Gnomercy
08-29-2002, 01:22 AM
From another email list I subscribe to.
Frequent writer R. Dan Park encountered a new variant of a classic
security scam. It was in the form of a popup ad that--- while remaining
factual enough to be legal--- was still completely misleading. Dan's BS
detectors went off loud and clear, and he forwarded the scam message to
me.
The scam popup ad says:
Your computer is currently broadcasting the following Internet
Address: [your IP address is shown here]. Every time you
connect to the Internet, send email or submit a private
information to a web site, you are broadcasting this unique
address. With this address, someone can immediately begin
attacking your computer. Download Internet Alert to protect
yourself now!...
The scam is based on three statements. The first--- that your computer
is "broadcasting" your IP address--- sounds scary, but it shouldn't
alarm you at all. Here's why:
When you click on any link, the server you're contacting has to be able
to respond to *your specific PC* out of all the millions of PCs online
so it can send you--- and just you--- the web page, the graphic, the
download, (or whatever) that you clicked to see. So, any HTML
"transaction"-- a click on a link, for example--- MUST of necessity tell
the server your return address, so it can send you the
page/file/image/etc. you asked for. It's not a breach of privacy; it's
how the web works.
In other words, if you didn't send your IP along with your clicks, your
clicks would go out, but nothing would ever come back because there'd be
no "return address" for the server to respond to. For you, the web would
stop dead!
"Anonymizer" sites can mask your true IP address by acting as a relay
station: You connect to the anonymizer site, which in turn contacts
whatever site you're actually trying to reach, using the anonymizer's
own IP as the return address. The second site sends the requested
page/graphic/file/etc. back to the anonymizer, which then sends it to
you. This prevents the second site from knowing your IP address, but the
first site--- the anonymizer site--- *must* know it. So even here,
you're not truly anonymous: You can't be. If you want to do anything
online, someone, somewhere, is going to have your true IP address.
There's no way around it. (The folks behind the scam know this, of
course, but they want to make it sound scary, to frighten people into
making a purchase.)
The scam's second statement--- "once anyone has your IP address, they
can immediately begin attacking your computer"--- is true. It does
happen; there are bad people out there who will hack into systems for
fun or profit. That's why we discuss firewalls and other security
measures so often here: There *are* real threats online, and you do need
protection. But this product? Let's see:
The third statement tries to make the sale: It's clearly intended to
make you infer that their product will prevent the "problem" of the
broadcast IP addresses; and will protect you from hackers. It can't do
the former (if it truly prevented your IP address from going out, you'd
never be able to connect to anything online, ever again), and frankly I
don't care if it can do the latter: If the product were truly good, they
wouldn't have to use scare tactics to try to trick gullible users into
making a purchase.
A rule of thumb I use: The more any offer relies on generalized fear to
make a sale, the more suspicious of the offer you should be.
More info:
http://www.informationweek.com/843/langa.htm
http://www.langa.com/newsletters/2001/2001-07-02.htm#1
http://www.informationweek.com/840/langa.htm
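
The return-address and relay behaviour described in the quoted newsletter, as an added example that is not part of the original post or newsletter: a loopback-only sketch in which the function names (`origin`, `relay`, `fetch`) and the `b"page"` reply are made up for illustration. Everything runs on 127.0.0.1, so the (ip, port) pair stands in for what would be different IP addresses on the real Internet.

```python
import socket
import threading

def serve_once(handler):
    """Accept one loopback connection in a background thread and hand it to handler."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    addr = srv.getsockname()
    def run():
        conn, peer = srv.accept()       # peer = the return address the server replies to
        with conn:
            handler(conn, peer)
        srv.close()
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return addr, thread

def origin(seen):  # destination site: records the return address it sees, then answers it
    def handler(conn, peer):
        seen["origin_saw"] = peer
        conn.recv(1024)
        conn.sendall(b"page")
    return serve_once(handler)

def relay(target, seen):  # anonymizer-style relay: sees the real client, fetches on its behalf
    def handler(conn, peer):
        seen["relay_saw"] = peer
        with socket.create_connection(target) as out:
            seen["relay_outbound"] = out.getsockname()   # the address the origin will see
            out.sendall(conn.recv(1024))
            conn.sendall(out.recv(1024))
    return serve_once(handler)

def fetch(addr):  # client: returns its own (ip, port) and the reply it received
    with socket.create_connection(addr) as c:
        me = c.getsockname()
        c.sendall(b"GET /")
        return me, c.recv(1024)

def demo():
    direct, relayed = {}, {}
    site, t = origin(direct)                        # case 1: client talks to the site directly
    direct["client"], direct["reply"] = fetch(site)
    t.join()
    site, t1 = origin(relayed)                      # case 2: client goes through the relay
    hop, t2 = relay(site, relayed)
    relayed["client"], relayed["reply"] = fetch(hop)
    t1.join(); t2.join()
    return direct, relayed
```

In the direct case the site's recorded peer is the client's own address; in the relayed case the site records the relay's outbound socket, while the relay itself still records the client's address.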