Can we blow off the FUD on images embedded in HTML mails? Whenever I see the term "Web Bug" used I know that I will have to find factual information on the subject discussed from another source.
"Web Bug" is just a sensationalized term for an HTTP request made from an email. Sure, one use of those HTTP requests could be to track if you have read the email, just like one use of cookies could be to track your websurfing across multiple sites and build a profile on your surfing habits, political belief, marrital status and sho size. Any technology can be used for both good and bad. Cookies are most definitely used for more good than bad in a scale of the thousands, and other than spammers trying to verify email addresses by making an HTTP request from an HTML mail there has not really been any other use of "Web Bugs". Some products even try to profit from the fear, uncertainty and doubt concerning scare terms such as "Web Bugs", like Privoxy claiming to block these "Web Bugs" - only now, they are not labelled as images in, or HTTP requests made from, HTML mails, they are labelled as small 1x1 images served from a webpage used for gathering visitor statistics. If I wanted to spy on somebody or pry on their surfing habits, "Web Bugs" in whatever label they have this week or the next is the last thing I would ever consider. To get some perspective, just compare how many SpyWare backdoors that people have voluntarily installed to get a free Timer or Calendar application. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com [EMAIL PROTECTED] 949-231-8496 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: Richard M. Smith [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 07, 2004 7:24 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Is the FBI using email Web bugs? Hmm, is an "Internet Protocol Address Verifier" just an email Web bug? If so, the suspect should have been using Outlook 2003 which blocks 'em. ;-) Richard Feds thwart extortion plot against Best Buy http://www.startribune.com/stories/535/4304797.html The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government. Assistant U.S. Attorney Paul Luehr said the address verifier was one of several investigative tools the government used to track Ray down. "It was a tool that helped us confirm that other leads were moving in the same direction," said Luehr, who declined to discuss details of the investigation. Ray faces a maximum of two years in prison and a $250,000 fine for property and reputation extortion. He faces a maximum sentence of five years in prison and a fine of $250,000 for threats to damage computers. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html