Comments on: How HP bugged e-mail

Commercial online service was used to track e-mail sent to a reporter in Hewlett-Packard's leak probe, investigator testifies.

Pretexting?
by Johnny Mnemonic September 28, 2006 9:59 PM PDT
Am I the only person that has been a little
confused by this new term? To me, pretexting
would be something akin to something like
"wmd: a pretext to war", rather than misrepresenting
yourself in order to gain knowledge. Granted, "wmd"
or other pretexts are generally mis-representations,
but they are different in context. The proper
terminology is "social engineering". Commonly
used in the malicious hacker/cracker context
of which this clearly falls under.
I'm with you...
by SeizeCTRL September 29, 2006 6:25 AM PDT
I see this more as social engineering. Also, in all honesty, I do not think HP is totally in the wrong here. If someone is leaking trade secrets and whatnot, I think they have a right to determine the leak and follow all necessary trails.

It's funny how the government does this kind of thing all the time... but as soon as a big name company does it, it's the most horrendous invasion of privacy the world has ever seen. Surely people aren't that naive that they believe they have some ultimate amount of privacy in this day and age. Is it really that big of a deal that someone got your phone records? The method used is really no different than dumpster diving... chances are you throw away old phone bills. Besides you probably throw away more private information than you realize, so the point it leaves your house and into your garbage can, anyone willing can find out anything about you.
From Dictionary.com
by catch23 September 29, 2006 8:19 AM PDT
"the misleading appearance or behavior assumed with this intention"
the 'intention' being "to conceal a true purpose or object"

So Social Engineering is just a form of Pretexting. The WMD argument was itself a form of Social Engineering, intending to get people to do something based on artificially generated fear.
Another reason to avoid HTML mail
by rcrusoe September 29, 2006 6:32 AM PDT
ReadNotify's use of web bugs and iframes in html email is bad enough, but I understand they also exploit bugs in MS Word docs (and perhaps other documents) to track those attachments.

AFAIK, I would be safe from these methods since my email client mail.app (Mac) is set to display plain text only and OpenOffice doesn't allow these "phone home" tricks.

Unfortunately most of my users have Outlook and MS Office so they have yet another reason to wish MS would put some "features" in their software that are really needed, rather than just ribbon menus.
Try reading the article
by catch23 September 29, 2006 7:53 AM PDT
They use the same trick with PDFs, so your Mac and defaults mean nothing.
Unless you're running a good 2 way firewall (which neither the Mac or PC ships with) you're as hosed as the us.
Of course, at least we have ribbon menus.
Another solution....
by mveronica September 29, 2006 11:45 AM PDT
you could also encrypt the email attachments or email messages in HTML with email anti-theft software, converting documents into .ecc's. This unfortunately will not stop them from tracking the email, but it prevents them from being able to access its contents.
A good firewall...
by ballssalty September 29, 2006 6:40 AM PDT
Another friendly reminder to have a good software firewall like ZoneAlarm installed to prevent this from working and to disable HTML in Outlook.
Firewall?
by hadaso September 29, 2006 2:07 PM PDT
A firewall doesn't stop web-bugs if it doesn't stop other outgoing http requests.

Disabling HTML in Outlook would not work for serious email users because they don't use Outlook... A good email client would render HTML but not the webbugs within it, and other kinds of nasty things embedded within HTML. FastMail.FM's webmail client has been blocking images and defanging various HTML elements and still showing HTML email for years now (with whitelisting of trusted sources). Many other email clients, web-based and PC-based do the same.
Firstly, I don't give a darn. Secondly, thanks for the additional regs.
by jtpickering September 29, 2006 10:54 AM PDT
"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an e-mail author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an e-mail comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an e-mail and composing it: that e-mail is theirs."

So, following this argument, every piece of junk mail and catalogue that appears in my mailbox or is couriered to me is not my property? I wonder if they could fine a recipient if/when the recipient destroys or throws that property away?

Mr Drake, if you do not have a law degree and international legal experience, your opinion in this matter is no more helpful than my 5 year-old's.

Sounds like more legislation is on the way....
sherlock holmes would found a clue
by gggg sssss September 29, 2006 7:03 PM PDT
There are many many things you cannot do with that catalogue - you cannot copy the pictures and put them on your website or your own catalogue - you cannot use the text in the same manner for instance - and neither can your 5 year old. Although he might get away with using them in a school project. Even better, if he does, then he furthers the advertiser's message - at no additional cost to him.
How CNet bugs e-mail
by Mark Donovan September 29, 2006 12:38 PM PDT
CNet's newsletters are bugged. To be fair, the practice is disclosed in CNet's privacy policy, but the bugging is nonetheless as reprehensible and unethical as HP's actions.

It's time that CNet end the use of web bugs in its e-mail. While CNet's disclosure applies to those who subscribe to its newsletters, the web bugs also track forwarded e-mail. There's little difference between HP and CNet bugged e-mail.

Here's a typical CNet web bug. This type of bug is defeated by not loading images from e-mail.
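
The filtering described in the comments by hadaso and Mark Donovan (still render the HTML, but do not load remote images or frames unless the sender is whitelisted), sketched as an added example. It is not code from the thread, from FastMail.FM or from any mail client; the tag and attribute lists, the function names and the `tracker.example` host are assumptions.

```python
from html import escape
from html.parser import HTMLParser

DROP_TAGS = {"iframe", "script", "object"}  # assumed policy: dropped with content
FETCH_ATTRS = {"src", "srcset", "background", "poster"}  # fetched while rendering
REMOTE = ("http://", "https://", "//")

class Defanger(HTMLParser):
    def __init__(self, allow_remote):
        super().__init__(convert_charrefs=True)
        self.allow_remote = allow_remote  # True only for whitelisted senders
        self.out, self.blocked, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:  # removed even for trusted senders
            self.blocked += [v for k, v in attrs if k in ("src", "data") and v]
            self.skip += 1
        if self.skip:
            return
        kept = []
        for name, value in attrs:
            remote = (value or "").strip().lower().startswith(REMOTE)
            if name in FETCH_ATTRS and remote and not self.allow_remote:
                self.blocked.append(value)  # would have been fetched on open
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag  # "<img .../>" is treated like "<img ...>"

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def defang(html, sender, trusted=frozenset()):
    p = Defanger(allow_remote=sender.lower() in trusted)
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked  # (safe_html, blocked_urls)

# Constructed sample body; tracker.example is a placeholder host.
SAMPLE = ('<p>Draft attached.</p><img src="https://tracker.example/b.gif?id=42" width="1">'
          '<img src="cid:logo" alt="logo"><iframe src="//tracker.example/open">x</iframe>')
```

Inline images (`cid:`) and ordinary links survive because they cause no request when the message is opened. URLs inside CSS (`style` attributes or `<style>` blocks) are not handled by this sketch.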
Potential for abuse???
by computerlegalexperts.com September 29, 2006 2:08 PM PDT
Well, this is interesting from a privacy perspective. What is the remedy when someone sends something unlawful or unethical and you didn't ask for it?????

Steve
Computerlegalexperts.com
http://www.computerlegalexperts.com
Re: Potential for Abuse
by chuck_whealton September 30, 2006 8:28 AM PDT
I agree with what you appear to be saying - that this may have some potential for abuse.

I mean it sounds like at least some of their use of it was warranted; searching for stolen products, etc., but this does seem to have quite a bit of potential to be misused.

Charles R. Whealton
Charles Whealton @ pleasedontspam.com
web-bugs and the DMCA
by hadaso September 29, 2006 2:15 PM PDT
Like any other written material, email messages are automatically subject to copyright laws in all countries that have joined the Berne Convention Copyright Treaty, and nothing may be done with them without explicit permission from the author. If the author wishes to control the use of her work using any kind of security scheme, including tracking the distribution of the copyrighted work by use of various tracking techniques including but not restricted to the use of the standard tracking technique often referred to by the name "web-bugs", then it is illegal to circumvent this kind of copyright protection device and doing so violates the anti-circumvention clause of the DMCA!
what about illegal use of a computer ?
by SimonHobson October 1, 2006 3:33 AM PDT
Where does neutering web bugs stop being violating "... the
anti-circumvention clause of the DMCA!" and become a legitimate
technique to protect your own computer from misuse by others
who are attempting to have your computer executing something (a
file download) without your knowledge or permission ?

I guess the answer is to follow the money - the DMCA is approved
of by the big money so it trumps other laws. I just wish the US
would keep that policy to itself and stop exporting it to the UK !
Disclaimer
by ambigous September 29, 2006 4:56 PM PDT
I found this in ReadNotify's Terms of Service:

"You agree that You will not..."

"...(vi) transmit, or otherwise facilitate the transmission by anyone, of unsolicited, erroneously labeled and/or intentionally deceptive e-mail messages..."

Considering the nature of their "service," that's a fairly potent disclaimer!
by cowen80194 November 2, 2009 3:43 PM PST
Well now we need to create a way to patch this "BUG" before it is exploited by Spammers, and the like.

There are legitimate uses for this possibly but the staggering possibility that this will be abused by illicit users and that TRUMPS any legitimate use that this "service" may have.

First it starts out with tracking and then it moves on to hidden downloads that contain key logging software and zombie bots.

All that would need to happen is a few email servers get attacked and taken over start adding these codes and every unsuspecting person that receives an email would become a target. With all these zombies being created to go and attack at will. DDOS problems would be rampant.