by Brian Dunning
Filed under Consumer Ripoffs
December 28, 2006
Podcast transcript | Listen | Subscribe
Today we're going to take a skeptical look at computer security. How real
are the threats we are warned about all the time? Do these supposed threats
pose any actual danger, and if so, what kind? What steps do we really need
In the early days of web browsing, innovative programmers created cookies
as a way to store session variables on the visitor's computer. When Bob visits
Amazon and tells the server that his name is Bob Smith, Amazon writes "Bob
Smith" on a nametag and sticks it on Bob's shirt. This is a cookie. It permits
Amazon to accumulate a shopping cart full of merchandise for Bob, and to know
where to put each new item without asking Bob to identify himself each time
he brings something else to the register. The server can say "Ah, you're Bob
Smith, good to see you," and it knows which shopping cart to put Bob's new
DVD into. Without cookies, it would be necessary for Bob to log in each time
he adds something to his cart. Not only is this inconvenient for Bob, it requires
substantially more server resources. Server resources are not infinite. The
more efficiently a web server can run, the faster it can serve Bob. And, when
Bob's name tag is prominently plastered to the front of his shirt in the form
of a cookie, there's less chance for Bob to be misidentified and be sent the
wrong merchandise. Cookies are good for everyone.
comment on an episode, the name and hometown that you enter into the comment
form are saved on your computer as cookies. This allows Skeptoid.com to automatically
fill in these fields for you, the next time you want to submit a comment. Saves
you a few dozen keystrokes, and makes your entries more consistent. Just a
minor convenience feature. Minor, but still a good thing.
Unfortunately, in the early days of Microsoft Internet Explorer, some genius
in Redmond decided that Internet Explorer might seem superior to Netscape — its
main rival at the time, if you remember — if it would raise caution flags
and warn you about terrifying security risks with scary dialog boxes. Internet
Explorer eventually became the only significant web browser and a whole generation
of web surfers was raised with the belief that cookies were a security risk to
be feared and blocked at all costs. The idea is that an unscrupulous individual
might sneak into Bob Smith's office, look in the cookies folder on his computer,
and learn that "Bob Smith" is the name he used to identify himself
are just plain vanilla text files. They contain no program logic or encryption.
The good thing about this is they can't contain program code like viruses or
trojan horses. The bad thing about this is they contain human readable plain
text, so that anyone with access to your computer can read them. Since nearly
every other program and data file on your computer uses human readable plain
text, is this truly such an egregious security risk? Programmers and software
engineers know that it's not, but marketing people never let the truth stand
in the way of a sale. If they can convince you that your computer's normal
operation constitutes a risk that can be mitigated by purchasing their software,
they know they've got lots of sales.
Some people think that cookies can be used to steal credit card numbers or
other information from your computer. Not only is there no mechanism by which
this could work, it's illogical. The web server is what writes the cookie
to your machine, and obviously it can't write anything it doesn't already know.
Referrer codes are another normal function that's being marketed as a security
risk. Whenever a web browser visits a server, it sends a referrer code. This
is the URL of the web page from which the browser came. This is part of the
http specification and is a normal function, it's not the nefarious evil plan
of some hacker. Let's say our friend Bob is reading the news on CNN.com and
sees an ad for a plasma television from Amazon. Bob's in the market for
a good plasma, so he clicks the ad. Amazon's web server receives a referrer
code from Bob's browser that tells it Bob linked from CNN.com. Amazon may use
the referrer codes to analyze which of their advertisements are most effective,
an analysis that's essential to good advertising. If Bob buys something, CNN
or some third party may be entitled to a sales commission for referring the
business, which Amazon is happy to pay since they're happy to have Bob's business.
Amazon may even see where Bob came from and offer him the special CNN discount.
The referrer code is great for Amazon. At best it's great for Bob, at worst
it's no skin off Bob's nose. Referrer codes are also used for many other useful
things on the web.
As you might expect, the security software vendors market referrer codes as
a threat too. Their best explanation is that it's none of Amazon's business
where you came from. That's true, in a strictly Libertarian sense, but in a
practical sense, it's really helpful for them to know. Many services
such as Amazon can better customize their offerings when they know where their
visitors are coming from. A technology called Collaborative Filtering allows
Amazon to say "Visitors from CNN prefer the new Rick Astley video." If
you use security software to block your browser from sending referrer codes,
the best you'll get is a more generic
Internet experience. The worst you'll get is that some web services
won't work at all.
Viruses are a genuine pain in the ass. If you're running Windows and you use
the Internet at all, your computer will probably download at least a dozen
new ones a day. There are numerous ways that viruses can be embedded in web
pages, in advertisements on web pages, in media presentations, even in some
older graphic images. Big money is made by some of the more cleverly designed
viruses (or trojan horses, whatever term you prefer). Sometimes all they do
is install fake cookies on your computer to tell Amazon that some guy in Indonesia
is entitled to a sales commission next time you buy something. Sometimes they
make your computer part of a distributed illegal file sharing system. Sometimes
they turn your computer into a spam server. Sometimes they install browser
toolbars that lead you to more virus pages when you use them. Sometimes they
install software that displays popup advertisements. Fortunately, free software
such Spybot Search & Destroy or Ad-Aware can genuinely eliminate all, or almost
all, of these threats. So what's the Skeptoid angle on these?
The reason people develop viruses and trojan horses is to make money, through
advertising or sales commission programs. Really all of the threats described
above ultimately lead to money. It benefits nobody
to write a virus that erases your computer or causes some problem. Such viruses
do exist, mainly in the early days of the Internet, but since they're not profitable,
they've gone almost completely out of fashion. People want your business and
they want your money, there's no profit in erasing your hard drive. Invariably,
when I make this rant, I get the comment "My aunt had her computer erased
by a virus," or "I have a virus that makes my screen go black and
deletes my address book." The truth is that software conflicts and system
crashes are more likely responsible for these problems. If you own a computer,
problems are the price of admission, and every owner will eventually lose data. But
there are a thousand normal operating system problems that will be the most
probable culprit. It makes no sense for someone to write a virus that does
these things, when they can just as easily write a virus that earns them money.
Just as in nature: the viruses that thrive are those that don't kill
Use Spybot Search & Destroy
and Ad-Aware to scrape this crap off your machine and keep it running lean
& mean, but don't buy the expensive commercial software that does no better
and that makes claims designed to take advantage of customers with minimal
technical knowledge. Or just use a Mac like I do, since none of this crap runs
on Unix. And, don't bury your thoughts too deeply in cyberspace. Remember
you'll always be most vulnerable to what is statistically by far the biggest
threat: that your computer will simply be stolen.
By Brian Dunning
Please contact us with any corrections or feedback.
Cite this article:
Dunning, B. "Internet Paranoia." Skeptoid Podcast. Skeptoid Media,
28 Dec 2006. Web.
25 Nov 2015. <http://skeptoid.com/episodes/4017>
References & Further Reading
Berners-Lee, Tim. "RFC1945 - Hypertext Transfer Protocol -- HTTP/1.0." Internet FAQ Archives. Advameg, Inc., 1 May 1996. Web. 30 Nov. 2009. <http://www.faqs.org/rfcs/rfc1945.html>
Bidgoli, Hossein. The Internet encyclopedia: Volume 1. Hoboken: John Wiley and Sons, 2004. 253-259,328-329,576.
Kristol, D. "RFC2965 - HTTP State Management Mechanism." Internet FAQ Archives. Advameg, Inc., 1 Oct. 2000. Web. 30 Nov. 2009. <http://www.faqs.org/rfcs/rfc2965.html>
Lavasoft. "Ad-Aware by Lavasoft." Corporate web site. Lavasoft, 30 Nov. 2009. Web. 30 Nov. 2009. <http://www.lavasoft.com/>
Miller, M. Absolute Beginner's Guide to Computer Basics. Indianapolis: Que Publishing, 2007. 148-150.
Safer Networking. "Spybot Search & Destroy." Corporate web site. Safer Networking Ltd., 25 Nov. 2009. Web. 30 Nov. 2009. <http://www.safer-networking.org/en/home/index.html>
White, J. Just the Computer Essentials. Stow: IROL Press, LLC, 2007. 131-132.
©2015 Skeptoid Media, Inc. All Rights Reserved. Rights and reuse information