Ugly Mail: Gmail Extension to Expose E-mail Tracking

Nice idea, but I would like it to work for other browsers and other e-mail programs.

Posted on April 1, 2015 at 1:13 PM • 69 Comments

Comments

Mace Moneta • April 1, 2015 1:25 PM

For GMail, on any browser, just change the setting (General tab) for image handling to:

 Ask before displaying external images

Ron Obvious • April 1, 2015 3:00 PM

Thunderbird has also had that setting (block external content) for eons now. I believe it's the default setting. Or is there more to tracking blocked here than just external images?

Chris Beck • April 1, 2015 3:41 PM

Further defense-in-depth for when an email contains a mix of trackers and desirable images can be obtained by using Ghostery or HTTPSwitchboard or a reasonable hand-drawn facsimile.

Bernie • April 1, 2015 4:07 PM

I agree with the earlier comments: if this is a new/important thing for Chrome then it is WAY behind the times. Almost every real email client has had that kind of facility for years. And folks addicted to web-based email have been able to block all of that for years also [ghostery, adblock, etc]. Does this extension do something that the 'standard' email machinery hasn't done for a while now?

Andrew • April 1, 2015 5:03 PM

Back in high school I was fascinated by Netscape's mail client - it allowed you to send formatted text!

Now I'm rooting for peaceful plain text devoid of the color cacophony, external images and artistic fonts.

Man, I must be getting old... :D

Arad • April 1, 2015 5:30 PM

No third party can track you through GMail, only Google can. Have you seen this?
https://support.google.com/mail/answer/145919?hl=en

How Gmail makes images safe

Some senders try to use externally linked images in harmful ways, but Gmail takes action to ensure that images are loaded safely. Gmail serves all images through Google’s image proxy servers and transcodes them before delivery to protect you in the following ways:

  • Senders can’t use image loading to get information like your IP address or location.
  • Senders can’t set or read cookies in your browser.
  • Gmail checks your images for known viruses or malware.

In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.

Thomas • April 1, 2015 6:07 PM

Arad - your assertion that only Google can track you is wrong and is contradicted in the last paragraph from your Google quote!

"In some cases, senders may be able to know whether an individual has opened a message with unique image links".

So the unique link loads, sets a cookie in your browser and, Abracadabra, you're being tracked.

Unique image links are very common, and that in itself is a good reason for ensuring that your mail client blocks external images.

There are other ways to track you such as your browser ID, SSL ID or lots of other pieces of unique information.

Have a look at this website

Buck • April 1, 2015 6:32 PM

@Arad

That last tidbit is a little interesting... I would've thought that they'd automatically fetch all incoming images. This way, senders wouldn't know whether or not a gmail user had opened a message... Plus, other benefits (data = money = power)..?

65535 • April 1, 2015 6:46 PM

@ Arad

“…In some cases, senders may be able to know whether an individual has opened a message with unique image links.” – Arad

You seem to be well informed about Gmail.

Could you please clarify those “cases” where senders know whether an individual has opened a message with "unique image links" and how it is done.

I would guess that Google’s proxy servers must know when an image is opened in a Gmail message, approximately where it was opened, and whether it was marked as spam.

I would also guess that Google’s special services sells that information. I would further guess there is a “non-disclosure” agreement on said information and how it is obtained and sold.

Could you discuss more about Google’s mail image proxy servers and their exact abilities? Thank you.

Dirk Praet • April 1, 2015 6:52 PM

@ Arad

"No third party can track you through GMail, only Google can. Have you seen this?"

For an ordinary machine (laptop, desktop), this applies to Gmail through a web interface, not to those using a traditional MUA. In Thunderbird, all remote content is blocked by default. If (for some reason) you wish to enable remote content, you can still do so selectively by additionally installing AdBlock Plus and adding custom filters where necessary. As in Firefox, Thunderbird also allows you to reject cookies.

Lesson learned: doing your mail through a web interface is a bad idea for more than one reason.

A Nonny Bunny • April 2, 2015 1:00 AM

Frankly I'm more worried that everyone can read my email in-transit than that the sender knows whether I've opened it.

@Buck

"That last tidbit is a little interesting... I would've thought that they'd automatically fetch all incoming images. This way, senders wouldn't know whether or not a gmail user had opened a message..."

I suspect google fetches/proxies the image the moment you open the email, not when their server accepts the email. And if they're unique image links then the sender will know which email has just been opened.

Lynx • April 2, 2015 3:41 AM

@Arad: "Gmail serves all images through Google's image proxy servers and transcodes them before delivery"

It is not just about the images, it is also the same for every link inside your mail.

Gmail also replaces every link by a redirect page hosted on their servers. This is how Google learns everything about your clicking on links included in *your* e-mail.

Winter • April 2, 2015 5:29 AM

@65535
"Could you please clarify those “cases” where senders know whether an individual has opened a message with "unique image links" and how it is done."

My guess, each email gets an inline single pixel image with a unique code in the image name, say Graphix-65535.gif. When the image is requested, this is an indication the email message has been opened.
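
Added example, not part of the comment thread: a recipient-side check for the kind of image Winter describes, listing every `<img>` in a message's HTML part and flagging remote ones that are 1x1, hidden, or carry a unique-looking token in the URL. The sample message, its hosts and the token thresholds are constructed assumptions; a remote image that is not flagged still signals an open if it is loaded.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body; every host and file name here is made up.
SAMPLE_HTML = """\
<html><body>
<p>Spring newsletter</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="http://mail.example.net/Graphix-65535.gif" width="1" height="1">
<img src="https://t.example.org/o?u=9f8e7d6c5b4a39281706f5e4" style="display:none">
<img src="cid:banner@example.com" width="600">
</body></html>
"""

# Assumed thresholds: 5+ digits or a 16+ character opaque run looks per-recipient.
TOKEN_RE = re.compile(r"\d{5,}|[A-Za-z0-9_-]{16,}")
TINY_STYLE_RE = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\b", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def build_sample():
    """Serialize the constructed message to raw bytes, as a client receives it."""
    msg = EmailMessage()
    msg["From"] = "news@example.net"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Spring newsletter (plain-text part)")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_bytes()


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def classify_image(attrs):
    """Return src, whether loading it causes a network fetch, and why it looks like a tracker."""
    src = attrs.get("src", "").strip()
    url = urlsplit(src)
    # cid: and data: images ship inside the message and trigger no request.
    remote = url.scheme in ("http", "https") or src.startswith("//")
    style = attrs.get("style", "")
    dims = [attrs.get(k, "").strip().lower().replace("px", "") for k in ("width", "height")]
    reasons = []
    if all(d in ("0", "1") for d in dims) or TINY_STYLE_RE.search(style):
        reasons.append("1x1 or zero-size")
    if HIDDEN_STYLE_RE.search(style):
        reasons.append("hidden by CSS")
    if TOKEN_RE.search(url.path + "?" + url.query):
        reasons.append("unique token in URL")
    return {"src": src, "remote": remote, "reasons": reasons,
            "likely_tracker": remote and bool(reasons)}


def audit_message(raw):
    """Parse a raw RFC 5322 message and classify each image in its HTML parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())  # decodes the transfer encoding
        findings.extend(classify_image(a) for a in collector.images)
    return findings


if __name__ == "__main__":
    for f in audit_message(build_sample()):
        label = "TRACKER?" if f["likely_tracker"] else ("remote" if f["remote"] else "embedded")
        print(f"{label:9} {f['src']}  {', '.join(f['reasons'])}")
```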

Buck • April 2, 2015 5:37 AM

@A Nonny Bunny

I have no doubt that is what the text suggests, I'm simply wondering why that is..?

Peter A. • April 2, 2015 6:43 AM

Haha, I still use mutt (with w3c if there's no plaintext section in MIME message). The message text (either plain or HTML) and attached files are sufficient for communication - any image linked externally from HTML is either useless decoration, spam, or tracking device.

Anura • April 2, 2015 7:04 AM

I don't even use webmail. Thunderbird blocks images, and I rarely click links in email.

Clive Robinson • April 2, 2015 7:43 AM

The problem is one of role reversal that benefits the initiator, that was not envisaged in the original system design.

EMail was essentially designed as a "push" service, and under normal circumstances the originator would not know what happened on the other side of the transport agent, unless the recipient chose to reach out.

However by later incorporating a "pull" technology (HTML) the roles get reversed, and the Email user client "reaches out" without the user's consent due to "user convenience" built into the upgraded user client.

Worse is the use of "web mail" where the server is not under the control of either the sender or recipient but some third party. Because they can modify the pull back links (URLs in this case) to their own advantage.

If you think about it this is not the only pull back service that can be booby-trapped. You can do similar through the Domain Name Service or any other service that requires either resolving or pull back.

For a well connected observer the nature of TOR (low latency) allows these links to de-cloak users as well...

Solving these issues is not going to be either easy or possible with many services.

paul • April 2, 2015 9:44 AM

Reading mail as plaintext also helps guard against phishing, because (assuming that the phisher bothered to supply a text version at all) you can see immediately where all the links actually go.

The people who host my email account are somewhat younger than I am, but I do wonder what's going to happen in another 10 years or so...

A Nonny Bunny • April 2, 2015 1:28 PM

@Buck

"I have no doubt that is what the text suggests, I'm simply wondering why that is..?"

My first thought would be: to not do work unless you have to.

But that implicitly presupposes that a lot of mail doesn't get read -- otherwise you don't save work. And while there is a lot of spam, if that were the only issue, you could just treat them separately (pre-process regular mail, and on-demand-process spam). Another counter argument is that preprocessing has the advantage that you can do it when servers are not busy with requests or other processing.
Maybe it's just out of consideration for the sender. Either so their server doesn't get hammered by gmail after the start of an email-campaign, or explicitly so they can track their campaign.

65535 • April 2, 2015 7:42 PM

@ Winter

“My guess, each email gets an inline single pixel image with a unique code in the image name, say Graphix-65535.gif. When the image is requested, this is an indication the email message has been opened.”

That is a reasonable guess.

@ Lynx

“It is not just about the images, it is also the same for every link inside your mail. Gmail also replace every link by a redirect page hosted on their servers. This is how Google learns everything about your clicking on links included in *your* e-mail.”

This is more along the lines I was thinking about. But, we still don’t know the exact mechanics behind it.

@ techie
"AdBlock? Srsly? please switch to uBlock immediately... same with Ghostery..."

Interesting. Let me take a stab at it. So, Adblock and Ghostery gain information when you unblock a site. I then guess that “unblocked” site goes into a database which is then resold.

Am I close?


Buck • April 2, 2015 10:01 PM

@65535 & Winter

I'm not really sure it's a reasonable 'guess' any more than it's a reasonable fact... The top three links I get when using Google to search for 'unique image tracking' are:

See also: my own personal experiences
Although, what @name.withheld and I are discussing there is even more useful than what we're talking about here... It allows you to track users like a super-cookie across websites instead of the simple boolean yes/no it was/wasn't opened. Shortly after my exchange with Anura, I realized that the 'private browsing' feature in most browsers would prevent caching and therefore the super-cookie as well... However, even without caching, the sender will still know if it's been opened! Who has opened it may still be up for debate though. ;-)

As for every other non-image link, they shouldn't be able to track you unless you click it or your client has some silly link prefetching functionality enabled

Buck • April 2, 2015 10:06 PM

@A Nonny Bunny

I never actually considered the conscientious bandwidth saving, but I suppose it is a valid possibility... Thanks!

Lynx • April 3, 2015 2:37 AM

@65535: "But, we still don't know the exact mechanics behind it."

Open your gmail account in lynx browser. If you encounter a redirect loop, go to https://mail.google.com/ ; then look at urls of links in your inbox.

For example, in my mail, http://news.sciencemag.org/scientific-community/2015/03/editor-quits-journal-over-pay-expedited-peer-review-offer was replaced by
http://www.google.com/url?q=http%3A%2F%2Fnews.sciencemag.org%2Fscientific-community%2F2015%2F03%2Feditor-quits-journal-over-pay-expedited-peer-review-offer&oi=H&otze=3&eha=m08U3uBB0G5tw92sElDVxGkFw1h92-eCmM
(I randomized letters and numbers after the first & sign).

mesrik • April 3, 2015 9:30 AM

@all

Isn't it kind of moot to be (overly) concerned about mail security if you choose to use a free cloud service which does not even have any firm guarantee of availability (best effort if any as it's free) and whose data can be located basically anywhere over the world, on servers under varying legislatures?

Google for sure trawls all emails to harvest any keywords they can use to provide ads for your screen, at the same time as it tries hard to avoid anyone else being able to do that for their clients (protecting its assets). Any other ad-funded "free" service will likely do the same or soon be belly up for lack of funds.

I mean, if you need to be or should be concerned that your unencrypted mail is not being read by third parties, or only by those capable of reading it in transit, you need to set up mail services for yourself somewhere you feel comfortable with and that is trustworthy.

I know just everyone can't straight out. But even those can get someone to set it up for them. Spending some money helps, if too busy, not any kind of skills with systems or no interest to learn a bit.

Of course running services for own need cost something, but there is no free lunch, improving security tends to come with some costs. The system also needs some periodic attention, so it should be monitored and updates run at least, but for a small need time spent for this is not big deal.

A small mail server for personal use is not that hard to have or overly expensive. A simple setup on some Linux/*BSD with an MTA, RBLDNS, SpamAssassin, ClamAV and then some IMAP server is quite straightforward to set up. And once done, it doesn't cost any more than running a small web server with Apache for some web site somewhere. It's quite a low-maintenance solution too, unless your email address is super popular with spammers or otherwise receives huge volumes of mail; then you put extra effort into spam filtering and tuning to keep the inbox in decent condition.

Having backups could be done with attic-backup (compressing, encrypting, deduplicating and mountable snapshot repository, a very nice tool) with an external disk or some remote disk space over ssh.

For a MUA there are many viable clients available. If only a web-based solution fills the need then it's a bit tougher, but setting up something like Zarafa (not free software) with additional modules gets you approximately what you get with Exchange + OWA.

But then, if you simply just need to solve that Google URL rewriting talked above and be done, that can be quite easily solved with Firefox using GreaseMonkey and Straight Google user script, that does the trick quite nicely. Of course once you have GreaseMonkey installed, know some js and understand browser DOM enough, you can stretch pretty amazing hacks with it. I've fixed many many annoying features some sites have, mostly erased/dropped content that did bug me enough.

:-) riku

who_uses_kmail • April 3, 2015 12:55 PM

Kmail + Gmail-imap user here.

I click on a Kmail-created inline "enable html by clicking here" and the message is legible with no images downloaded.

Since I don't need the images 99.9% of the time to read the email, I've forgotten how kmail's option to download images works. I know it's optional somehow.

It's a good email client. Works for me. Everyday.

who_uses_kmail • April 3, 2015 1:13 PM

@mesrik,

For the vast majority of users, they see the exchange of cost-free email service in exchange for acknowledged surveillance a fair deal.

Running your own service doesn't cost much. You can practically run a small business on a very low-power PC now and the Internet norm for email servers all run on Linux and at minimum cost-free, if not Free.

What would it cost?

  • Static IP address from your ISP.
  • ISP has to open port 25. Some ISPs won't do this for "home" service and that's a deal breaker.
  • DNS record.
  • Firewall config to open 25 and an imap port of your choosing.
  • Pretty much any old PC will do.

Old late-model single cores will be 98% idle, but be a little power hungry. A modern low-power PC, like an eeebox will be mostly idle too. Just don't install xorg-x11. You won't need it anyway. Install Debian or Centos, or whatever.

I do exactly this with an ISP that opened port 25 to my address, I have unlimited, unmetered bandwidth. Email is not a big consumer compared to say, netflix.

mesrik • April 3, 2015 3:37 PM

@who_uses_kmail

"For the vast majority of users, they see the exchange of cost-free email service in exchange for acknowledged surveillance a fair deal."

Exactly, but those complaining about security, not willing to put money and bit of effort where the mouth is feels odd. If security is problem, don't use public cloud, pay up and/or spend some time setting it up.

I have fairly good grasp of setting up those services, I've done these things professionally over 30 years. Being a generalist, long time sysadmin & networking and past 15 years more on security too.

But unlike you suggested I wouldn't use an old PC for a home mail server, but a RPi model B v2 instead.

It's dirt cheap, fast enough and doesn't use much power though. Spare parts easy to get for years to come etc. You get quite nice tiny server from it when you run it headless, using couple of USB ports to SanDisk Cruzer Fit 16GB/32GB disks, setting up software RAID+LVM, using MicroSD just for OS. Tiny, cheap, easy set-up, low-power and storing spares cheap too. What more could you ask for a tiny server?

RPi + microSD + 2x CruzerFit USB flash drives + case + PS is around 75-80,- total.

Reason why I dislike idea of using old power hungry PC's, it's wasting energy a lot. We should all remember that it's not just power our system consumes and how much more cooling is needed locally (see PUE). Because each watt wasted accumulates and power plants and energy grid capacity need not just to match but to exceed the need even the peak times and that will force expanding these services. That is expensive, very expensive indeed.

Many do not realize that, but it's unfortunate fact and will bite our collective arse in future unless we get better at moderating our power consumption.

Thus using any old computing device which isn't power efficient and is powered extended periods (like servers need to be) should not be used any more.

Using that kind of device for something for short periods is OK, but do not any more build servers powered 24/7 of old inefficient PC's, please.

Thus if need is more than that home email service on RPi or some small low power PC (Soekris, PC Engines, ...). It would be worth would a hosted virtual server somewhere or co-located server suit the need. If not then before setting up some old PC for email server it's worth remembering that server hardware, performance and energy efficiency have all improved significantly over the past 5 years. And disk quite cheap these days. I wouldn't fall back to that old desktop PC unless budget would be almost zero and no other options would be possible. (And in that case I would seriously consider if my time is worth being involved at all...)

65535 • April 3, 2015 6:33 PM

@ lynx

That is interesting.

I am at a customer’s site. I cannot use Lynx at this time. Is there a way to view what you have in Firefox? Say inspect element or view page source code?

I cannot open any Gmail that is not https. I used inspect element in a picture and it looks much longer than your example.

But, I get the idea behind the recoding of the link to make it unique and traceable. Is the link reformatting done with a browser GUID or UUID? Or, based upon some algorithm linked to browser GUID/UUID?

lynx • April 7, 2015 2:44 AM

@65535

(1) I cannot reproduce that gmail "feature" in firefox. Even emptying the noscript whitelist.

Is there another Lynx user that can reproduce this Gmail "feature" ?

(2) When posting here (on https://www.schneier.com/blog/) the https response is always a few seconds late. There is no such delay when browsing that site, even when previewing a draft of a post. This delay gives the TLA a link between my IP and my posts here. Do all posters here have such a delay when they post here?

lynx • April 7, 2015 2:45 AM

That delay was 12 seconds for previous post, before receiving "HTTP/1.1 200 OK".

Nick P • April 7, 2015 5:16 AM

@ lynx

Their MITM attack system is designed to respond faster than the web site itself. I tried SSL on this site in two different browsers, Firefox and Chrome. They both did the handshake in a fraction of a second. My phone browser usually takes about a second. A 12 second delay is probably from connecting using unoptimized, obsolete technology.

Nick P • April 7, 2015 5:21 AM

@ lynx

I decided it might be more scientific if I actually downloaded and tried Lynx to see what happens. It loads Schneier.com in about half a second on my machine, too. Old technology still keeping up. Your problem might be anything from your machine to networking system to router to ISP. I've seen each cause delays in web browsing. Much troubleshooting ahead I'm afraid.

lynx • April 8, 2015 3:24 AM

@Nick P: "I actually downloaded and tried Lynx to see what happens."

Did you try to *post* a comment here with lynx ?

@Nick P: "It loads Schneier.com in about half a second on my machine, too."

Same for me. I have the same responsiveness on google.com for example, and am used to click fast. From time to time, I even tilt their bot detector, although I am not a bot. The message I get is neither http://blog.jayare.eu/googles-answer-to-automated-requests-and-queries.html nor http://forums.mozillazine.org/viewtopic.php?f=38&p=6064695 but I'll post it here next time I encounter it.

(Did you try to log in a gmail account with lynx, to see if links in your mail are also bundled by google ?)

Nick P • April 8, 2015 5:26 AM

@ lynx

I'm posting this message from Lynx. Interesting how you get to see the world. I like the other way it looks better. Let's see how well this goes.

Nick P • April 8, 2015 5:32 AM

@ lynx

Ok, that submit took about 22 seconds. I'd have predicted that if I knew you were talking about submits rather than page loads. The submit feature on this blog can take a significant amount of time. Then, the comment might take a few minutes to appear. I've always attributed that to the server or app being slow. It's always taken a bit of time. It especially did after they modified the site.

So, that's all I think it is. Given what the site uses, I doubt that NSA (or any passive eavesdropper) would have to MITM everyone's SSL. Bruce's site is high priority enough that they've already hacked it to get the private key. Then, they just use their automated, passive system to collect and decrypt the messages. Certain names, IP's, or keywords get a person additional scrutiny. To the users, there's no difference in performance. You really have to be on their shitlist before you notice the difference. And it's not the speed of the browser you notice. ;)

Nick P • April 8, 2015 5:39 AM

Last post on the subject. The above post took just over 10 seconds. That's twice as fast. Indicates I was in a cache of some sorts that accelerated it. Definitely the server.

You should assume your web activities are intercepted anyway, though. You never know what's in the middle or on the other end. Just put a minimum of sensitive things on the web. If it's sensitive and must go online, use excellent security measures on your machine along with software such as GPG or Truecrypt to send the data.

BoppingAround • April 8, 2015 10:56 AM

Nick P,
There is a joke regarding government surveillance of comms. It says that should you land yourself on some government's shit-list, you won't experience performance and quality drawbacks. Quite the opposite, your internet connection and/or phone line quality will be as good as they have never been.

name.withheld.for.obvious.reasons • April 8, 2015 1:06 PM

@ Nick P

"Bruce's site is high priority enough that they've already hacked it to get the private key. Then, they just use their automated, passive system to collect and decrypt the messages. Certain names, IP's, or keywords get a person additional scrutiny. To the users, there's no difference in performance. You really have to be on their shitlist before you notice the difference. And it's not the speed of the browser you notice."

So how long have YOU been on the fecal list(s)?

There are probably a dozen or so contributors that are at risk of a higher level scrutiny. Thus far I'd guess that even though the outspoken here are targeted but their activities are considered benign. Keyboard commandos do not represent a great threat to NS unless they go rogue.

Strange how a mathematician, either theoretical or applied, can be deemed a NS risk. In summary--it just doesn't add up...

name.withheld.for.obvious.reasons • April 8, 2015 1:17 PM

@ Nick P

"I'm posting this message from Lynx. Interesting how you get to see the world. I like the other way it looks better. Let's see how well this goes."

Try this for a "safe" and "educational" browsing experience...

lynx -source https://www.schneier.com | xxd | more

or

w3m -dump_both https://www.schneier.com | xxd | more

By the way, xxd is synonymous with hexdump or od -cx

Nick P • April 8, 2015 4:10 PM

@ name.withheld

re browser

Haha. Basically, a much harder to read version of the view page source command I use in Firefox.

re The List

"Strange how a mathematician, either theoretical or applied, can be deemed a NS risk. In summary--it just doesn't add up..."

Crypto and advanced technologies can be considered munitions. They also slow law enforcement and intelligence agencies down in theory. So, it's aiding the enemy or obstruction. Probably how their mindset would look at it. That so many laws stretch their mindset toward reality makes the situation worse.

"So how long have YOU been on the fecal list(s)?"

A passive one for 14 years. A more serious one for half that or less. Past that, I don't know and the above are semi-guessing. Known unknowns.

Nick P • April 8, 2015 4:14 PM

@ BoppingAround

That's funny. If they modified it, that would be more likely to be true. Their real technique is the best: change nothing. There will always be *some* effect. Additionally, the Internet companies being cheap asses and increasing volume of traffic make its quality nondeterministic. This means they just have to keep the latency down to make the change very stealthy. The Snowden leaks indicate they went with this obvious choice.

name.withheld.for.obvious.reasons • April 8, 2015 8:09 PM

@ Nick P

"Crypto and advanced technologies can be considered munitions. They also slow law enforcement and intelligence agencies down in theory."

This form of reasoning (not yours, but the common assumption) could lead one to believe that potatoes are potential weapons of mass destruction. I better go to the kitchen and hide my carrots (Shhh...I'm hunting wabbits). My response to this can be no more informative than to suggest a new episode of Moose and Squirrel for the kiddies...

Hah--slowing down idiots is mostly the responsibility (effect) of the idiots themselves. One need not produce any inductive (the cognitive type) impedance, the mindset you mention is sufficient to produce biases and non-rational responses to any number of circumstances...the whole thing reminds me of the Maoist revolution/purges.

name.withheld.for.obvious.reasons • April 8, 2015 9:34 PM

@ Nick P

"Past that, I don't know and the above are semi-guessing. Known unknowns."

Reminds me when in 2003 I was telling everyone that Donald Rumsfeld is an idiot...my circle included the likes of Casper Weinberger...needless to say I took a lot of grief for my comments. Couldn't help it--the Pentagon is populated with nothing but "YES WO/MEN". Later, post 2008 (after the surge), I was vindicated and under a whispered conveyance received information that I was in the clear (off one list at least).

I find myself again ringing the alarm bells regarding what lies ahead--DoD is the de facto governance structure today in the United States. Just read all the Joint Publications out of DoD--their objectives and assertions are plain as day. When the U.S. executive, across agencies, claims superior egis to all else...we can assert that a representative democratic republic is sunk.

lynx • April 9, 2015 2:24 AM

Thank you Nick P for having tried Lynx.

@Nick P: "The submit feature on this blog can take a significant amount of time."

Why ? This is the only website I know which a response delayed of at least 10
seconds for each submit.

@Nick P: "Then, the comment might take a few minutes to appear."

My comment is usually already on the page loaded by Lynx by the submit button.

@Nick P: "Bruce's site is high priority enough that they've already hacked it to get the private key. Then,
they just use their automated, passive system to collect and decrypt the messages."

This is not enough to locate TOR users. The TLAs need this submit delay to locate them.

(I never used TOR, I respect all applicable laws, and I take measures against illegal activities only when they are not state-sponsored.)

Nick P • April 9, 2015 12:06 PM

@ name.withheld

Yeah, calling out the DOD leadership as idiots while trying to work and socialize with them can bring trouble. Truth be told, I'd have had plenty to say to Casper Weinberger (see Iran-Contra part) without Rumsfeld's involvement. One of those pals of H.W. and their schemes who also avoided jail time. And with statute of limitations plus a pardon!?

Stuff we're seeing now, the patterns, go that far back. Americans didn't act on them and now they're stronger than ever.

"When the U.S. executive, across agencies, claims superior egis to all else...we can assert that a representative democratic republic is sunk."

This has been known a long time. Whether micro-managed or a cartel of cartels, the elites have long ruled this country while wielding both financial system and military for their purposes. I've only vetted the biggest quotes but the Henry Kissinger one, collected at Bilderberg by a Swiss diplomat, is the one to focus on. It's identical to Hitler's Reichstag fire and feigned invasion technique that led to massive executive power in that country. The exact same pattern played out in this one by people strongly connected with same organizations and policy groups.

And it worked. It *always* worked. They're increasing the frequency of it to once every few years spread across different fake (or created) threats. Their power gains are also increasing at a faster rate. With media's participation, the big picture won't form and hit Americans' collective consciousness hard enough to cause an effect. They chase distractions put in front of them instead. The democracy experiment has utterly failed: resulting instead in a plutonomy protected by a police state with a P.R. team (mainstream media) marketing it as a republic committed to its people with some bureaucratic issues.

Sad but true.

Nick P • April 9, 2015 12:23 PM

@ lynx

"Why ? This is the only website I know which a response delayed of at least 10
seconds for each submit."

Not sure. I know it's a Perl application (slow) running on one or more servers that get plenty of traffic. The comments are passed through various spam filters. Then the whole page is updated. There's plenty of room for slowdowns in that vs the highly optimized (esp CDN-connected) websites you're used to. That the Moderator (and site) previously said comments may take several minutes to appear shows there's delays in the submission pipeline. I wouldn't worry about it given what you post is public.

"My comment is usually already on the page loaded by Lynx by the submit button."

Mine varies considerably. The one I submitted above took a few seconds. The others I submitted took almost half a minute. The network and server load are usually responsible for such variations in most web applications. It's why I'm not worried. That and I assume that NSA has compromised both my device and the site. Considering it public turns the unknowns into a known. Then, I just guess at the effects of the known and create countermeasures.

"This is not enough to locate TOR users. The TLAs need this submit delay to locate them."

Maybe, maybe not. If a mere delay is all it takes, then the FBI wasted a lot of effort going through the trouble to get malware on the machines to send I.P. addresses. Either they didn't think of delays as identifiers or they didn't work well enough on an Internet full of all kinds of delays. Matter of fact, Tor has delay schemes built into it that might further complicate it. Still a good idea worth research by those analyzing Tor security, though.

lynx • April 10, 2015 2:59 AM

@me: "My comment is usually already on the page loaded by Lynx by the
submit button."

@Nick P: "[for me this] varies considerably. The one I submitted above
took a few seconds. The others I submitted took almost half a minute."

I bet, this time, that it is *your* usual browser that is caching
content, creating a delay between your submit success and the update
of your display (for lynx, this delay is at most two seconds).

@Nick P: "I wouldn't worry about it given what you post is public."

Do you believe that some TLAs worry enough about this discussion site
to try http://cryptome.org/2012/07/gent-forum-spies.htm ? Then you
could worry about http://en.wikipedia.org/wiki/Stasi#Zersetzung and
could want to remain anonymous. Think, for example, to any Chinese
person wanting to contribute here ...

Did you notice that quote: "When you have the budget of the NSA and
you have the choice of A or B, you do both." (quote of Bruce Schneier,
according to the broadcast I viewed, and to Richard Robbins' tweet:
http://seen.co/event/personal-democracy-forum-2014-new-york-ny-2014-249/highlight/85887

Hence my two answers at the end of this post.

@Nick P: "If a mere delay is all it takes, then the FBI wasted a lot
of effort going through the trouble to get malware on the machines to
send I.P. addresses."

Third possibility: A mere delay is an interesting identifier, *and*
some TLAs got malware on the machines to send I.P. addresses.

@Nick P: "Given what the site uses, I doubt that NSA (or any passive
eavesdropper) would have to MITM everyone's SSL. Bruce's site is high
priority enough that they've already hacked it to get the private key."

Third possibility: the TLAs are MITMing everyone's SSL *and* got the
private key.

Nick P • April 10, 2015 8:45 AM

@ lynx

I repeat that you are putting entirely too much effort into determining if FBI is intercepting *public* content and ID'ing you as a reader of a mainstream, security blog. That you use Tor in the first place got you way more scrutiny. You're in NSA's collection system to some degree for sure.

Wael • April 11, 2015 3:00 AM

@Nick P,

"Mine varies considerably. The one I submitted above took a few seconds. The others I submitted took almost half a minute."

Doesn't that tell you something? The game is afoot! Think a cron job that periodically updates and filters things. I was able to predict it and post at exactly the right moment I wanted, which no one paid attention to ;) I am aware that the delay in the posting time doesn't affect the timestamp of the post, though.

Also, if you notice, the comment will post almost immediately on the thread, but will be delayed before it shows on the last 100 comments page.

Clive Robinson • April 11, 2015 3:51 AM

@ lynx, Nick P, Wael,

Another time difference to think about is that before a preview and a post.

Normally I see little or no time delay on preview whilst 10 or 20 seconds is not unusual for a post. Sometimes post times out sufficiently for the network to trigger a resend which causes me to get the error page. This normally, but not always, occurs when I'm on the move or the signal is weak and the phone cell hops. Other times the timeout is sufficient that I get an error message from the phone saying the site is unavailable or down.

Thus for me the timing oddities are normal, but do vary with load, for instance the recent "short story contest" made the site almost unusable.

Nick P • April 11, 2015 11:37 AM

@ Wael

"I was able to predict it and post at exactly the right moment I wanted, which no one paid attention to ;)"

You're about as psychic as I was when I predicted my IRC pals had a monitor and keyboard in front of them.

"Think a cron job that periodically updates and filters things."

Better than a con job that instantly updates and fails to filter things. Facebook's "privacy" options come to mind.

"Also, if you notice, the comment will post almost immediately on the thread, but will be delayed before it shows on the last 100 comments page."

Yes I did. Actually, I've noticed that the actual page sometimes does that. Further, if one is linking to a post, it's important to note that the link that appears in the bar after the submit isn't the link to the comment. It has a # in it with an id but is apparently a submission id. I caught this double-checking a link to a post I just wrote which took me to the page instead. Right-clicked the comment's link, once it eventually appeared, to see it was different and took me to the comment successfully.

Moral of the story: always wait for the comment to appear and get the link from it.

@ Clive Robinson

Preview vs Submit delay

Yeah, that's true. It either explicitly or incidentally enforces a good concept of forcing revision before submitting. I write my posts in a text editor with some revision before cut n pasting them into the comment box. The Preview still catches some times because it changes how I see them. Plus, my editor doesn't do spellcheck. There have been times when I just wanted to go ahead with a submit but run into the delay.

My tactic for that is to have a separate tab for each one I'm replying to. I usually have them open anyway to keep my reading organized. So, I write/revise in the text editor, drop the result into the comment box, hit submit, switch tabs to do other things, and close that tab later after I've seen the submit succeed. No mental delay: just an extra tab to check on later.

Wael • April 11, 2015 12:17 PM

@Nick P,

"You're about as psychic as I was when I predicted my IRC pals had a monitor and keyboard in front of them."

LMAO :)

Buck • April 11, 2015 9:47 PM

@Wael

"I was able to predict it and post at exactly the right moment I wanted, which no one paid attention to ;) I am aware that the delay in the posting time doesn't affect the timestamp of the post, though."
In my experience, you can't really tell about that time delay... It definitely depends if the timing is slower in either the upload or download phase of your transaction.
@Nick P
"You're about as psychic as I was when I predicted my IRC pals had a monitor and keyboard in front of them."
The big difference here is that @Wael was correct, while @Nick P forgot that one of his IRC pals was blind! B-)

Nick P • April 11, 2015 9:58 PM

@ Buck

I was about to counter that then I wondered... wait, do the computers the blind use come with a monitor by default or do they not use one at all?

Answer: "Damnit, man! I'm not a psychic!"

Wael • April 11, 2015 10:33 PM

@Buck, @Nick P,

I'm always right. Thought I was wrong once but... I was wrong :) @ Nick P also forgot that one of his pals was a quadriplegic with no keyboard ;)

"you can't really tell about that time delay"

I wasn't talking about delays related to server load and other traffic latencies. I was talking about the seemingly periodic task that's triggered every few minutes to run a script which moves comments from a thread to the 100 most recent posts.

Buck • April 11, 2015 10:48 PM

@Wael

Yes, how offensive of me to discount the keyboard-less... Of course, it's the 'seemingly' periodical (or scheduled) tasks that guide us so! ;-)

Wael • April 12, 2015 2:33 AM

@Buck,

I noticed you're having formatting issues with blockquotes. What do you think of this? The only three postings I found with a certain commonality...

One,
Two,
Three

Even the Mod, when he spoke to me... This advice will fix your formatting :)

Buck • April 12, 2015 6:46 PM

@Wael

"What do you think of this?"
Honestly, I think it's awesome! I love fun with numbers!! Did you know..?
1 + 1 + 1 = 3

As for the formatting issues... There was a brief moment in time (right after the latest site redesign) when the blockquote was treated as an inline element, and that made many of my prior comments awfully illegible. Since that style was changed, I frankly couldn't care less about a missing line feed post-quote! The carriage return is plenty obvious enough to separate the different thoughts - though I suppose it might get tricky with copypasta...

Google = Adverts & Tracking Of Everyone • April 18, 2015 10:18 AM

So it should not be forgotten why here and elsewhere we still have people promoting and defending Google products.

Here is one major reason:

Five Reasons Why Google+ Died
http://www.forbes.com/sites/stevedenning/2015/04/17/five-reasons-why-google-died/

In April 2011, Larry Page became CEO of Google and embraced Google+ with a passion. After watching Eric Schmidt run Google for a decade, Page in his first week as CEO sent a companywide memo tying 25% of every employee’s bonus to Google’s success in social. [...]
“Page wants employees to advocate Google’s social networking features to family and friends,” wrote ComputerWorld. “‘When we release products, try them and encourage your family and friends to do the same.’”

lynx • July 10, 2015 2:50 AM

@me "It is not just about the images, it is also the same for every link inside your mail. Gmail also replace every link by a redirect page hosted on their servers. This is how Google learns everything about your clicking on links included in *your* e-mail."

@65535: "This is more along the lines I was thinking about. But, we still don't know the exact mechanics behind it."

The redirects were reproduced by Lenny Zeltser from Internet Storm Center (https://isc.sans.edu/forums/diary/How+Malware+Campaigns+Employ+Google+Redirects+and+Analytics/19843). Basically, you need to activate the basic HTML mode.

@Buck: I bet that, without basic HTML mode, gmail has another way (JavaScript ?) to monitor your clicking on links included in your mail.
