Archive for March, 2010

Browsing Anonymously: They Know Where You’ve Been (Online)

Friday, March 19th, 2010

One of my favorite authors ever, in one of my favorite books ever, wrote:

Just because you’re paranoid doesn’t mean they aren’t after you.
- Joseph Heller in Catch-22

And so to the paranoid among you, and those who should be, I present a quick lesson in how truly un-anonymous you are online, and how much more anonymous you can become.

The first thing everyone needs to know, but most people don’t fully appreciate, is that your activity online is like your activity in real life: without unusual precautions you’ll leave your virtual DNA everywhere. For most of you a collective “so what” is a reasonable reaction. You’ve got lives to live, and you don’t anticipate anyone would likely be interested in where on the web you go. But anonymity (and the privacy it brings) can be important in many reasonable situations. And for some there is a general principle involved: the principle that we have a fundamental right to privacy, that should not be abridged (just because it is so easy to do and provides a thin veneer of national or regional security).

On that note, let me show you how, how much, and where you shed your virtual DNA…

Let’s examine the simplest thing you’re likely to do on the web. You just watched a Discovery channel show about pandas and find yourself curious about how pandas procreate. What happens when you do a quick Google search on “panda bear sex” and click the first result? Here’s what happens:

Your Action or its Result: You type your keywords “panda bear sex” in your browser’s search box and hit “enter”.
Who Sees Your Data? Browser (its search form history)
What Data do They See?
  • search phrase
  • computer username
Why do they want it? Your browser’s search form remembers this search phrase to make your life easier.
How long do they hold it? Indefinite. Usually until you have so many phrases that it prunes the list. Even after that the data is still on your hard drive, recoverable until over-written.

Your Action or its Result: Your browser plugins (also known as browser helper objects and add-ons) act on the URL, if applicable.
Who Sees Your Data? Anti-virus / Browser Plugins
What Data do They See?
  • url
  • date/time
  • IP
  • city/state/country (from IP)
  • anything else they want
Why do they want it? Most software firewall/anti-virus suites include a browser plugin that can check every site you want to visit against a list of potentially harmful sites. This can mean (depending on implementation) that they are passing information to their backend about every single browser request you make. It’s like you are cc:ing them on every URL you want. Plugins make the experience of the web much richer, but each one has access to the URLs you visit, the content of those URLs, and anything else it wants on your hard drive (files, data, webcam, microphone, gps, etc.).
How long do they hold it? Indefinite. Could be anything.

Your Action or its Result: Your web browser contacts Google search via your internet service provider (ISP) to get the Google search results.
Who Sees Your Data? Your ISP (the government, etc.)
What Data do They See?
  • url
  • search terms
  • IP
  • date/time
  • city/state/country (from IP)
  • name
  • address
  • phone number
  • social security number
  • credit card number
  • and more…
Why do they want it? Your ISP is the only one who knows exactly what IP corresponds with exactly what household. And for that household they have a name, phone number, address, perhaps credit card and social security number, etc. In no way am I suggesting you should be afraid of your ISP, per se. They will not divulge your identity behind your IP to just anyone, but in this new age of loosely targeted government warrantless wiretaps, RIAA anti-piracy monitoring and lawsuits, etc. ISPs are giving up your identity with and without legal necessity. And ISPs have installed government packet sniffing NarusInsight nodes at their facilities which can analyze all network traffic passing by, looking for activity they deem “suspicious”. And suspicious likely includes the use of keywords, phrases, website urls, etc. that may have worrying or innocent uses. Also note, other ISPs are involved as your internet traffic crosses various networks. The ISPs in between can record the traffic they see.
How long do they hold it? ISPs are legally required to retain information about you for 6 months to 2 years, specifically to help law enforcement. What they retain is left somewhat open-ended, but is at least the information about who had what IP when. ISPs have also in the past generated revenue by selling traffic information to third-party companies, helping search engines and advertisers know what web sites are popular; they would not directly include your IP, but poorly written sites can leak some data through URLs.

Your Action or its Result: Google receives and responds to the request, via the ISP.
Who Sees Your Data? Google
What Data do They See?
  • url
  • IP
  • search terms
  • date/time
  • city/state/country (from IP)
  • identity (possibly)
Why do they want it? They record the URLs you visit to improve their search results, and also to provide you with features. If you have a gmail account, a Google account, a YouTube account, etc. and you have cookies enabled, Google knows specifically who you are with every search you do and can do things like show you (optionally) your search history.
How long do they hold it? They say they keep data at least 9 months. (Presumably they keep the data indefinitely if they have your permission as part of a feature of theirs, or if they dis-associate it from your IP.)

Your Action or its Result: Your browser receives the results from Google, but won’t show it to you quite yet. First your browser stores the file it received on the hard drive, adding it to your browser’s cache of the web page.
Who Sees Your Data? Browser Cache
What Data do They See?
  • url
  • contents of web page
  • date / time
  • computer user name
Why do they want it? What you see when you view a web page is a combination of many text, style, video, and audio assets all combined into one rendered document. Each asset is fetched separately, and stored separately in the cache. Many of these assets are re-used between different pages on a site (for example the images in the header and footer of a page). It would be wasteful for the browser to request these re-used assets every time you visit another page on the same site. The cache saves the remote server work, saves your local browser work, and lets you click from one page to another more quickly (since it already has most of the assets you need).
How long do they hold it? Indefinite. Lifetime of the cache, then as long as it takes for the info on the disk to be over-written.

Your Action or its Result: Your browser history records the url of your search results in your browser history. It still won’t show you the page yet, still a few steps away!
Who Sees Your Data? Browser History
What Data do They See?
  • url
  • date/time
  • computer username
Why do they want it? Your browser’s history can be your good friend or your worst enemy. Useful when you want to revisit a site whose name you can’t remember, but it can be an awful snitch if you plan to cheat on your wife or husband via an online dating site.
How long do they hold it? Indefinite. You can modify the retention time in your browser settings, but keep in mind the data on a hard drive is not destroyed until it is over-written (and not even, always, then). A URL you visited 2 weeks ago may disappear from the list because you set a 2 week limit, but the url is still on the hard drive and can be recovered, until the disk happens to re-use that space. If you tell your browser you want NO history, this doesn’t necessarily mean it wasn’t recorded on the disk. Many browsers still record to disk and only delete the entries when you close the browser. But deleting is not destroying.

Your Action or its Result: Your browser plugins act on the document of results from Google, if applicable. Nothing is shown yet, but we’re getting close!
Who Sees Your Data? Anti-virus / Plugins
What Data do They See? See above on Anti-virus, plugins.
Why do they want it? See above on Anti-virus, plugins.
How long do they hold it? See above on Anti-virus, plugins.

Your Action or its Result: Next your browser sets cookies that Google requested. Almost there!
Who Sees Your Data? Cookies
What Data do They See?
  • url
  • date / time
  • computer username
  • remote session ids
  • other data you gave the remote site
Why do they want it? Cookies are vital for site personalization and authentication. They are benign except that they can contain data which could be found and used to tie you to sessions on other servers, topics you are interested in (based on searches, ads clicked, etc.).
How long do they hold it? Indefinite. Lifetime of the cookie, then as long as it takes for the info on the disk to be over-written.

Your Action or its Result: Now you see Google results!
Who Sees Your Data? None*
What Data do They See? n/a
Why do they want it? * In the case of Google where all the advertisements are Google’s this final step of viewing the page doesn’t open you up to any new privacy leakage… but see the next few steps which mention the anonymity risks regular ads, Java, Flash, and other things pose…
How long do they hold it? n/a

Your Action or its Result: You click on the first search result and your browser sends a request to Google via your ISP to redirect you to the first search result, “PandaLovingInfo.com”.
Who Sees Your Data? Google, ISP
What Data do They See? See above on Google and ISP.
Why do they want it? Google wants to know which results people click on.
How long do they hold it? See above on Google and ISP.

Your Action or its Result: Your browser is redirected to PandaLovingInfo.com.
Who Sees Your Data? Website, ISP
What Data do They See?
  • referring url
  • date/time
  • IP
  • city/state/country (from IP)
  • search keywords
  • ISP has access to your personal details (as mentioned above)
Why do they want it? Websites want to know where their inbound traffic comes from, want to know how many users they have, what their users do, etc. They can collect this anonymously and then tie it to an account you create later. And see above on ISP.
How long do they hold it? Indefinite. No universal rule, they can keep the data as long as they like. And see above on ISP.

Your Action or its Result: You now see the webpage on PandaLovingInfo.com, where all your questions will surely be answered!
Who Sees Your Data? Cache, plugins, and cookies
What Data do They See? See above on cache, anti-virus, plugins, and cookies.
Why do they want it? See above on cache, anti-virus, plugins, and cookies.
How long do they hold it? See above on cache, anti-virus, plugins, and cookies.

Your Action or its Result: You are shown advertisements on PandaLovingInfo.com offering many wonderfully peculiar items.
Who Sees Your Data? Advertisers on the website
What Data do They See?
  • url
  • date/time
  • IP
  • city/state/country (from IP)
  • search keywords (maybe)
  • referrer (maybe)
  • other information about your interests/identity (maybe)
Why do they want it? Advertisers want to know where you live, what you’re interested in, and anything else they can. They can track you between sites, so they know you are the same person who was interested in zebra mating rituals last week.
How long do they hold it? Indefinite. Whatever they want it to be.

The above is about as simple a web experience as you can get. You do one search and view one result, and see how many people are given access to what you’re searching for, and to varying degrees, who you are, what you like, etc. If you want to be truly anonymous, every single “leak” listed above must be plugged.
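
To make the “Website” and “Advertisers” rows concrete, here is an added example (not part of the original post) that reads server access-log lines the way a site operator would and pulls out the fields listed above: IP, date/time, referring url, and search keywords. The log lines are constructed samples in the common Combined Log Format; the IP address, the ad request path, and the list of search parameter names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Query-string keys that commonly carry search terms (assumption, not exhaustive).
SEARCH_KEYS = ("q", "query", "p")

# Constructed sample lines. 203.0.113.7 is a documentation-only address.
# SITE_LINE: what the visited website logs. AD_LINE: what an ad server logs
# when the page pulls in its banner (hypothetical path /banner.js).
SITE_LINE = ('203.0.113.7 - - [19/Mar/2010:10:15:32 -0500] "GET / HTTP/1.1" 200 5120 '
             '"http://www.google.com/search?q=panda+bear+sex" "Mozilla/5.0"')
AD_LINE = ('203.0.113.7 - - [19/Mar/2010:10:15:33 -0500] "GET /banner.js HTTP/1.1" 200 812 '
           '"http://pandalovinginfo.com/" "Mozilla/5.0"')
DIRECT_LINE = ('203.0.113.7 - - [19/Mar/2010:10:20:01 -0500] "GET / HTTP/1.1" 200 5120 '
               '"-" "Mozilla/5.0"')


def visitor_view(line):
    """Return what a server operator learns from one access-log line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line
    view = {"ip": m.group("ip"), "time": m.group("time"), "requested": m.group("path"),
            "referring_url": None, "referring_host": None, "search_keywords": None}
    referer = m.group("referer")
    if referer in ("", "-"):
        return view  # typed URL, bookmark, or referrer withheld
    parts = urlsplit(referer)
    view["referring_url"] = referer
    view["referring_host"] = parts.hostname
    params = parse_qs(parts.query)  # decodes "+" and %XX escapes
    for key in SEARCH_KEYS:
        if params.get(key):
            view["search_keywords"] = params[key][0]
            break
    return view


if __name__ == "__main__":
    for party, line in (("website", SITE_LINE), ("advertiser", AD_LINE),
                        ("website, direct visit", DIRECT_LINE)):
        print(party, visitor_view(line))
```

The same IP and a one-second gap appear in both the website’s and the ad server’s line, which is all it takes for two separate parties to hold a record of the same visit.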

In the next installment I’ll talk about the dangers posed by these traces you leave, and in the final installment what you can do about it.

- Quinxy

HP Slate and MS Courier, The Second Coming of the Tablet PC

Tuesday, March 16th, 2010

In the last few weeks new details have emerged about upcoming contenders vying for the market the iPad is expected to create. 

Videos, screenshots, and details of Microsoft’s Courier have appeared on Engadget, and reveal the device to be a brilliantly innovative book-like digital journal running a form of Windows Mobile 7 and arriving in Q3 or Q4. But the information comes not from Microsoft, but from a “trusted source”, so there’s good reason to doubt the final product will match the cleverness shown in these videos; I can’t remember the last time I saw a product from Microsoft which I would call innovative (the word derivative is the one I expect to use for their products). One of the most surprising things for me about the Courier as alleged is the focus on the digital-journal-centric design. It certainly differentiates the device from the other players in the field which stress no particular application or use (aside from the ubiquitous browsing or reading apps). This could be key to its success or demise, despite the fact that it will no doubt also run apps of every other description as well; the device wouldn’t be limited by design, only by the limits people read into it. This journaling direction isn’t completely new to the Tablet PC versions of the Windows OS which have long had a primitive but good journal app, but if this truly does deliver on the features shown, it just may be worthy of being a central feature of the OS and device.

The HP Slate also got some press this week, debuting in some videos released by HP.  In form, the Slate is akin to the iPad, but certainly larger than the foldable Courier, but what sets the Slate apart from both is that it runs a full desktop OS, Windows 7; that is a good and a bad thing.  Included in the good is that every Windows app will run on it, that it will be more easily integrated into (and therefore greeted by) conservative business environments, and that for all users the full web means the full web (every last glorious and icky part of it).  Chief among the negatives of a full OS, it’ll never be as elegant to use (since both OS and apps are not going to be exclusively designed for that form factor), the battery life will never be quite as good, it’ll always run somewhat hotter, and it’ll never squeeze the best performance out of whatever cpu is inside it; my last three points hinging on the fact that a full OS will always be more bloated in ram, disk, and cpu cycles required to support the services, features, and other “stuff” necessary to accommodate an entire back catalog of Windows applications.


If the HP Slate or the Windows Courier (as described) both appeared on the market tomorrow at a sensible price I’d probably buy ‘em both (but not the iPad); perhaps one won’t preclude the other. The Courier might become the digital journal I carry with me everywhere, which can be my RDP connection to full computers when/where I need them. And perhaps the Slate would replace my Tablet PC as my mobile ideating and writing computer, for the apps like MindJet’s Mind Manager, MS Visio, MS Word, web for blogging, etc. (with bluetooth keyboard/mouse).

It’s times like these I wish I had a time machine…

Site Back Up! It Had Been Down Temporarily. :(

Tuesday, March 16th, 2010

We apologize but one of our database tables “crashed” and needed urgent repair. The issue was causing several of our main site features to fail (search, downloading, and registration). We originally hoped we could do the repairs overnight and just limp along until then, but it soon became clear we had to do this ASAP. This sort of thing can happen periodically with MySQL, it’s not a big deal, just takes a little while to rebuild the index. We use replication and backups, so no data was lost. We just brought the site back up after about 2 hours of down time.

Again, very sorry for the inconvenience!

Get Windows 7 Location Support without Buying a GPS Dongle

Saturday, March 6th, 2010

There’s no point in buying a GPS sensor for your desktop or a laptop if you rarely move it or only rarely need that feature, but you can install Geosense, a free driver and app that integrates with the API in Windows 7 to provide GPS data to all the apps which use that API. They compute your location from wifi, cell tower, and IP information. Don’t expect to get updating turn by turn directions from your netbook as you cruise along in your car, but very likely perfect for checking directions or doing local searches from a parked car or a cafe. Download it at Geosense.

Quinxy

Does my computer model matter with DriverGuide Scan?

Friday, March 5th, 2010

When I use the DriverGuide Scan I get results for drivers which are NOT for the model of computer that was scanned.  Why is this?

Most drivers are not specific to a model of computer since the same devices (and chipsets) are found in multiple models by multiple manufacturers. A bluetooth driver for a Dell Inspiron may be the same as in a Toshiba Satellite. For this reason, our DriverGuide Scan doesn’t focus on matching up drivers by model of computer since that’s not the most relevant criterion. We focus on matching up the hardware ids coded into the actual devices, and base compatibility on that and the device manufacturer. We also use the compatibility ids (also coded into the devices) since drivers are often compatible with multiple versions and incarnations of the same device. An HP Photosmart 7550 driver works on an HP Photosmart 7100 printer as well. So, we also look at these compatibility ids and use a formula based on what Windows itself uses to determine the likelihood of compatibility. We then present you with those updates most compatible with your device.

There are some very rare cases where driver data supplied by manufacturers is wrong and this could be wrongly reported to you as an update; we collect user feedback and are able to filter those out. We always recommend reasonable caution when trying out a driver (set a restore point, perhaps make a backup, know how to use safe mode, etc.). Drivers rarely cause trouble, but when they do, it can be very frustrating.

Quinxy

Note: This article was based on a member question, but their original question was reworded.

If you like the idea of the iPad but not the iPad…

Thursday, March 4th, 2010

The viliv S10 Blade is coming, and for those of you who like the idea of an Apple iPad more than the actual iPad, this just might fit the bill, but expect that bill to be a little larger.

Let’s be clear about this, an iPad is basically a giant iTouch.  An iPad is not a full computer, and it’s lacking a lot of features many people reasonably expect:

  • No Flash support & no browser plugins
  • No true HD (no 720p)
  • No camera for video conferencing
  • No Verizon, hope you like AT&T
  • No USB, no external memory sticks
  • No multitasking!!!
  • Limited format support for audio & video (only what will play natively)

The iPad will do what it does in style, and if that’s enough for you, you’ll be happy as a hipster clam.

But many of us are looking for something more.  We want something akin to a full laptop in the form factor of an iPad, and we want might options, not the constraints Apple imposes.   And the device to best deliver that at the moment is the viliv S10 Blade, a tablet PC running Windows 7.

Here’s a table, with many of the key comparative points:

| | viliv S10 Blade | Apple iPad | Conclusion |
|---|---|---|---|
| OS | Windows 7 | iTouch OS | Windows 7 is probably less stable, and more bloated, but you have more software to pick from, you can use Flash and any browser plugin, and multitask to your heart’s content! |
| Display | 1366×768 | 1024×768 | S10 wins |
| Battery Life | 10 hours (spares allowed) | 10 hours (non-replaceable) | Even Stephen. |
| Hard Disk | 32-64 GB SSD, 60 GB HD | 16, 32, 64 GB SSD | Even Stephen. |
| Multitouch | 3 point | 2 point? | I haven’t tried the viliv or Windows 7 with multitouch, and I can’t find evidence that the iTouch OS detects more than 2 fingers. So, not sure who wins here. |
| Dimensions | 10.23″ x 7.28″ x 0.67 – 1.02″ | 9.56″ x 7.47″ x 0.5″ | They are roughly the same width and height, but the iPad is half the thickness. You get a regular swivel keyboard as compensation, but for some, that won’t be enough. |
| Weight | 2.67 lb | 1.6 lb | The iPad clearly wins here, it’s 33% lighter, and I’m sure you will feel that weight the longer you cradle it and carry it about. The weight won’t bother me unduly, but I won’t deny it will some people. |
| Keyboard | Built-In | No | I’ve used tablet PCs for the last 5 years and I would be miserable without the speed and accuracy of a built-in regular keyboard. Typing on a screen isn’t the same. |
| Camera | Yes, Facing | No | A stunning omission for the iPad. |
| Bluetooth | 2.0+EDR | 2.1+EDR | I don’t know enough or care enough about Bluetooth to know how important this is, but the iPad wins. |
| GPS | No | Yes (and compass) | I am surprised the viliv doesn’t have this, and wonder if perhaps it really does and just isn’t listed in the specs, GPS is ubiquitous these days, and comes on most of the 3G modem cards. If it truly doesn’t have this, then that is unfortunate, but perhaps not such a big deal. I rely on GPS and directions from my phone, and I’m not sure if I would require that from something in a tablet form factor. It could be a drawback, or it may not matter much. |
| CPU | Intel Atom 1.6-2.0 GHz | Apple A4 1 GHz | The viliv is surely faster, but it’s hard to compare speeds. The iPad won’t multitask, won’t be expected to run the full desktop apps the viliv will, so it will surely be fast enough for the uses it’s put to. Personally, I require a device that can multitask, and has the speed to do it. |
| Instant On | Wakeup from standby in < 4 seconds | Nearly instantaneous | The iPad certainly wins here, and wins big. Those 4 seconds will feel longer than they are, and I’m sure that will have a subtle effect on how people view this device. It will discourage someone ever so slightly from reaching for the S10 Blade to check a fact on wikipedia, when they could do it more quickly with their phone. |
| Heat | Probably warm | Probably not as warm | The S10 uses more power and will almost assuredly feel a good bit warmer in your lap, cradled in your arm, etc. |
| Price | $699+ | $499+ | The full pricing isn’t out for the viliv, so it’s hard to make comparisons. The iPad ranges from $499-899, and I’d guess the S10 Blade will range from $699-1399. So, the viliv is definitely more expensive, but you do end up with a real laptop. |

For many, the iPad will surely be another amazing triumph from Apple.  For me, and for many like me, it will stop far short of what we want, and that’s where a device like this tablet PC steps in.  We’ll pay more, it’ll weigh more, and it won’t be quite as instantly handy, but we won’t be constantly frustrated by the many things we cannot do with it.

And read about two other coming iPad alternatives in my post about the HP Slate and MS Courier, The Second Coming of the Tablet PC.

Quinxy

Toolkit License Issue Fixed!

Tuesday, March 2nd, 2010

One of our servers went down unexpectedly on March 1 and our generation of software licenses was affected. If you made a purchase between March 1 and today you may not have received your license by email. Please contact us with the payment confirmation email and we’ll get a new license off to you ASAP! Sorry for the inconvenience.