Posts Tagged ‘google’

moxie’s proxy

Sunday, January 22nd, 2012

Moxie Marlinspike, a security researcher probably best known for his SSL proxy tool, likes google even less than I do. His googlesharing website says:

“Google thrives where privacy does not. If you’re like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you’ve ever searched for, what search results you clicked on, what news you read, and every place you’ve ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn’t reach through Google. If you use Gmail, they know the content of every email you’ve ever sent or received, whether you’ve deleted it or not.

They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you’re doing, they also have significant insight into what you’re thinking.”

His solution to this problem was interesting. He came up with the idea of a proxy system which would intercept all google queries, strip off identifying material (such as cookies and User-Agent strings and other HTTP headers), substitute new identifiers and mix the requests up with those from other users before forwarding to google. Implementation depended upon a Firefox addon (nothing for other browsers) which identified google queries and forwarded them to the proxy. All other traffic was untouched.

image of googlesharing proxy

I stopped using google (except via scroogle) some time ago, and when Moxie’s new proxy first surfaced I thought it interesting but susceptible to the same problem I discussed in mid 2009 when writing about Hal Roberts’ experience of GIFC – all you are doing is shifting knowledge of your searches from google to a new intermediary. However, Moxie later addressed this problem with the release of version 0.20 of his addon so I thought I’d take another look at it. Unfortunately the addon won’t work with FF 9 (which I am using). Moxie’s proxy is not the only one out there however. Because he released the code under an open source licence, others have picked it up. I found one at gs.netsend.nl. They also provide an updated FF addon which will work with versions up to 15 (i.e. probably around next Wednesday given the speed with which Mozilla is currently shipping new FF releases).

Once the addon is installed, it gives you two proxy options in the preferences settings – one is the original proxy.googlesharing.net, the other is gs.netsend.nl itself. In testing I found that the original googlesharing proxy seemed to be off-line, but when using the netsend.nl proxy I was reassured to see the message “Search results anonymized by GoogleSharing” added to the google homepage. I was even more reassured that my sniffer showed a connection to vps1101.pcextreme.nl on 31.21.98.201 and not to any known google network.

So, will I use it? Maybe. But the proxy mechanism seems to be unreliable. In many tests, the proxy connection seemed to be bypassed and the connection was obviously made direct to google (as evidenced by my sniffer). I think this failure is doubly unfortunate because it does not fail safe (i.e. the connection does not simply fail with an error message, it passes you direct through to google). This could lead the unwary to think that they are protected when in fact they are not.

I prefer not to use google at all. And in those cases where I do want to compare results with another search engine I prefer to do so via tor. But it is one more option in my toolkit if used carefully. And if using it pisses off google, then it is worth it occasionally.
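The scheme described in this post (strip identifying headers, substitute a shared identity, leave other traffic alone) and the fail-safe behaviour it lacked can be sketched as follows. This is an added example, not GoogleSharing's code: the header list, the identity pool, the host-matching rule and every function name are assumptions made for illustration.

```python
import random

# Headers that can tie a request to one browser or user (illustrative list).
IDENTIFYING = {"cookie", "user-agent", "referer", "accept-language",
               "authorization", "x-forwarded-for", "via", "from"}

# Constructed pool of shared identities handed out by the hypothetical proxy.
IDENTITY_POOL = [
    {"User-Agent": "ExampleBrowser/1.0", "Cookie": "PREF=pool-identity-a"},
    {"User-Agent": "ExampleBrowser/2.0", "Cookie": "PREF=pool-identity-b"},
]

class ProxyUnavailable(Exception):
    """Raised instead of silently falling back to a direct connection."""

def is_google_host(host):
    # Assumption: only google.com and its subdomains are diverted.
    host = host.lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

def anonymize(headers, identity):
    """Drop identifying headers (case-insensitively), then add the pooled identity."""
    clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING}
    clean.update(identity)
    return clean

def route(host, headers, proxy_up, rng=random):
    """Return (next_hop, headers); fails closed for Google hosts."""
    if not is_google_host(host):
        return "direct", dict(headers)  # all other traffic is untouched
    if not proxy_up:
        # Fail safe: an error, never a quiet direct connection.
        raise ProxyUnavailable(f"refusing direct connection to {host}")
    return "proxy", anonymize(headers, rng.choice(IDENTITY_POOL))

if __name__ == "__main__":
    # Constructed sample request.
    sample = {"Host": "www.google.com", "User-Agent": "Firefox/9.0",
              "Cookie": "PREF=ID=constructed", "Accept": "text/html"}
    print(route("www.google.com", sample, proxy_up=True))
    try:
        route("www.google.com", sample, proxy_up=False)
    except ProxyUnavailable as exc:
        print("blocked:", exc)
```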

google buys advertising

Wednesday, November 23rd, 2011

In an interesting reverse of the norm, google paid for three full page adverts in the guardian a couple of days ago. Today there is yet another full page ad in the same paper. I assume they have run similar campaigns in other UK newspapers over the past few days. The ads are quite intriguing in that they seem to be addressing potential concerns about the use of well established web technologies. Today’s ad, for example, was about cookies. Each ad points to a google site giving further detail.

These adverts cannot have been cheap. What are they worried about?

a double googol

Thursday, October 13th, 2011

It seems that google has lost a recent battle to wrest control of the goggle.com domain away from its owner. I wonder if they’ll want to have a go at me next.

google opt out village

Saturday, October 9th, 2010

The Onion News Network reports:

This is not satire……

it’s not that I’m anti google

Saturday, September 4th, 2010

I’m just pro privacy. And google just happens to be one of the worst offenders when it comes to breaches of my privacy. El Reg yesterday ran an article pointing to the consumerwatchdog.org ad depicting Eric Schmidt as a “privacy pervert”. Deliciously, that ad is hosted on youtube.

But consumerwatchdog have long campaigned about google’s attempts to trample on users’ privacy. The video below shows how google’s chrome browser fails to protect the user’s privacy even when “incognito mode” is used. Incidentally, the video also shows how google’s javascript based, supposedly helpful, “stem searching” capability during searches effectively adds a keystroke sniffer to your PC. Note that this capability is not specific to chrome, it happens whatever browser you use when you use google’s search engine.

Be careful out there.

phone home

Sunday, August 29th, 2010

Google’s chrome browser first appeared back in 2008, since when many commentators have sung its praises. Apparently it is “blindingly fast” (well, let’s face it, firefox can be a tad slow, particularly if loaded down with a swathe of plugins), “clean”, and “simple”. Until recently I had not tried chrome (for some fairly obvious reasons) but I thought it might be interesting to fire up a copy in a VM just to see what all the fuss was about. So I did. And whilst I was doing that I ran tcpdump and etherape to see what was happening under the hood. What I found intrigued me.

First I spun up a completely new clean install of ubuntu in a virtualbox VM. Then I downloaded the latest chrome .deb from the google site and installed it. Before launching chrome for the first time in the guest system I fired up the sniffers in the host system. This is what I found:

image of etherape capture

Note that etherape shows five connections which are instantly recognisable as going to google servers (the 1e100.net domain), three to verisign, and a further three to IP addresses with no associated names (these appear to be either youtube or google image cache machines – also owned by google of course). You can ignore the rlogin.net servers, they are all mine.

A quick look at the tcpdump record shows that the verisign connections all check for SSL certificates and/or revocations – perfectly sensible and understandable. But the google connections are less illuminating until you follow the tcp streams. Two of the connections are SSL encrypted so it is not possible to be certain what is carried in them, but they appear to be certificate exchanges (or updates), a third gets a certificate revocation list whilst two more get simple html or xml schema probably associated with building the welcome screen (I didn’t explore in detail). One connection gets a shockwave flash file and two get and set cookies in the youtube domain. At least one of the google connections also gets and sets cookies in the google domain.

Now none of this is inherently suspicious (well, alright, it might be) but the point is that all this happens upon first connection and without reference to the user. And if you don’t want google (or youtube) cookies on your machine you will have to delete them when first you use the browser. I have an instinctive (OK, partly irrational) dislike of software which “phones home” without telling me – and chrome does that on quite an impressive scale. I’m not sure what would happen in prolonged usage of the browser because I wasn’t impressed enough to want to use it in anger.

I’ve trashed the VM of course.
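The first-run check in this post can be repeated on a saved tcpdump text log by grouping the connections the guest opened by the owner of each destination name. The following is an added example, not part of the original post: the capture lines are constructed, the 1e100.net suffix comes from the post, and the other suffixes, host names and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Reverse-DNS suffix -> owner. 1e100.net is from the post; the rest are assumed.
OWNERS = {"1e100.net": "google", "verisign.com": "verisign", "rlogin.net": "own"}

# Constructed sample in tcpdump's text format (not a real capture).
CAPTURE = """\
10:00:00.000001 IP 10.0.2.15.40001 > host-a.1e100.net.443: Flags [S], length 0
10:00:00.000002 IP 10.0.2.15.40002 > host-b.1e100.net.80: Flags [S], length 0
10:00:00.000003 IP 10.0.2.15.40003 > host-c.verisign.com.80: Flags [S], length 0
10:00:00.000004 IP 10.0.2.15.40004 > 192.0.2.10.80: Flags [S], length 0
10:00:00.000005 IP 10.0.2.15.40005 > host-d.rlogin.net.25: Flags [S], length 0
10:00:00.000006 IP host-a.1e100.net.443 > 10.0.2.15.40001: Flags [S.], length 0
"""

# Match only bare SYN packets, i.e. connections being opened; "[S.]" replies are skipped.
LINE = re.compile(r"IP (\S+)\.([\w-]+) > (\S+)\.([\w-]+): Flags \[S\]")

def classify(host):
    """Map a destination to an owner; bare IP addresses are 'unnamed'."""
    try:
        ipaddress.ip_address(host)
        return "unnamed"
    except ValueError:
        pass
    for suffix, owner in OWNERS.items():
        if host == suffix or host.endswith("." + suffix):
            return owner
    return "other"

def first_run_report(capture, ignore=("own",)):
    """Return {owner: sorted destinations} for every connection opened."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        dest = m.group(3).lower()
        owner = classify(dest)
        if owner not in ignore:
            seen[owner].add(dest)
    return {owner: sorted(hosts) for owner, hosts in seen.items()}

if __name__ == "__main__":
    for owner, hosts in first_run_report(CAPTURE).items():
        print(f"{owner}: {len(hosts)} destination(s): {', '.join(hosts)}")
```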

they are taking over the entire net

Monday, August 2nd, 2010

Some time ago I disabled my wp-recaptcha plugin because it had the unfortunate side effect of marking all comments as spam. I don’t have a particularly high comment rate, but the ones I do get, and which get past akismet, are usually OK. Apparently a flaw in version 2.9.6 surfaced when wp-recaptcha was used in conjunction with wordpress 2.9.2. I obviously got caught with this when I updated my wordpress installation so when I noticed the problem I just disabled wp-recaptcha. Of course I have since updated wordpress again and I noticed that the plugin had also been updated to 2.9.7 so I thought I would upgrade and reactivate. Upon doing so, however, I discovered that my public/private key pair had disappeared as a result of the deactivation and I was invited to apply for a new set. OK, no problem, happy to do so but a bit peeved that the keys seemed to be deleted when the plugin is deactivated. This strikes me as unnecessary.

But, and this is now a big but, this is what I was greeted with when I attempted to get a new set of keys:

“reCAPTCHA is now part of Google. In order to use it, you must create a new Google Account or sign in with an existing Google Account.
If you are a previous user of reCAPTCHA, you can migrate your old account after signing in with a Google Account.”

Yikes! It seems that re-captcha is now part of google. The chocolate factory have bought yet another piece of internet infrastructure which will no doubt feed the maw of the advertising goliath with statistics gained from my site.

Well bollocks to that. It can stay disabled. I’ll look for another captcha mechanism.

scroogle is having a problem

Sunday, July 4th, 2010

I posted a note about scroogle back in January. Scroogle offered an SSL interface to the google engine, and, moreover, didn’t lumber its users with google cookies and sundry other irritations. Since then, however, google themselves have started to offer an SSL interface and, coincidentally, scroogle seem to have started to have some problems.

If you visit the scroogle SSL interface, you get a redirect to a notice which explains why some changes made at google mean that scroogle can no longer work properly. Scroogle managed to get a workaround in place for a few days, but it seems that another google change has finally killed that too unless google can be convinced to help out – unlikely in my view. The scroogle redirect page (dated 1 July 2010) has the following line from Daniel Brandt:

“Thank you for your support during these past five years. Check back in a week or so; if we don’t hear from Google by next week, I think we can all assume that Google would rather have no Scroogle, and no privacy for searchers.”

That in itself is bad enough, but as a separate new posting explains, scroogle now seems to be the target of a botnet aimed at swamping its servers. As Brandt goes on to say:

“Google has a few hundred thousand servers, while Scroogle has six. They can put up with sites that spread malware, but our bandwidth is limited. Even if Google relents and the output=ie interface returns, this Scroogle malware problem could still be increasing at that point. Eventually it alone might shut down Scroogle.”

Sad. I hate to see the little guy lose out.

are you /really/ sure you want that mobile phone

Sunday, January 10th, 2010

The launch of the google nexus one “iPhone killer” reminds me just how prescient Dr Fun’s cartoon of 16 January 2006 (see third cartoon down from the top on the right) really was.

I just love the way the google employee in the video says at the end that Verizon and Vodafone have “agreed to join our program”.

Oh yes indeed.

using scroogle

Saturday, January 2nd, 2010

For completeness, my post below should have pointed to the scroogle search engine which purportedly allows you to search google without google being able to profile you. Neat idea if you must use google (why?) but it still fails the Hal Roberts test of what to do if the intermediate search engine is prepared to sell your data. I actually quite like the scroogle proxy though, particularly in its ssl version because anything that upsets google profiling has to be a good thing. Besides, the really paranoid can simply connect to scroogle via tor.

(Odd that google seem not to have tried to grab the scroogle domain name. If they do, let’s just hope that they get the groovle answer.)