Privacy is much in the news lately, with concerns ranging from identity theft through government surveillance to commercial exploitation of information about our purchases, our interests, our activities, our friends, and everything else. This lab will explore some issues of privacy and access to information.
This is a relatively new lab. Since it hasn't been refined as much as some of the other labs, you may well find ambiguities and fuzzy bits. Don't worry about them, since this is meant to be about exploration, but let us know so we can fix them up for next time.
This lab is meant to be more than a Google and Wikipedia exercise; you should cast your net more widely, by using other search engines and other information sources. You will be graded partly on how well you do this, so be prepared to tell us for each thing what tools you used and comment on their efficacy. Among the search engines you might try are Yahoo and Microsoft, sites that aggregate results from other sites, and sites like Clusty or Mooter that try to cluster information. SearchEngineWatch points to a variety of possibilities. There are also sites that do telephone number lookup or that maintain public records, and of course various social networks. Explore; that's part of the exercise.
As you go along, we want you to collect your observations and comments in a Word document. You must use this template, lab8.doc, so we have some uniformity among the submissions. Please download this file now and begin to edit it. In the following, when we ask you to "report", we're looking for a reasonably organized but not too long description. We're not going to grade your writing, but you'll leave a better impression if there aren't too many spelling mistakes, flagrant grammar errors, random formatting, and so on. It's ok to summarize with lists rather than complete sentences, but do try to distill the essence of what you've seen rather than just cutting and pasting.
You can do this lab anywhere. Some of the threats only affect PCs running Windows, but all users have to be suspicious about most things.
How much can you learn about someone by searching online information? For yourself or a member of your family and for someone else, perhaps someone in a quasi-public position, see how much you can learn about them online. Examples of the kind of information you might look for include home address, telephone number, education, employment, political contributions, organizations and memberships, price of their home, names of family members, activities and interests, pictures. Do you get any information by searching for your phone number or your street address or your social security number? Does your phone number or address reveal your family name? Did you find inconsistent information? You can do this for a friend as well or instead.
Can you find a good picture of your home with Google Maps or Earth, or Microsoft Maps? Which one of these gives the best image? How much might the house be worth? (See, for example, Zillow.)
There's no need to go overboard on this; the goal is definitely not to invade anyone's privacy but to get a sense of the accessibility of ostensibly private information.
We've talked about how cookies can be used to track what web sites you visit, especially "third-party" cookies that aggregate and correlate information about your visits to apparently unrelated sites.
Turn on cookies in your browser, visit a bunch of sites (media and e-commerce sites are good for this), track the cookies that are tracking you, and look for evidence of linkage, e.g., the same third-party URL on independent sites. How many cookies does a typical visit involve?
What sites that you visit regularly deposit third-party cookies? What's the earliest cookie expiration date you can find? What's the latest? Do any contain interesting information instead of just long strings of apparently random letters and numbers? How does the cookie content change, if at all, if you revisit a site after an interval?
"Web bugs" are another way to track when someone visits a web site or accesses information using a program that interprets HTML; a web bug is typically an almost invisible 1x1 pixel image that includes a URL, like this one from cnn.com:
<img src="http://cnnglobal.122.2O7.net/b/ss/cnnglobal/1/H.1--NS/0" height="1" width="1" border="0">
When the image is retrieved, the server knows that you have visited the page that contained the img tag. (The Adblock extension in Firefox gets rid of a lot of third-party images both large and small.)
Find a web page (not CNN) that includes a web bug from a third-party. Can you find a web bug in an email message?
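One way to hunt for web bugs in a saved page or the HTML part of an email is to list every image that is at most 1x1 pixel and comes from a different site than the page itself. This is an added example, not part of the original lab; the sample page, the `.example` host names and the two-label "same site" rule are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def site(host):
    """Crude 'same site' key: the last two labels of the host name (an assumption;
    wrong for suffixes like .co.uk, where a public-suffix list is needed)."""
    return ".".join(host.lower().split(".")[-2:])


class WebBugFinder(HTMLParser):
    """Collect <img> tags that are at most 1x1 pixel and served from another site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_site = site(page_host)
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        if not host:
            return  # relative URL: same site as the page
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tiny and site(host) != self.page_site:
            self.bugs.append((host, a["src"]))


def find_web_bugs(html, page_host):
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.bugs


# Constructed sample page for a hypothetical site news.example
SAMPLE = """
<html><body>
<img src="/logo.png" width="200" height="50">
<img src="http://static.news.example/spacer.gif" width="1" height="1">
<img src="http://stats.tracker.example/b/ss/1/0" height="1" width="1" border="0">
<img src="http://ads.tracker.example/banner.gif" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for host, src in find_web_bugs(SAMPLE, "www.news.example"):
        print(host, src)
```

Images sized with CSS instead of width and height attributes are not caught by this check.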
As we saw in class, the mere act of visiting a web site reveals some information about you. There are a variety of sites that report back to you about what information your visit reveals, or about what vulnerabilities your system appears to have. Visit some of these and see what they tell you. Here are some useful ones; can you find others like them?
Visit some popular web sites, including commercial, social network, news, portals, etc., and view the HTML that they send to your browser. (Use "View Source" or the like.) Assess the amount and character of the Javascript you find, especially for things like fiddling the status bar. Did you find any potentially nefarious Javascript, like sites that won't let you exit or that obscure their code so you can't easily read it? Very roughly, what fraction of the pages you visit include Javascript? What fraction include other active content like Flash? What fraction of sites simply won't display anything useful without Flash? What fraction include some kind of Flash movie or irritating animation?
As we discussed in class, there are steps you can take to limit your risks and the amount of information that you reveal. Virus checkers are the most important, but there are plenty of others as well.
Check your own environment. What browser do you routinely use? What are your default settings for cookies, Javascript, Java, popups, automatic update, downloading, software installation, programs that start automatically, etc.? Does your mail reader provide a previewer that interprets HTML and thus is subject to web bugs?
As we saw in class, Word, Excel and other programs include a Visual Basic interpreter that can be used to (silently) run programs that are included in documents. What level of macro protection are you running in Word and Excel? (Look under Tools / Macros.) If you run Internet Explorer, what security level do you apply to ActiveX controls?
Traffic between you and at least some sites is encrypted so that it can't be intercepted. Visit a web site that is using encryption (indicated by the locked padlock icon near the bottom of Firefox and IE) and examine the certificate that your browser is using to verify the identity of the site. You can usually get to the certificate by double-clicking on the padlock even if the current transaction is not being encrypted.
You've probably gotten any number of phishing emails, purporting to come from some bank or a company like PayPal, that ask you to click on a link and "update your banking details." Naturally, you've never been so foolish. But if you look at the contents of the mail message with other tools, you can find the URL or IP address that hides behind the links, and sometimes you can even trace that back to its source.
Here's a random list of URLs and IP addresses that claimed to be from banks or the like. Your job is to use traceroute on some of these to see if you can figure out what country they are in, or at least what continent.
Do not use a browser to visit these.
www.china-cas.com      Regions Bank
165.246.122.22         Regions Bank
64.247.12.215          Union Planters
143.248.31.92          Regions Bank
203.198.167.157        Union Planters
211.218.54.247         KeyBank
4.61.184.24            Bank of the West
202.237.147.10         Union Planters
221.148.161.145        Lasalle Bank
62.56.224.244          Bank of Oklahoma
www.m1jm0ad4.com       Regions Bank
210.188.194.161        eBay

You can run traceroute on hats. It's also available on a Mac in a Terminal window:
traceroute 62.56.224.244 (or provide a URL)
On Windows, try Start, then "Run...", then type "cmd", then run tracert in the resulting window. You're welcome to use similar data from your own experience instead. If you want to explore your own mail, save the message in a text file and examine that with Notepad or the like.
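A saved message is often quoted-printable or base64 encoded, which makes the real link targets hard to read in a text editor. The script below is an added example, not part of the original lab: it decodes the HTML part of a saved message and lists links whose target is a bare IP address or whose visible text names a different host. The message, the `.example` names and 192.0.2.10 are constructed sample values.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

HOSTLIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)  # text that names a host
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # dotted-quad host


class LinkCollector(HTMLParser):  # records (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def hidden_targets(raw_message):  # -> [(visible text, real host, reason)]
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))  # None if there is no HTML part
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")  # get_content() undoes the encoding
    findings = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        shown = HOSTLIKE.match(text)
        if IPV4.fullmatch(host):
            findings.append((text, host, "bare IP address"))
        elif shown and shown.group(1).lower() != host:
            findings.append((text, host, "visible host differs"))
    return findings

# Constructed message; every host and address in it is a documentation value
SAMPLE = """Subject: Update your banking details
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://192.0.2.10/login">https://www.bank.example/</a>
<a href=3D"http://www.bank.example.login.example/">www.bank.example</a>
<a href=3D"https://www.bank.example/help">www.bank.example</a>
"""
```

Call `hidden_targets()` with the text of your saved message; the hosts it reports are the ones to hand to traceroute rather than to a browser.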
For a useful discussion of traceroute, see using traceroute.
Finally, if you saw anything interesting or suspicious that we didn't ask about specifically, or if you have any thoughts on how to improve this lab, we'd like to hear them. Thanks.
When you're all done, don't put this lab in your public_html directory. Instead: