[FW1] [Fwd: Doubleclick]
Ohla,
I received over a dozen requests for the original DoubleClick info I
posted. With this in mind I decided to just repost it to the list. Part
of the problem was that my last post referenced an e-mail I had actually
submitted to another list.
Enjoy!
Chris
-------- Original Message --------
Howdy all,
Sorry I've been so quiet as of late. Been wrapped up in a number of side
projects.
I've had a number of people/clients querying me as to what they can do
about DoubleClick ads as well as information that is submitted to them
by different sites on the wire. Thought I would post the results here
for anyone who is interested. If you are not sure what I'm talking
about, let me digress for a moment.
Here's a great test. Try the following:
go to http://www.altavista.com
enter in some search parameters
sniff your workstation's connection
Hit the "Search" button
What you will see is pretty interesting. Your search parameters will be
submitted back to Altavista. You will also see a unique connection get
generated to http://ad.doubleclick.net/ and your search parameters will
be submitted there as well. The full log entry will look something like
this:
[Sat Dec 18 23:36:04 1999]
http://ad.doubleclick.net/adi/altavista.digital.com/result_front;kw=your+search+words;cat=stext;ord=1834078127
So Altavista is forcing your browser to connect to DoubleClick and let
them know what you are searching for. Kind of "Big Brother" if you ask
me. Also, what's this "ord" field appended to the end??? Hummm...
I received a great post from an individual who has done some wonderful
work in this area. I will keep the poster anonymous unless they ask me
to post their name. A clip from their e-mail is as follows:
>In fact, the ord= value includes the altavista's cookie. Using my
>running junkbuster proxy, I asked to search for "doubleclick bait" and
>altavista issued me this cookie:
>
>www.altavista.com AV_UID=48a3; expires=Friday, 31-Dec-99 12:00:00 GMT;
>path=/; domain=.altavista.com;
>
>and the reply page included two image/link pairs pointing to:
>
>http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=doubleclick+bait;ord=1397269248
>
>Now, if you convert 1397269248 to hex, you get:
>
>% perl -e 'printf "%x\n", 1397269248;'
>5348a300
>
>which includes the substring 48a3 from the AltaVista cookie. This
>isn't a coincidence, since I have verified the same pattern several
>times in the past. Although recent IDs have been short (as in
>"48a3"), older ones were longer and adopted some minimal
>byte-rearranging, perhaps in the hope that no-one would notice.
This is just one example. The poster included many others. Suffice to
say that it appears the "ord" value and your Altavista cookie are
related.
So what good does this do DoubleClick? Check this link:
http://mail.altavista.com/
If you get e-mail through Altavista they now have lots of info to
associate with your cookie ID. I'm _not_ saying they do anything with
the info, just that it's available. AV offers a number of other services
you can "register" for as well. ;)
You may also want to have a look see at:
http://doc.altavista.com/legal/privacy.shtml
which is AV's privacy statement. Note that there is no mention of
forwarding your search and cookie info to DoubleClick. In fact, the
first line item is pretty funny: "We pledge that AltaVista will not use
information about you without your permission.". ;)
I know I sound like I'm picking on AltaVista, but in fact there are many
other sites that do exactly the same thing. The above is only an
example.
So what to do about it?
The first reaction is to simply block all access to DoubleClick's
network. This will prevent your internal systems from being able to
connect to DoubleClick's servers and forward the above mentioned info.
Of course the problem here is that many modern browsers (IE 5 for
example) break when you do this displaying a page stating that the
destination site could not be reached. This results in users complaining
whenever they cannot access a site which redirects traffic to
DoubleClick.
I found a slick way to get around this problem. On your internal DNS,
simply set up an authoritative record for the doubleclick.net domain.
Then add a single "A" record that points "ad.doubleclick.net" at a local
Web server.
The results are pretty cool. Local users receiving the above redirection
will be sent to this Web server. No more info getting forwarded to
DoubleClick. The bonus is that the clients are unable to pull down ads,
thus resulting in reduced bandwidth utilization on your Internet link.
It's amazing how much faster the Dilbert homepage downloads when you
filter out all the ads. ;)
I've even rolled this out at an ISP with no problems in connectivity.
The only "issue" is if your organization really wants to be able to
communicate with DoubleClick. If so, the above fix will break that
connection.
Hope people find this helpful,
Chris
-------- Original Message --------
Greetings all,
Back on 12/19/99 I posted a rather verbose message to the Firewalls list
on how a number of search engines are taking the search criteria you are
entering and submitting it back to DoubleClick. Basically what you see
is just after submitting your parameters to a search engine, your
browser connects to ad.doubleclick.net in order to send something
similar to the following:
http://ad.doubleclick.net/adl/site_you_searched.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=119996981
Where the "kw" string is your list of search parameters (key words?) and
"ord" (based on research by Adrian Colley) is a hex conversion of your
cookie ID. In other words, your ID and what you've been looking for gets
sent back to DoubleClick.
Based on this article:
http://news.cnet.com/news/0-1005-200-1531929.html?tag=st.ne.1002.tgif
this info may eventually get correlated with the rest of your personal
info. Kind of a "personality profile" if you will, similar to the modern
day credit report. Do a search on "evil hacker sites" and this gets
associated with your profile. Of course the problem is that if your five
year old searches for "pictures of naked monkeys" they may associate
these key words with your ID as well.
This has organizational security implications as well. For example how
much would your competitors pay to know what info you are searching for?
IMHO given the number of sites involved in this "info sharing" the
practice has become a few steps shy of placing a sniffer outside your
firewall.
As mentioned in that original post, I've set up a "DoubleClick honeypot"
to ID the sites that are submitting this info back to DoubleClick. The
list I have so far is:
aj.com
ajkids.com
altavista.digital.com
anywho.com
av.com
babycenter.com
boston.com
buy.com
corptech.com
drcoop.com
greatdomains.com
hoovers.com
imdb.com
infoseek.com
foodtv.com
redhat.com
remarq.com
rocketlinks.com
rtq.net
yellowpages.com
The two that really bug me are RedHat (happens from their search page,
not the main page) as you would expect them to be more sensitive to
these kinds of issues and drcoop.com as the site is for searching
medical info (I now know *way* too much about what ails my users ;).
Note that these are *not* just ad partners, these sites forward your
search info back to DoubleClick.
Since this is all outbound TCP/80 traffic, it burns right through most
firewalls. If you try and block all HTTP to DoubleClick, many browsers
choke and kick an error back to the user. The only real effective means
of killing this traffic is to proxy through JunkBusters or a honeypot
similar to my setup (detailed in my 12/19 post).
Just curious if there is anyone out there that can add/delete from the
above list. I'm also wondering _why_ they do it. Do these sites receive
some form of financial return for submitting this info? Why don't they
state what they are doing in their privacy statement?
I'm also wondering if people feel an ORBS kind of setup is in order.
It's really starting to trouble me just how much information is getting
reported back to a single agency under the guise of "target
advertising". If the government was doing this people would be freaked.
Thoughts?
All input appreciated,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
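
The honeypot log review and the ord/cookie check described in the posts above, as an added example that is not part of the original messages: it parses requests in the URL format quoted there, lists which sites forwarded search keywords, and tests whether an "ord" value in hex contains a given cookie ID. The log lines are constructed from the URLs quoted in the posts (the last one is made up), and all function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in the log format quoted in the posts (not real captures).
SAMPLE_LOG = """\
[Sat Dec 18 23:36:04 1999] http://ad.doubleclick.net/adi/altavista.digital.com/result_front;kw=your+search+words;cat=stext;ord=1834078127
[Sat Dec 18 23:40:10 1999] http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=doubleclick+bait;ord=1397269248
[Sat Dec 18 23:41:55 1999] http://ad.doubleclick.net/adl/site_you_searched.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=119996981
[Sat Dec 18 23:42:01 1999] http://ad.doubleclick.net/ad/example.test/banner;sz=468x60
"""

# /ad, /adi and /adl are the path prefixes that appear in the quoted URLs.
AD_URL = re.compile(
    r"https?://ad\.doubleclick\.net/(?:adi|adl|ad)/([^/\s]+)/([^;\s]*)((?:;[^;\s]*)*)"
)

def parse_line(line):
    """Return site, page, kw and ord for one log line, or None if it is not an ad request."""
    m = AD_URL.search(line)
    if not m:
        return None
    site, page, params = m.groups()
    # Parameters are ';'-separated key=value pairs, not a normal '?' query string.
    fields = dict(p.split("=", 1) for p in params.split(";") if "=" in p)
    ord_raw = fields.get("ord", "")
    return {
        "site": site,
        "page": page,
        "kw": unquote_plus(fields["kw"]) if "kw" in fields else None,
        "ord": int(ord_raw) if ord_raw.isdigit() else None,
    }

def sites_leaking_keywords(log_text):
    """Map each referring site to the search keywords it forwarded."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kw"]:  # plain ad fetches without kw= are ignored
            leaks[rec["site"]].append(rec["kw"])
    return dict(leaks)

def ord_contains_cookie(ord_value, cookie_id):
    """True if the hex form of ord contains the cookie ID as a substring."""
    return cookie_id.lower() in format(ord_value, "x")

if __name__ == "__main__":
    for site, kws in sites_leaking_keywords(SAMPLE_LOG).items():
        print(site, kws)
```
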