Lab 8: Privacy and Security

Sun Dec 2 09:57:58 EST 2007

This is the last lab. Have fun.

Privacy is much in the news lately, with concerns ranging from identity theft through government surveillance to commercial exploitation of information about our purchases, our interests, our activities, our friends, and everything else. This lab will explore some issues of privacy and access to information.

This is a relatively new lab, so you may well find ambiguities and fuzzy bits. Don't worry about them, since this is meant to be more about exploration than precise answers, but let us know so we can fix them up for next time.

This lab is meant to be more than a Google and Wikipedia exercise; you should cast your net more widely, by using other search engines and other information sources. You will be graded partly on how well you do this, so be prepared to tell us for each thing what tools you used and comment on their efficacy. Among the search engines you might try are Yahoo and Microsoft and Ask.com, sites that aggregate results from other sites, and sites like Clusty or Mooter that try to cluster search results. SearchEngineWatch points to a variety of possibilities. There are also sites that do telephone number lookup or that maintain public records, financial sites like Yahoo finance provide access to holdings and insider trading, and of course social networks like Facebook reveal a huge amount about their users. Explore; that's part of the exercise.

As you go along, we want you to collect your observations and comments in a Word document. You must use this template, lab8.doc, so we have some uniformity among the submissions. Please download this file now and begin to edit it. In the following, when we ask you to "report", we're looking for a reasonably organized but not too long description. The questions in the text are meant to start you thinking, not necessarily be answered literally. We're not going to grade your writing, but you'll leave a better impression if there aren't too many spelling mistakes, flagrant grammar errors, random formatting, and so on. It's ok to summarize with lists rather than complete sentences, but do try to distill the essence of what you've seen rather than just cutting and pasting.

If you're using Office 2007, you must save and submit your lab8.doc file in Office 2003 format; we can't read the new format. Please do this right the first time. Thanks.

You can do this lab anywhere. Some of the threats only affect PCs running Windows, but all users have to be suspicious about most things.


Part 1: Individual Information

Sometimes people state strong opinions forcefully, and the record lives on forever.

  • Who said "You have zero privacy. Get over it." and in what setting?
  • Where is he now and what job does he hold?
  • What is Bill Gates's holding of Microsoft stock and how much is that worth?

How much can you learn about someone by searching online information? For yourself or a member of your family and for someone else, perhaps someone in a quasi-public position, see how much you can learn about them online. Examples of the kind of information you might look for include home address, telephone number, age, birthday, education, employment, political contributions, organizations and memberships, price of their home, names of family members (the classic mother's maiden name, for example), activities and interests, pictures. Do you get any information by searching for a phone number or street address or social security number? (Read this Wikipedia article first about why it is a bad idea to search for your own SSN.) Does a phone number or address reveal a family name? Did you find inconsistent information? You can do this for a friend as well or instead.

Can you find a good picture of your home (or someone else's) with Google Maps or Earth, or Microsoft Maps? Which one of these gives the best image? Can you make out your car or some other possession? How much might the house be worth? See, for example, Zillow.

There's no need to go overboard on this; the goal is definitely not to invade anyone's privacy but to get a sense of the accessibility of ostensibly private information.

  • For each person, report on the nature of the information that you were able to find. Don't include any actual phone numbers or addresses in your report, though it's ok to report the city of residence; other information like political contributions, memberships, and the like are fair game.


Part 2: Cookie Crumbs

We've talked about how cookies can be used to track what web sites you visit, especially "third-party" cookies (that is, cookies that come from someone other than the web site you accessed directly) that aggregate and correlate information about your visits to apparently unrelated sites.

Turn on cookies in your browser and visit a bunch of sites (media, sports and e-ecommerce sites are good for this). How many cookies does a typical visit involve? Track the cookies that are tracking you: look for evidence of linkage, e.g., the same third-party URL on independent sites.

What sites that you visit regularly deposit third-party cookies? What's the latest cookie expiration date you can find? Do any contain interesting information instead of just long strings of apparently random letters and numbers? How does the cookie content change, if at all, if you revisit a site after an interval?

  • Report on what you found out about cookies. In particular, what evidence did you find of third-party tracking? Include a sample third-party cookie. It's ok to abbreviate long ones.

"Web bugs" are another way to track when someone visits a web site or accesses information using a program that interprets HTML; a web bug is typically an almost invisible 1x1 pixel image that includes a URL, like this one from cnn.com:

     <img src="http://cnnglobal.122.2O7.net/b/ss/cnnglobal/1/H.1--NS/0"
          height="1" width="1" border="0">
When the image is retrieved, the server at 2o7.net knows that you have visited the page that contained the img tag. (The Adblock extension in Firefox gets rid of a lot of third-party images both large and small.)

Find a web page (not CNN) that includes a web bug from a third-party. You can quickly find candidate links in a web page by searching for things like "height=1" in various forms. Can you find a web bug in an email message?

  • Report on what you found out about web bugs. Include a sample web bug URL and describe what it is.


Part 3: What Do They Know About You

As we saw in class, the mere act of visiting a web site reveals some information about you. There are a variety of sites that report back to you about what information your visit reveals, or about what vulnerabilities your system appears to have. Visit some of these and see what they tell you. Here are some useful ones; can you find others like them?

The pages at Gibson Research are pretty technical but worth some study. And apropos of the geolocation example, this site might tell you how the information could be used.

  • What potentially significant information about you and your computer does your browsing reveal to sites that you visit?
  • What IP address was displayed by the web pages? Is this the same IP address as you see by running ipconfig on Windows or System Preferences on a Mac?
  • What potential vulnerabilities are reported about your system?
  • Did you find any other sites that provide similar or analogous services?

To run ipconfig on Windows XP, Start / Run / cmd. In the resulting commandline window, type ipconfig /all. On a Mac, System Preferences / Show Airport / TCP/IP.


Part 4: What is Truth and Who Changes It?

Find an article on Wikipedia about some topic that you know something about. Check the history of changes to get a sense of what has happened, how recently, and whether there is any controversy or discussion. Find an error or something that needs expansion or maybe just something that could be written better.

Edit the page. If you have no ideas, the page on Princeton University has several sections for which revision is solicited. Various Princeton institutions like eating clubs, residential colleges, and people all have entries as well. Do not make changes that will be reverted immediately as vandalism, or violate the rules and spirit of Wikipedia.

There have been frequent stories of how not-disinterested parties have revised Wikipedia articles to put someone or something in a more favorable light. One of the most interesting new services is WikiScanner, which provides a convenient way to see who has changed various pages. Investigate how changes to particular Wikipedia entries have been made. In particular, look for edits that have probably been made by students or faculty at Princeton. (Remember IP addresses and the two major subnets at Princeton?) Can you find something interesting or revealing.

  • What did you find out on Wikipedia?
  • What page(s) did you change and (briefly) how?
  • What did you find out with WikiScanner?


Part 5: Defenses and Countermeasures

As we discussed in class, there are ways to limit your risks and the amount of information that you reveal. Virus checkers are the most important, but there are plenty of others as well.

Many web sites insist that you provide a working email address before they will let you register or access some service. 10MinuteMail provides a useful alternative: it provides an email address that's valid for 10 minutes and shows you whatever mail arrives during that time; that lets you retrieve the registration key or whatever, without giving away a real address. Try this service. How long does it take for mail to arrive? Empirically, how long does it take for the temporary address to time out?

Check your own environment. What browser do you routinely use? What are your default settings for cookies, filename extensions, Javascript, Java, popups, automatic updates, downloading, software installation, programs that start automatically, etc.? Does your mail reader provide a previewer that interprets HTML and thus is subject to web bugs? Do you read mail in HTML format by default? Try sending yourself mail with a reference to an image.

As we saw in class, Word, Excel and other programs include a Visual Basic interpreter that can be used to (silently) run programs that are included in documents. What level of macro protection are you running in Word and Excel? (Look under Tools / Macros.) If you run Internet Explorer, what security level do you apply to ActiveX controls?

  • What was the result of your experiments with 10MinuteMail? What email address did it assign to you? If you use it a second time a while later, what is the second address?
  • What operating system are you running? What browser do you normally use? What mail client do you normally use?
  • Report on how you have your defenses configured. Did you tighten up any defense as a result of your experiments?


Part 6: Who's on the Other End

Traffic between you and at least some sites is encrypted so that it can't be intercepted. Visit a web site that is using encryption (indicated by the locked padlock icon near the bottom of Firefox and IE) and examine the certificate that your browser is using to verify the identity of the site. You can usually get to the certificate by double-clicking on the padlock even if the current transaction is not being encrypted.

  • What organization or company are you visiting? Who issued their certificate?

You've probably gotten any number of phishing emails, purporting to come from some bank or a company like eBay or PayPal, that ask you to click on a link and "update your banking details." Naturally, you've never been so foolish. But if you look at the contents of the mail message with other tools, you can find the URL or IP address that hides behind the links, and sometimes you can even trace that back to its source.

Here's a random list of URLs and IP addresses that claimed to be from banks or the like. Your job is to use traceroute on some of these to see if you can figure out what country they are in, or at least what continent.

Do not use a browser to visit these.

www.china-cas.com	Regions Bank
165.246.122.22		Regions Bank
64.247.12.215		Union Planters
143.248.31.92		Regions Bank
203.198.167.157		Union Planters
211.218.54.247		KeyBank
4.61.184.24		Bank of the West
202.237.147.10		Union Planters
221.148.161.145		Lasalle Bank
62.56.224.244		Bank of Oklahoma
210.188.194.161		eBay
You can run traceroute on any Unix/Linux system, like Hats or Arizona. It's also available on Macs; start a Terminal window and run it:
     traceroute 62.56.224.244    (you can use a URL or an IP address)
On Windows, try Start, then "Run...", then type "cmd", then run tracert in the resulting window. You're welcome to use similar data from your own experience instead. If you want to explore your own mail, save the message in a text file and examine that with Notepad or the like.

  • Report on what you found out about at least three of these addresses. Explain how you inferred possible locations.
  • Try to traceroute to a friend's computer, and include the traceroute output. Or trace the route to your own machine from someplace else, for example an ssh window on arizona. What notification do you get when your machine is probed this way?

For a useful discussion of traceroute, see using traceroute.


Part 7: Submitting your Work

Finally, if you saw anything interesting or suspicious that we didn't ask about specifically, or if you have any thoughts on how to improve this lab, we'd like to hear them. Thanks.

When you're all done, don't put this lab in your public_html directory. Instead:

Reminder: If you're using Office 2007, you must save and submit your lab8.doc file in Office 2003 format; we can't read the new format. Please do this right the first time. Thanks.