with this problem from within Firefox itself. Note: Adblock Plus was only blocking most pop-ups because it had explicit rules for them which needed a lot of complicated filtering and still missed some.

In Firefox’s location bar, type this, and hit enter.

about:config

If necessary, click the do not show me this again thing that comes up and jokes about “voiding your warranty”.

In the filter box type popup and locate dom.popup_allowed_events and double click it. Remove everything. Sites now have no way of loading pop-ups. The “Firefox has blocked a pop-up” thing will appear when one tries and you can use that to load the pop-up anyway or whitelist that site for next time. (My bank uses them, sigh).

Step 10 (Optional): While in about:config, let’s toggle some other nonsense that Firefox has done by default.

In the filter bar, search general.autoscroll, double click it to change it to true. Mouse wheel scrolling on Linux instead of the stupid X11 clipboard ftw.

In the filter bar, search for trim, locate browser.urlbar.trimURLs and double click to change it to false. This will revert Firefox to the traditional behavior of telling you what protocol the loaded site is using in the address bar and fixes the problem (on Linux anyway) of occasionally copy pasting a URL without the http:// or https:// or ftp:// or whatever bits.

Congratulations. Privoxy should now be set up. It’s a shame that Adblock Plus decided to take on an anti-user stance in exchange for Google’s money and that we have to block ads in Firefox now with a local proxy server like it was 1999 all over again if we want to avoid the abuse I’m sure is coming from Wladimir Palant and “Rick752″ and friends.

Until next time, this is DaemonFC reminding you that the only “acceptable” ad is a dead ad.