>Perhaps I can atone for my sins.
...;-]...and your message should be construed as atonement...;-]
>In this morning's newspaper (reference follows), I found an article of
>some interest. In it, there was an interview with a beta tester of IE
>4.0. Apparently, IE 4.0 - if left unattended - will routinely initiate
>a connection to Microsoft. Purportedly, this feature (not a bug, a
you've editorialized the story beyond what was written, did you speak to
the anonymous individuals yourself? "routinely" was not mentioned
anywhere. In both cases described both users noticed it once and
disabled the "feature". However, it could be configured to do so
"routinely", but it doesn't by default.
>feature) allows updates and special web pages to be downloaded while
>the user is away from the teriminal (busy, asleep, etc.) These updates
>are then stored on the hard disk drive of the user. According to the
>beta tester:
Nowhere does the story say this?? The feature, called "Subscriptions",
allows you to specify web sites/pages which you wish to have downloaded
to you automatically. This can be triggered by a change on the web
site/page, or at intervals. This is sort of like a caching proxy, in
that you would already have the most up-to-date versions of the page
downloaded and cached, making access to them seem faster. The idea is to
schedule these updates to occur when the machine is "idle" (for which
there is a process that determines when the machine is idle). If you are
directly connected, this means that while you're not working on your
machine, it can be working for you (which I personally think is a good
idea). If you are a dial-up user, then normally the system will prompt
you to connect to your ISP for such caching. However, since both W95 and
NT4.0 can be configured to automatically connect to your ISP when you
ask for Internet content (a feature which was really designed to act
like an ISDN dial-on-demand connection), its possible that the
combination would mean the system would dial your ISP automatically.
This dial automatically thingy is not new to IE4, its been there since
'95 was released. The channel thingy, or subscriptions (channels are
pre-defined service providers of push content which you can subscribe to
and specify what you want, PointCast is one of them for example) is
again a configurable option. If there was a paux faux in any of this it
was the default subscription which automatically checks for new channel
providers (which is what one of the two people experienced).
>The article suggests that I.E. 4.0 not only initiated the connection,
>but actually activated dial-up networking to make that connection.
>Presumably, on 95 boxes that are networked (e.g., not dialup), this
>feature would also operate.
Yes, of course.
>Of particular interest is this: one beta
>tester reported that while he was sleeping, 4.0 downloaded
>approximately 250K of info from MS. More bizzare yet is this: in
>addition to the 250K download, his machine also UPLOADED 58,000 bytes
>of information. The beta tester reported that he did not know what
>data had been uploaded.
First of all, anything done with a subscription is logged by default, so
if there were subscription updates they can be viewed. Secondly, the
history file should have been updated as well, indicating what sites
were visited. Finally, cookies and normal HTTP requests could account
for the upload content quite easily (depending on where he was
attaching). If content hasn't changed, I could quite easily send that
much data to get that little data in return.
>I am wondering this: suppose such a box was located behind a firewall
>but was allowed outside access. Does this not constitute an EXTREME
>security risk?
Certainly, if we're going to start the conspiracy theorist stuff again.
Let's see, all I have to do is put a sniffer on my wire for a single
night and in the morning I could blackmail MS for billions of dollars or
report all that credit card stuff their transmitting from my machine to
their web servers, right??
Their cookies are no bigger than anyone else's (and if you don't want
any you can turn them off), so unless their opening an SSL connection
that I haven't seen in 4+ months of running the alpha and beta, they
ain't sending squat. Just plain old HTTP requests to get the pages
you've asked for, and the updated channels information you haven't asked
for (but get by leaving the Channels ActiveDesktop program running,
which can also be turned off btw).
There are lots of programs capable of automatic pulls, or polls, that do
the same stuff. A monitor of any of them would likely yield a similar
amount of outgoing traffic, albeit to a far less media-interesting site.
>If 4.0 is capable of uploading information from a local
>drive of a 95 box, it can presumably do this from badly managed shares
>as well, no?
First of all, where is it stated that this stuff originated from the
local drive of a 95 box?? I mean, the user info supplied to today's
average webserver is a couple of k all by itself, not to mention another
k for a cookie. So if we say a single connection to a web server (doing
nothing else) results in about 3k of outgoing transfer data, then we're
talking about 20 connections to make more than 58k, right? Of course ASP
sites store temporary information in cookies as well, and repeated call
for the cookie from page to page, so a single session with an ASP web
site might result in, well, 58k of outgoing transfer data in a single
site.
Really, just put a sniffer on and watch it yourself, its pretty harmless
(albeit chatty) HTTP stuff.
Cheers,
Russ
|
|
