Internet Paranoia

Today we're going to take a skeptical look at computer security. How real are the threats we are warned about all the time? Do these supposed threats pose any actual danger, and if so, what kind? What steps do we really need to take?

Note: This is an old episode. It was true in 2006, but today there are newer and more realistic threats such as ransomware. As far as cookies and other things discussed in this episode, it's still generally true. —BD

In the early days of web browsing, innovative programmers created cookies as a way to store session variables on the visitor's computer. When Bob visits Amazon and tells the server that his name is Bob Smith, Amazon writes "Bob Smith" on a nametag and sticks it on Bob's shirt. This is a cookie. It permits Amazon to accumulate a shopping cart full of merchandise for Bob, and to know where to put each new item without asking Bob to identify himself each time he brings something else to the register. The server can say "Ah, you're Bob Smith, good to see you," and it knows which shopping cart to put Bob's new DVD into. Without cookies, it would be necessary for Bob to log in each time he adds something to his cart. Not only is this inconvenient for Bob, it requires substantially more server resources. Server resources are not infinite. The more efficiently a web server can run, the faster it can serve Bob. And, when Bob's name tag is prominently plastered to the front of his shirt in the form of a cookie, there's less chance for Bob to be misidentified and be sent the wrong merchandise. Cookies are good for everyone.

Skeptoid.com even uses cookies, albeit in a simpler way. When you submit a comment on an episode, the name and hometown that you enter into the comment form are saved on your computer as cookies. This allows Skeptoid.com to automatically fill in these fields for you, the next time you want to submit a comment. Saves you a few dozen keystrokes, and makes your entries more consistent. Just a minor convenience feature. Minor, but still a good thing.

Update: There are no longer comment sections on Skeptoid.com, but there were when this episode came out. —BD

Unfortunately, in the early days of Microsoft Internet Explorer, some genius in Redmond decided that Internet Explorer might seem superior to Netscape — its main rival at the time, if you remember — if it would raise caution flags and warn you about terrifying security risks with scary dialog boxes. Internet Explorer eventually became the only significant web browser and a whole generation of web surfers was raised with the belief that cookies were a security risk to be feared and blocked at all costs. The idea is that an unscrupulous individual might sneak into Bob Smith's office, look in the cookies folder on his computer, and learn that "Bob Smith" is the name he used to identify himself to Amazon.

Cookies are just plain vanilla text files. They contain no program logic or encryption. The good thing about this is they can't contain program code like viruses or trojan horses. The bad thing about this is they contain human readable plain text, so that anyone with access to your computer can read them. Since nearly every other program and data file on your computer uses human readable plain text, is this truly such an egregious security risk? Programmers and software engineers know that it's not, but marketing people never let the truth stand in the way of a sale. If they can convince you that your computer's normal operation constitutes a risk that can be mitigated by purchasing their software, they know they've got lots of sales.

Some people think that cookies can be used to steal credit card numbers or other information from your computer. Not only is there no mechanism by which this could work, it's illogical. The web server is what writes the cookie to your machine, and obviously it can't write anything it doesn't already know.

Referrer codes are another normal function that's being marketed as a security risk. Whenever a web browser visits a server, it sends a referrer code. This is the URL of the web page from which the browser came. This is part of the http specification and is a normal function, it's not the nefarious evil plan of some hacker. Let's say our friend Bob is reading the news on CNN.com and sees an ad for a plasma television from Amazon. Bob's in the market for a good plasma, so he clicks the ad. Amazon's web server receives a referrer code from Bob's browser that tells it Bob linked from CNN.com. Amazon may use the referrer codes to analyze which of their advertisements are most effective, an analysis that's essential to good advertising. If Bob buys something, CNN or some third party may be entitled to a sales commission for referring the business, which Amazon is happy to pay since they're happy to have Bob's business. Amazon may even see where Bob came from and offer him the special CNN discount. The referrer code is great for Amazon. At best it's great for Bob, at worst it's no skin off Bob's nose. Referrer codes are also used for many other useful things on the web.

As you might expect, the security software vendors market referrer codes as a threat too. Their best explanation is that it's none of Amazon's business where you came from. That's true, in a strictly Libertarian sense, but in a practical sense, it's really helpful for them to know. Many services such as Amazon can better customize their offerings when they know where their visitors are coming from. A technology called Collaborative Filtering allows Amazon to say "Visitors from CNN prefer the new Rick Astley video." If you use security software to block your browser from sending referrer codes, the best you'll get is a more generic Internet experience. The worst you'll get is that some web services won't work at all.

Viruses are a genuine pain in the ass. If you're running Windows and you use the Internet at all, your computer will probably download at least a dozen new ones a day. There are numerous ways that viruses can be embedded in web pages, in advertisements on web pages, in media presentations, even in some older graphic images. Big money is made by some of the more cleverly designed viruses (or trojan horses, whatever term you prefer). Sometimes all they do is install fake cookies on your computer to tell Amazon that some guy in Indonesia is entitled to a sales commission next time you buy something. Sometimes they make your computer part of a distributed illegal file sharing system. Sometimes they turn your computer into a spam server. Sometimes they install browser toolbars that lead you to more virus pages when you use them. Sometimes they install software that displays popup advertisements. Fortunately, free software such Spybot Search & Destroy or Ad-Aware can genuinely eliminate all, or almost all, of these threats. So what's the Skeptoid angle on these?

The reason people develop viruses and trojan horses is to make money, through advertising or sales commission programs. Really all of the threats described above ultimately lead to money. It benefits nobody to write a virus that erases your computer or causes some problem. Such viruses do exist, mainly in the early days of the Internet, but since they're not profitable, they've gone almost completely out of fashion. People want your business and they want your money, there's no profit in erasing your hard drive. Invariably, when I make this rant, I get the comment "My aunt had her computer erased by a virus," or "I have a virus that makes my screen go black and deletes my address book." The truth is that software conflicts and system crashes are more likely responsible for these problems. If you own a computer, problems are the price of admission, and every owner will eventually lose data. But there are a thousand normal operating system problems that will be the most probable culprit. It makes no sense for someone to write a virus that does these things, when they can just as easily write a virus that earns them money. Just as in nature: the viruses that thrive are those that don't kill their hosts.

Use Spybot Search & Destroy and Ad-Aware to scrape this crap off your machine and keep it running lean & mean, but don't buy the expensive commercial software that does no better and that makes claims designed to take advantage of customers with minimal technical knowledge. Or just use a Mac like I do, since none of this crap runs on Unix. And, don't bury your thoughts too deeply in cyberspace. Remember you'll always be most vulnerable to what is statistically by far the biggest threat: that your computer will simply be stolen.

By Brian Dunning
Follow @BrianDunning