Skeptoid: Critical Analysis Podcast 

Internet Paranoia

Skeptoid #17
December 28, 2006

Today we're going to take a skeptical look at computer security. How real are the threats we are warned about all the time? Do these supposed threats pose any actual danger, and if so, what kind? What steps do we really need to take? This stuff is my business, so I know of what I speak.

In the early days of web browsing, innovative programmers created cookies as a way to store session variables on the visitor's computer. When Bob visits Amazon and tells the server that his name is Bob Smith, Amazon writes "Bob Smith" on a nametag and sticks it on Bob's shirt. This is a cookie. It permits Amazon to accumulate a shopping cart full of merchandise for Bob, and to know where to put each new item without asking Bob to identify himself each time he brings something else to the register. The server can say "Ah, you're Bob Smith, good to see you," and it knows which shopping cart to put Bob's new DVD into. Without cookies, it would be necessary for Bob to log in each time he adds something to his cart. Not only is this inconvenient for Bob, it requires substantially more server resources. Server resources are not infinite. The more efficiently a web server can run, the faster it can serve Bob. And, when Bob's name tag is prominently plastered to the front of his shirt in the form of a cookie, there's less chance for Bob to be misidentified and be sent the wrong merchandise. Cookies are good for everyone.

Skeptoid.com even uses cookies, albeit in a simpler way. When you submit a comment on an episode, the name and hometown that you enter into the comment form are saved on your computer as cookies. This allows Skeptoid.com to automatically fill in these fields for you, the next time you want to submit a comment. Saves you a few dozen keystrokes, and makes your entries more consistent. Just a minor convenience feature. Minor, but still a good thing.

Unfortunately, in the early days of Microsoft Internet Explorer, some genius in Redmond decided that Internet Explorer might seem superior to Netscape — its main rival at the time, if you remember — if it would raise caution flags and warn you about terrifying security risks with scary dialog boxes. Internet Explorer eventually became the only significant web browser and a whole generation of web surfers was raised with the belief that cookies were a security risk to be feared and blocked at all costs. The idea is that an unscrupulous individual might sneak into Bob Smith's office, look in the cookies folder on his computer, and learn that "Bob Smith" is the name he used to identify himself to Amazon.

Cookies are just plain vanilla text files. They contain no program logic or encryption. The good thing about this is they can't contain program code like viruses or trojan horses. The bad thing about this is they contain human readable plain text, so that anyone with access to your computer can read them. Since nearly every other program and data file on your computer uses human readable plain text, is this truly such an egregious security risk? Programmers and software engineers know that it's not, but marketing people never let the truth stand in the way of a sale. If they can convince you that your computer's normal operation constitutes a risk that can be mitigated by purchasing their software, they know they've got lots of sales.

Some people think that cookies can be used to steal credit card numbers or other information from your computer. Not only is there no mechanism by which this could work, it's illogical. The web server is what writes the cookie to your machine, and obviously it can't write anything it doesn't already know.

Referrer codes are another normal function that's being marketed as a security risk. Whenever a web browser visits a server, it sends a referrer code. This is the URL of the web page from which the browser came. This is part of the HTTP specification and is a normal function; it's not the nefarious evil plan of some hacker. Let's say our friend Bob is reading the news on CNN.com and sees an ad for a plasma television from Amazon. Bob's in the market for a good plasma, so he clicks the ad. Amazon's web server receives a referrer code from Bob's browser that tells it Bob linked from CNN.com. Amazon may use the referrer codes to analyze which of their advertisements are most effective, an analysis that's essential to good advertising. If Bob buys something, CNN or some third party may be entitled to a sales commission for referring the business, which Amazon is happy to pay since they're happy to have Bob's business. Amazon may even see where Bob came from and offer him the special CNN discount. The referrer code is great for Amazon. At best it's great for Bob, at worst it's no skin off Bob's nose. Referrer codes are also used for many other useful things on the web.

As you might expect, the security software vendors market referrer codes as a threat too. Their best explanation is that it's none of Amazon's business where you came from. That's true, in a strictly Libertarian sense, but in a practical sense, it's really helpful for them to know. Many services such as Amazon can better customize their offerings when they know where their visitors are coming from. A technology called Collaborative Filtering allows Amazon to say "Visitors from CNN prefer the new Barack Obama rap video." If you use security software to block your browser from sending referrer codes, the best you'll get is a more generic Internet experience. The worst you'll get is that some web services won't work at all.
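The cookie and referrer mechanics described above, as an added example that is not part of the original transcript: a toy shop server that issues a session cookie, finds the right cart when the cookie comes back, and reads the `Referer` header when one is sent. The cookie name `sid`, the host `news.example` and the items are constructed for illustration.

```python
# Added example (not from the original page). All names are constructed.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

CARTS = {}  # session id -> cart contents; kept on the server only


def handle_add_to_cart(request_headers, item):
    """Process one 'add to cart' request.

    Returns (response_headers, cart, referring_host).
    """
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    sid = jar["sid"].value if "sid" in jar else None
    response_headers = {}
    if sid not in CARTS:
        # First visit, or an id the server never issued: hand out a new nametag.
        sid = secrets.token_urlsafe(16)
        CARTS[sid] = []
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["path"] = "/"
        out["sid"]["httponly"] = True
        response_headers["Set-Cookie"] = out["sid"].OutputString()
    CARTS[sid].append(item)
    # HTTP spells the header "Referer"; it can be absent or blocked.
    referer = request_headers.get("Referer")
    host = urlsplit(referer).hostname if referer else None
    return response_headers, CARTS[sid], host


def browser_cookie(response_headers):
    """What a browser sends back: only name=value, never the attributes."""
    jar = SimpleCookie(response_headers["Set-Cookie"])
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def demo():
    # Constructed requests: Bob arrives from a news-site ad, then adds a DVD.
    resp1, _, ref1 = handle_add_to_cart(
        {"Referer": "https://news.example/story"}, "plasma-tv")
    cookie = browser_cookie(resp1)
    resp2, cart2, ref2 = handle_add_to_cart({"Cookie": cookie}, "dvd")
    # A visitor presenting no cookie gets a separate cart.
    _, cart3, _ = handle_add_to_cart({}, "book")
    return resp1, resp2, cart2, cart3, ref1, ref2
```

The cookie carries only the identifier the server generated; the cart itself never leaves the server, and a request without a `Referer` header is simply treated as having no known origin.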

Viruses are a genuine pain in the ass. If you're running Windows and you use the Internet at all, your computer will probably download at least a dozen new ones a day. There are numerous ways that viruses can be embedded in web pages, in advertisements on web pages, in media presentations, even in some older graphic images. Big money is made by some of the more cleverly designed viruses (or trojan horses, whatever term you prefer). Sometimes all they do is install fake cookies on your computer to tell Amazon that some guy in Indonesia is entitled to a sales commission next time you buy something. Sometimes they make your computer part of a distributed illegal file sharing system. Sometimes they turn your computer into a spam server. Sometimes they install browser toolbars that lead you to more virus pages when you use them. Sometimes they install software that displays popup advertisements. Fortunately, free software such as Spybot Search & Destroy or Ad-Aware can genuinely eliminate all, or almost all, of these threats. So what's the Skeptoid angle on these?

The reason people develop viruses and trojan horses is to make money, through advertising or sales commission programs. Really all of the threats described above ultimately lead to money. However, in point of fact, it's no skin off your nose. Sure, some guy in Indonesia will get a sales commission that he didn't deserve, but it didn't come out of your pocket. And it benefits nobody to write a virus that erases your computer or causes some problem. Such viruses do exist, mainly from the early days of the Internet, but since they're not profitable, they've gone almost completely out of fashion. People want your business and they want your money; there's no profit in erasing your hard drive. Invariably, when I make this rant, I get the comment "My aunt had her computer erased by a virus," or "I have a virus that makes my screen go black and deletes my address book." The truth is that software conflicts and system crashes are more likely responsible for these problems. If you own a computer, problems are the price of admission, and you will eventually lose data. But there are a thousand normal operating system problems that will be the most probable culprit. It makes no sense for someone to write a virus that does these things, when they can just as easily write a virus that earns them money. Just as in nature: the viruses that thrive are those that don't kill their hosts.

Use Spybot Search & Destroy and Ad-Aware to scrape this crap off your machine and keep it running lean & mean, but don't buy the expensive commercial software that does no better and that makes claims designed to take advantage of customers with minimal technical knowledge. Or just use a Mac like I do, since none of this crap runs on Unix. And, don't bury your thoughts too deeply in cyberspace. Remember you'll always be most vulnerable to what is statistically by far the biggest threat: that your computer will simply be stolen.

Brian Dunning
© 2008 Skeptoid.com

Discuss!

Remember, you should always read with skepticism the comments of anyone too lame to put their real name & city.

You are right that cookies (1st party cookies) are no real threat. However, the issue of 3rd party cookies does raise privacy concerns.

You are right in that *most* modern viruses are benign to the infected party, other than use of system resources. But, as some people pointed out, there are known viruses/malware that contain keyloggers and other methods of reporting private data back to a central location.

The concern of modern computer security is not the safety of one's equipment, but the safety of one's personal information (credit card info, bank account info, logins, etc.)

So, yeah, I agree with you, let's not overly concern ourselves with cookies, or referrer (or "referer", as the HTTP spec calls them) headers, and not get too frightened about a virus destroying data... BUT let's also strive to keep our machines clean, to keep them running better, and to protect our data from theft rather than destruction.

Nathan Pinkerton, Harlingen, TX
July 01, 2008 2:52pm

Unfortunately, Macs are no more secure than PCs; they come with similar vulnerabilities and are broken into in similar ways...

Also unfortunate is how some new viruses encrypt all of your files and demand payment to an Eastern-European country for a key to unlock them...

Even more unfortunate is just how little the average person cares about internet security today...

And it will be very unfortunate for the poor grandma to have to call up her internet service provider asking why her internet doesn't work, only to be told that her computer is sending out spam all the time or was used to hack into some other location (and was thus disconnected)...

The lack of security IS a serious problem, albeit one that can easily and effectively be approached with a balance between a careless and a paranoid state of mind. (meaning to use a free anti-virus product along with anti-spyware, and preferably with a firewall as well)

Nikita, Philadelphia, PA
July 11, 2008 1:21pm

That's it. I'm a chemist with 26 years in IS who is in his last year of nursing school. I applaud your scepticallity but over half of your "debunking" is personal spin, alternate and equally unverifiable hypotheses, or just plain ignorance.

Keep on fighting the good fight but do everyone a favor and cut out the opinion. Sticking to facts will improve your credibility immensely.

You /have/ offered me a few hours of entertainment and I thank you but it's painful, watching someone I agree with play the fool when a couple of hours of research would do wonders for your effectiveness.

Cheers,

PC

Peter Camper, Glendale
August 03, 2008 12:13pm

I've mostly enjoyed your episodes so far, however this episode was a real shark jumper. I work in information assurance (cryptography), and while you may view that as biased, I view it as informed.

There are a lot of different types of security issues, and your podcast lumps them all together into the same general bundle of issues, which is not accurate.

For example, you conflate privacy issues (ex. referers), with data reliability issues (virii).

Harmful viruses do exist, and implying that they're ONLY hype generated by antivirus and trojan cleaning companies does a real disservice to your listeners who are not technically savvy.

Privacy is also a valid need by many people, so things like SSL encrypted connections have a real value to protect your financial and personal transactions.

It's important that while your bank's login cookie's plaintext may be known by your browser, it does NOT need to be known by any systems attached to the 17 router hops between you and your bank, and it doesn't need to be saved to disk (SSL doesn't save to disk) for some trojan to pick up and mail back to its author.

David, Oceanside, CA
August 06, 2008 10:08pm

I hope you really don't think your Mac can't get viruses and such. Because trust me, it can.

Three of the Macs we have for patron use at the library I work at did. The common man always finds a way to get a virus on his computer. ;P

You should probably have suggested Linux with root directory change instead of Mac. :D Not over-priced and totally virus proof.

Jacqueline Hovey, Buffalo, NY
August 12, 2008 5:17am
