Why is Dilbert spying
on me over at the Dilbert Web site (http://www.dilbert.com)? It
seems that every time I visit the Web site, my computer is reporting
back to a Web server at "host1.net". This is all very
strange.
Here is what I know about this monitoring system so far. Earlier
this week, I installed an add-on to Internet Explorer called the
Comet Cursor. The add-on comes from a company called Comet Systems
(http://www.cometsystems.com). The add-on, which is distributed
as an ActiveX control, changes the Windows cursor to interesting
pictures depending on what Web site I'm at. For example, at http://www.dilbert.com,
I get a head shot of Dilbert. Over at the Hitchcock site, the cursor
turns into a knife (Ha, ha). The folks at Comet System believe that
Web surfers are more likely to click on a banner ad if they see
a cute cursor instead of the boring old Windows arrow cursor.
However, the real interesting stuff is happening under the covers.
This add-on is quietly sending back to Comet Systems information
about what sites that I'm visiting that have the Comet Cursor enabled.
The clever programmers at Comet Systems are using an HTTP POST command
to send this information right through my firewall. For example,
here is what the POST command looks like from www.dilbert.com:
POST /bin/a/p_l_i2 HTTP/1.1
Content-type: application/x-comet-log
Comet-key: 2834ae3baba25bae2ab2b648492e221f
Comet-url: http://www.dilbert.com/
User-Agent: Comet Cursor
Host: host1.net
Content-Length: 325
@id_c,@id_client,@id_v,@id_cust,@u_page,@e_fl,@l_fl,@up_p,@up_v,
@id_entry,@u_cc
52364320,be34724ad-a283-11d3-a67f002078900337,"1,5,0,182",177,
http://www.dilbert.com/,0,1,0,"",-39609727243380943645173,
http://umweb1.unitedmedia.com/cometcursor/cursors/dilbert.cur|
http://umweb1.unitedmedia.com/cometcursor/cursors/dilberth.cur
I got this POST information by using a packet sniffer to observe
what data is being sent in and out of my computer. The POST happens
after the Dilbert home page is completely downloaded by Internet
Explorer.
You'll notice that the POST is going to host1.net, a Comet Systems
Web server. Information in the POST includes the URL for the Dilbert
Web site and my customer number at Comet Systems ("be34724ad-a283-11d3-a67f002078900337").
The customer number is a GUID generated by my computer and contains
the MAC address ("002078900337") from my Ethernet adapter.
Wow!
Some other Web sites that I found that are using the Comet Cursor
include:
AT&T -- http://www.worldnetnow.com/
Hitchcock -- http://www.hitchcock100.com/mainsite.html
Doonesbury -- http://www.doonesbury.com/ieindex.html
Garfield -- http://www.garfield.com/
The Garfield Web site is particularly interesting. It practically
forces people to install the Comet Cursor ActiveX control. Every
time you visit the site in Internet Explorer, it keeps asking you
if want the Comet Cursor add-on. It looks like the only way to get
it to stop asking is to give in and answer "Yes".
I was wondering if you could talk with someone at United Media,
the folks who run the Dilbert Web site, to see if they were aware
of how Comet Systems is monitoring the site? I'm also curious to
know what Comet is doing with all of the information that they are
gathering. I couldn't find any mention of this monitoring system
at their Web site. |
|
