Internet JUNKBUSTER Frequently Asked Questions

 What is the Internet Junkbuster and what does it do for me?

The Internet Junkbuster Proxy ^TM blocks requests for URLs (typically banner ads) that match its blockfile. It also deletes cookies and other unwanted identifying header information that is exchanged between web servers and browsers. These headers are not normally accessible to users (even though they may contain information that's important to your privacy), but with the Internet Junkbuster you can see almost anything you want and control everything you're likely to need. You decide what's junk. ^SM

 Is there a license fee / warranty / registration form / expiration?

No, none of these. It's completely free of charge. JUNKBUSTERS offers the software to everyone to copy, use, modify and distribute in perpetuity at no charge under the GNU General Public License.

It comes with no warranty of any kind.

You don't have to register. (There is no way to do so.) We are happy for you to use the software as anonymously as possible. (Your IP address will naturally be disclosed when you download it, so if you work for a web ad company you might want to use a service such as the Anonymizer when you get it. We never want to be given any information that you consider private or confidential.)

We are often asked why we give away a product that many would happily pay for. The answer is that we are determined to carry out our mission: to free the world from junk communications.

 Does it run on Windows? On a Mac? On the AOL browser?

For the latest information on availability, see the Distribution Information page. But you don't need to have it running on your computer if you get your ISP or Systems Administrator at work to run it.

 How can I get my ISP to run the Internet Junkbuster?

First check whether they already are. Most ISPs would announce this on their ``News'' page or their pages for new subscribers. If they state that they are considering whether to install it, allow them time to do it. If they say they will not provide it, you might want to consider switching to an ISP that does.

If they appear to be unaware of it, you might send them email including the follow URL, asking them to provide the Internet Junkbuster for their customers.
http://www.junkbusters.com/ht/en/ijbfaq.html#isps

 Who chooses the options that control what is blocked?

Whoever starts the Internet Junkbuster chooses the options and the blockfile. If your ISP runs it for you, they have to make these decision (though they may give you a choice of proxies, and a way to suggest new URLs to block). If you run it on your computer, You decide what's junk. ^SM

 How do I run the code on my computer?

If you are using UNIX ® you download it, compile it, start it running, and then configure your browser.

If you are using any other operating system you would need to port the code. You are welcome to do this, and if you would like us to consider publishing your ported version, please tell us.

 How can I tell which blockfile and options are being used?

Your ISP should have a page specifying the options they chose, but you can check by going to http://internet.junkbuster.com/cgi-bin/show-proxy-args or to any URL ending in show-proxy-args (even if it doesn't exist). It needn't exist because the Internet Junkbuster 1.4 intercepts the request, blocks it, and returns in its place information about itself. This is also useful for checking that your browser really is going through an Internet Junkbuster.

If you wish to check the header information your proxy is actually sending, a visit to http://internet.junkbuster.com/cgi-bin/show-http-headers will give you the more relevant ones first.

 My browser started giving me ``server not responding'' messages

Once your browser is told to use a proxy such as the Internet Junkbuster, it thinks of it as its server for everything, so this message means it can't talk to the proxy. The Internet Junkbuster may not be running, or you may have specified its proxy address incorrectly. Check that the details you entered are correct. If you have telnet you can try connecting to the appropriate port to see if the Internet Junkbuster is running. If your ISP is running the Internet Junkbuster, you may want to check with them. If you are running it yourself under UNIX ®, try looking at a ps ax to see if it is running. The port specified in its options should be the same one as your browser has configured.

 I've got this great idea for a new feature. Who do I tell?

We'd be very interested to hear it, but please bear a few things in mind.

• Please check this FAQ to see if we've already considered the idea, such as access controls, automatic detection of banners, and replacing ads with something else.
• Don't tell us anything you want to keep confidential or retain some right over.
• We currently have a long wish list of things that we may or may not do in the near future, including a version for your favorite computer and a plug-in version.
• If you don't want to wait you're welcome to improve on our code, publish your version on the Web, and tell us where to find it. Ports to platforms such as the Mac are most welcome.

 My question isn't listed here. Who do I ask for support?

The answer to detailed technical questions may be answered in manual page, or in the source code. Also double-check this page for an answer: using the ``find'' feature on your browser for likely keywords may help.

If your ISP is providing the Internet Junkbuster for you, and your question is about how to use it, check their web page before asking them.

Even though we don't offer the kind of support you might expect if you paid a lot of money for a software product, you can still ask us. But before you do, please consider whether you could ask someone closer to you. And please be patient if we're slow to reply: we never charge consumers for our services, so we have to subsidize consumers with revenue from companies, and our resources are limited. If your company might be interested in paying for a maintenance contract with phone and email support, please tell us.

 What is the proxy address of the Internet Junkbuster?

If your ISP or company is running the Internet Junkbuster for you, they will tell you the address to use. It will be the name of the computer it's running on (or possibly its numeric IP address), plus a port number. Port 8000 is the default, so assume this number if it is not unspecified. Sometimes a colon is used to glue them together, as in junkbuster.pro-privacy-isp.net:8000 but with most browsers you do not type the colon, you enter the address and port number separately.

If you are running the Internet Junkbuster on your computer, the machine will probably be localhost and the port will be 8000 unless you have told the Internet Junkbuster to run on a different port with the -h option.

 How do I tell the browser where to find the Internet Junkbuster?

All current browsers have a place where they are told which proxy to use. You enter the same information under two lines: one for HTTP, and one for the Secure Protocol if your browser supports SSL. If you find some information already entered for your proxy, see the next question. Here are the menus you go through to get to the one to configure your proxy.

• For Netscape 2.01, 2.02 and 3.0: Options; Network Preferences; Proxies; Manual Proxy Configuration View (enter details under HTTP and Security Proxy) OK; OK.
  With Netscape 2.0, follow with Options, Save Options.
• For Internet Explorer 3.0: View; Options; Connections; tick Connect through proxy server box; Settings; enter details into the HTTP Box, with port number in the second box; same with Secure; OK.
• For Internet Explorer 2.0: View; Options; Proxy; enter details; OK.
• On NT for MS-IE: Control Panel; Internet; Advanced; Proxy.
• For MS-IE 4.0: we're told it's the same as for 3.0. Please tell us if you see any differences.
• Netscape Communicator 4.0b2 does not use those settings under NT. It uses Program Files\Netscape\Users\...\prefs.js, a JavaScript file that specifies the user preferences. The format of the file uses carriage return (0x0D) as the line separator, so none of the common editors handle it well: it appears to be one very long line. We know no way to edit this file using NT, so we used another operating system (Linux) and a little tinkering to edit the file to add these five lines, and it worked fine.
     user_pref("network.proxy.type", 1);
     user_pref("network.proxy.http", "localhost");
     user_pref("network.proxy.http_port", 8000);
     user_pref("network.proxy.ssl", "localhost");
     user_pref("network.proxy.ssl_port", 8000);
  (We have received an unconfirmed report that this prerelease version may have a problem with proxies; if you encounter difficulties please try doing the same thing on 3.0 before concluding the problem is with the Internet Junkbuster.) If you have any suggestions relating to Communicator, please tell us.
• For NCSA Mosaic for Windows: Options, Preferences, Proxy; enter details under HTTP.
• For Lynx, Mosaic/X, Grail, and W3O Arena, you can specify the proxy via environment variables before starting the application. This will probably be done with something like either
     setenv http_proxy http://localhost:8000/
  or
     http_proxy=http://junkbuster.pro-privacy-isp.net:8000/ export http_proxy
  depending on your shell and where the Internet Junkbuster lives.

 What should I do if I find another proxy is already configured?

This is the case if you already find values set where you would enter the proxy details, or if anything is entered under Automatic Proxy Configuration (in the case of Netscape and MS-IE 3.0.) It's probably a firewall proxy between your company and the outside world, or a caching proxy if you're using an ISP.

What needs to be done in this case is to use the -f option to tell the Internet Junkbuster the address of the other proxy. Specify a different (unused) port number with the -h option, and configure your browser to use that port. If you haven't done this kind of thing before, it's probably best to consult your systems administrator or ISP about it; check their web page first.

 What if I want to stop using the Internet Junkbuster?

Just go through the same procedure you used to start your browser using the Internet Junkbuster, but remove the details you put in (or if there was something there before, restore it). You may need to use Save Options to make this change permanent.

 How do I install the code?

If you are running Redhat Linux you may prefer to use the rpm instead of the following procedure.

1. Download the tar file (~74k) and place it in a suitable directory.
2. Uncompress and extract the files from tar file.
   
      uncompress -c junkbuster.tar.Z | tar xf -

3. If you wish to be able to use regular expressions in patterns, edit the Makefile and make the change indicated.
4. If your operating system is from Sun or HP examine the Makefile and make any changes indicated inside. It's more work to include regular expressions in some cases.
5. Run
   
      make

6. You can choose whatever options you want from the manual, but a good place to start is a -d 1 option to show each URL as it is fetched. Run it asynchronously:
   
      junkbuster -d1 &

7. Configure your browser (described above).
8. Verify that the Internet Junkbuster is working (described above).
9. Decide on the options you really want, kill the process and start it again. The most popular option is -b to block ads. A sample blockfile is provided as an illustration, but it doesn't really stop ads. More comprehensive ones are available elsewhere. If you develop an interesting blocklist and publish it on the Web, you might want to include the word ``junkbuster'' in it and use the word ``blocklist'' in the file name given in the URL so that others can find it with the query given in the previous sentence.
10. You'll probably want to add an entry to /etc/rc.d/rc.local or equivalent to start it at boot time. (Any output you specify should be redirected to a file. And don't forget the & at the end to run it asynchronously or your system will seize up after the next reboot.)

 How do I get my Internet Junkbuster to talk to another proxy?

You may want to do this if you are using a caching proxy from your ISP or a firewall proxy between your company and the outside world. If you're running the Internet Junkbuster on your local computer, use the -f option to tell it where to find the next proxy, which might be something like -f cache.your-isp.net:8080 depending on your ISP. You tell your browser to use the Internet Junkbuster for HTTP and Security Proxies as before, but you probably want to keep the caching proxy for FTP and other protocols.

If your ISP is running the Internet Junkbuster for you, they have probably already decided whether to chain with a caching proxy. They may even give you a choice of options.

 How does the Internet Junkbuster work with SOCKS gateways?

Version 1.4 offers support for some gateways. The gateway protocol is specified on the command line with options such as -g socks4:yourgw.yourcompany.com:1080 (see the manual for details.) Note that the browser's proxy configuration must not specify a SOCKS host; it should specify the proxy as described above.

 Should we provide the Internet Junkbuster for our employees?

That depends. Try this quick three-point test.

1. Do you want to spend your communications budget on bandwidth that puts a lot of annoying distractions in your employees' faces while they're trying to do their jobs?
2. Do you want current and potential vendors to know quantitative details about the software and hardware platforms that you have?
3. Do you want your competitors to be able to track exactly which of your employees are checking out their web sites?

 I run an ISP. What issues should I consider before offering it?

Here's a checklist we've developed from working with a few ISPs. You may think of more, and we'd be interested if you're willing to share them with us.

1. If you get more than one request for the Internet Junkbuster you may want to tell your customers on your News page that you already know about it and are assessing it.
2. Try the software and verify that it performs satisfactorily.
3. Determine whether customers perceive the service as valuable (and therefore worth the time to set up).
4. Assess the level of security associated with the software. If access is to be restricted (to just dial-in ports, for example) how is this to be done?
5. Consider whether to expect any additional load on computing resources required, and any change in use of bandwidth due to the blocking of large GIFs.
6. Choose the options you wish to provide.
7. Decide whether you want to offer a choice of configurations, such as these three.
   
   1. Banners Blocked, (-b), Wafer with No-Cookie-Copyright notice (-w)
   2. Cookies not stopped (-c with just a / in the cookiefile), User Agent (-u) specified as Lynx
   3. Cookies from browser allowed through (-c) to permit registered services
   If you run a caching proxy, decide whether the Internet Junkbuster will chain with it by default, and whether to offer an alternate with no caching.
8. Decide on a naming scheme for your proxies. If you're running only one proxy on one machine, the simplest way is to just use port 8000 on your main machine, such as our-isp.net. But it would probably be safer to put an entry in your name server and call it something like junkbuster.our-isp.net. If running several proxies, you could either use different ports on the same machine, or if you have the opportunity to distribute the load over a few machines you could use different hostname aliases such as banner.junkbuster.our-isp.net, lynx.junkbuster.our-isp.net and oneway.junkbuster.our-isp.net (corresponding to the examples in the previous point).
9. Prepare a page explaining the Internet Junkbuster to your customers. Here's a real example. You are welcome to copy and modify material from JUNKBUSTERS according to the GPL. You might want to set up a process to check this page periodically and update it when it changes. (A few links can probably serve as well as lot of copying however.) A typical page would probably specify the following.
   
   • A brief explanation stating what the Internet Junkbuster does, with a link to this page.
   • The addresses of the proxy or proxies, with their port number(s).
   • The options used, and how to view the contents of the blockfile (which you can place on your web pages, preferably in a file called blocklist.html or blocklist.txt).
   • An indication of whether suggestions for the blocklist are considered, and if so, how to submit them: to a particular email address, via web-based form, etc.
   • Instructions on how to configure a browser. You may want to include details for only the two major browsers and leave the others to a link.
   • Procedures on how to report problems, give feedback etc.
10. Invite a small number of technologically sophisticated customers to beta-test the service.
11. Announce general availability on your ``News'' page. Tell us if you would like to be included on a list of ISPs offering the Internet Junkbuster.

 What's a Proxy Server Server and how can I make money as one?

Other organizations with web presence and some bandwidth to spare can set up as Proxy Server Servers (PS²s). The idea here is to allow users to choose their proxy configuration, and provide it to them on a semi-permanent basis. Users would fill in a form specifying what options they want in their proxy, possibly even at a very high level, such as ``no ads'' or ``no nudity.'' This information is sent to a CGI script that configures a proxy, starts it running, and returns its address and port number (possibly along with configuration instructions for the browser that the user specified.)

Users could be charged a subscription fee, or the service could be thrown in free in the hope of improving customer retention for some existing business (which is what ISPs are doing). It might be possible to make money by inserting new ads in the holes left where others were blocked, but the original owners might object. PS²s could differentiate themselves by providing frequently updated and comprehensive blocking of ads, or of offensive material based on their own grading system. Some content providers might do it for the chance to be the only company that the consumer permits to set cookies. (Identification could even be done via cookies, but this might not be popular with the kind of user who wants a proxy.) PS²s might sell specific or aggregate information about their users' browsing habits, so the agreement with users on whether they are permitted to do this would be important to both sides.

If your organization establishes a Proxy Server Service you would like publicized, please notify us.

 If I see an ad I wish I hadn't, how do I stop it?

If your ISP is running the Internet Junkbuster, they should have a policy on whether they accept suggestions from their customers on what to block. Consult their web page.

If you are running the Internet Junkbuster yourself, you have complete control over what gets through. Just add a pattern to cover the offending URL to your blockfile. Version 1.3 and later automatically rereads the blockfile when it changes, but if you're running an earlier version you'll need to kill it and restart the junkbuster. If you don't know the process number to give to kill, try this: ps ax | grep junkbuster

To choose a pattern you'll first need to find the URL of the ad you want cover.

Some people use the -d 1 option to display each URL in a window as the request is sent to the server. It's then usually an easy task to pick the offending URL from the list of recent candidates.

Alternatively, you can use View Document Info (or View Document Source if your browser doesn't have that). The Info feature has the advantage of showing you the full URL including the host name, which may not be specified in the source: there you might see something like SRC="/ads/click_here_or_die.gif" indicating only the path. (The host name is assumed to be the same as the one the page came from.)

But ads often come from a different site, in which case you might see something like SRC="grabem.n.trackem.com/Ad/Infinitum/SpaceID=1666" or longer. If the company looks like a pure ad warehouse (as in the last case), you may want to place just its domain name in the blockfile, which blocks all URLs from that site.

If the ad comes from a server that you really want some content from, you can include enough of the path to avoid zapping stuff you might want. In the first example above, /ads/ would seem to be enough. If you don't include the domain name, the pattern applies to all sites, so you don't want such patterns to be too general: for example /ad would block /admin/salaries/ on your company's internal site.

To speed the blocking of images, some UNIX ® users create a shell script called Image: containing a line such as echo $1 | sed s/http:..// >> $HOME/lib/blockfile that adds its argument to the user's blockfile. Once an offending image has been be found using View Document Info it's easy to cut-and-paste the line (or part of it) into a shell window. The same script can be linked to a file called Frame: to dealing with framed documents, and junkbuster: to accept the output of the -d option.

When compiled using the default options, the Internet Junkbuster uses only very simple (and fast) matching methods. The pattern /banners will not stop /images/banners/huge.gif getting through: you would have to include the pattern /images/banners or something that matches in full from the left. To allow you to get what you want here, Version 1.1 and later gives you the option at compile time to include POSIX regular expressions, so you can use /*.*/banners to block and any URL containing /banners (even in the middle of the path). Regular expressions give you many more features than this, but if you're not already familiar with them you probably won't need to know anything beyond the /*.*/ idiom. If you do, a man grep is probably a good starting point).

Don't forget the / (slash) at the beginning of the path. If you leave it out the line will be interpreted as a domain name, so ad would block all sites from Andorra (since .ad is the two-letter country code for that principality).

For a detailed technical description of how pattern matching is done, see the manual.

 How come this ad is still getting through anyway?

If the ad had been displayed before you included its URL in the blockfile, it will probably be held in cache for some time, so it will be displayed without the need for any request to the server. Using the -d 1 option to show each URL as it is fetched is a good way to see exactly what is happening.

If new items seem to be getting through, check that you are really running the proxy with the right blockfile in the options. Check the blockfile for exceptions.

Some sites may have different ways of inserting ads, such as via Java. If you have ideas on how to block new kinds of junk not currently covered, please tell us.

 How do I stop it blocking a URL that I actually want?

You can change the patterns so they don't cover it, or use a simple feature in Version 1.1 and later: a line beginning with a ~ character means that a URL blocked by previous patterns that matches the rest of the line is let through. For example, the pattern /ad would block /addasite.html but not if followed by ~/addasite in the blockfile. Or suppose you want to see everything that comes from a site you like, even if it looks like an ad: simply put ~aSiteYouLike.com at the end of the blockfile. (Order is important, because the last matching line wins.)

 Can I block sites I don't want my children to see?

Yes, but you have to list them in the blockfile, and there are an awful lot of sites that parents may consider unsuitable. Several parental organizations already maintain ``black lists,'' and some may supply them in a suitable format for the Internet Junkbuster, possibly posting them to Usenet.

Children who are technically sophisticated enough to use the browsers' proxy configuration options could of course bypass any proxy.

Many filtering products actually scan for keywords in the text of pages they retrieve before presenting it, but the Internet Junkbuster does not do this. Building a perfectly reliable system is hard, because it's very difficult to state in advance exactly what is obscene or unsuitable.

 Why not replace blocked banners with something else?

Making any change to a document could risk claims of copyright infringement. We think that merely failing to allow an included graphic to be accessed would probably not be considered an infringement: after all this is what happens when a browser is configured not to automatically load images. However, we are not lawyers, so anyone in doubt should take appropriate advice.

In a context where the copyright issue is resolved satisfactorily, a proxy could simply return a status 301 or 302 and specify a replacement URL in a Location and/or URI header.

 Why not block banners based on the dimensions of the image?

Many users have pointed out that most banner ads come in standard sizes, so why not block all GIFs of those sizes? Well, this would require getting the object in order to examine its dimensions before deciding whether to display it, which we don't like to do. A less immediate approach would be to write software that scans the browser's cache of objects periodically, adding offensive URLs to the blockfile automatically so they will never be fetched again. Technology might advance to the point where this could be done based on the content of the images, not just their size. If anyone implements this we would be interested to hear about it.

 What about non-graphic advertising within the pages I want?

The Internet Junkbuster deliberately does not provide a way of automatically editing the contents of a page, to remove textual advertising or to repair the holes left by blocked banners. Other packages such as WebFilter do.

 Does it block ads on the new broadcasting ``push'' systems?

We don't know, because none of us has any of these gadgets yet. If you find you can to use the proxy with them, or have any other advice about it, please tell us.

 Might some cookies still get through? How can I stop them?

Yes, you should expect the occasional cookie to make it through to your browser. We know of at least two ways this can happen; please tell us if you find any others. One way is in secure documents, which are explained below.

Cookies can also be set and read in JavaScript. To see if this is happening in a document, view its source, look in the head for a section tagged script language="JavaScript". If it contains a reference to document.cookie, the page can manipulate your cookie file without sending any cookie headers. The Internet Junkbuster does not tamper with this code. Fortunately this method is rarely used at the moment.

To prevent cookies breaking through, always keep cookie alerts turned on in your browser. Making the files hard to write may also help.

 Exactly how do cookies get created and stored anyway?

When a web site's server sends you a page it also sends certain ``header information'' which your browser records but does not display. One of these is a Set-Cookie header, which specifies the cookie information that the server wants your browser to record. Similarly, when your browser requests a page it also sends headers, specifying information such as the graphics formats it understands. If a cookie has previously been set by a site that matches the URL it is about to request, your browser adds a Cookie header quoting the previous information.

For more background information on how cookies can damage your privacy, see our page on cookies. For highly detailed technical information see the RFC. The Internet Junkbuster will show you all headers you use the -d 8 option.

 If cookies can't get through, will some things stop working for me?

Possibly. Some personalized services including certain chat rooms require cookies. Newspapers that require registration or subscription will not automatically recognize you if you don't send them the cookie they assigned you. And there are a very small number of sites that do strange things with cookies; they don't work for anyone that blocks cookies by any means.

If you want such sites to be given your cookies, you can use the -c option provided you are running Version 1.2 or later yourself. Simply include the domain name of those sites in the cookiefile specified by this option.

It's possible to let cookies out but not in, which is enough to keep some sites happy, but not all of them: one newspaper site seems to go into a endless frenzy if deprived of fresh cookies. A cookiefile containing a single line consisting of the two characters >* (greater-than and star) permits server-bound cookies only. The * is a wildcard that matches all domains.

If someone else is running the Internet Junkbuster for you and has a version that passes server-bound cookies through, you can try editing your browser's cookie file to contain just the ones you want, and restart your browser. To subscribe to a new service like this after you have started using the Internet Junkbuster, you can try the following: tell your browser to stop using the Internet Junkbuster, fill out and submit your subscription details (allowing that web site to set a cookie), then reconfigure your browser to use the Internet Junkbuster again (and stop more cookies being sent). This also requires the -c option, and its success depends on the Web site not wanting to change your cookies at every session. For this reason it does not work at some major newspaper sites, for example. But you may prefer to look at whether other sites provide the same or better services without demanding the opportunity to track your behavior. The web is a buyer's market where most prices are zero: very few people pay for content with money, so why should you pay with your privacy?

 Can I control cookies on a per-site basis?

Yes, since version 1.2 the Internet Junkbuster has included advanced cookie management facilities. Unless you specify otherwise, cookies are discarded (``crumbled'') by the Internet Junkbuster whether they came from the server or the browser. In Version 1.2 and later you can use the -c option followed by a cookiefile to specify when cookies are to be passed through intact. It uses the same syntax and matching algorithm as the blockfile.

If the URL matches a pattern in the cookiefile then cookies are let through in both the browser's request for the URL and in the server's response. One-way permissions can be specified by starting the line with the > or < character. For example, a cookiefile consisting of the four lines
   org
   >send-user-cookies.org
   <accept-server-cookies.org
   ~block-all-cookies.org
allows cookies to and from .org domains only, with the following exceptions:

1. Cookies sent from servers in the domain send-user-cookies.org are blocked on their way to the client, but cookies sent by the browser to that domain are still be fed to them.
2. The cookies of accept-server-cookies.org check in to the proxy and are passed through to the browser, but when they come back to the proxy they never check out.
3. All cookies to and from block-all-cookies.org are blocked.

If the junkbuster was compiled with the regular expressions option they may be used in paths. Any logging to a ``cookie jar'' is separate and not affected.

It's important to give hosts you want to be able to set cookies sufficient breadth. For example, instead of www.wsj.com use wsj.com because the company uses many different hosts ending in that domain.

 Can I make up my own fake cookies (wafers) to feed to servers?

Yes, using the -w option. We coined the term wafer to describe cookies chosen by a user, not the Web server. Servers may not find wafers as tasty as the cookies they make themselves. But users may enjoy controlling servers' diets for various reasons, such as the following.

• Users who consider cookies to be an unwelcome intrusion and a waste of their disk space can respond in kind. By writing ``signature wafers'' they can express their feelings about cookies, in a place that the people in charge of them are most likely to notice.
• Sites running a proxy that logs cookies to a file (such as the Internet Junkbuster does with the -j option on) may want to notify servers that their cookies are being intercepted, deleted or copied. One possible reason for doing this is the uncertain copyright status of cookie strings. Nothing here should be taken as legal advice: we are simply raising a question for any interested parties to consider, and make no representation that such measures are necessary or sufficient. Concerned proxy sites might decide to send a wafer (named ``NOTICE'' for example) containing text along the lines of the following.

  TO WHOM IT MAY CONCERN
  
  Do not send me any copyrighted information other than the document that I am requesting or any of its necessary components.
  
  In particular do not send me any cookies that are subject to a claim of copyright by anybody. Take notice that I refuse to be bound by any license condition (copyright or otherwise) applying to any cookie.

  Any company that tries to argue in court that the proxy site was breaching their copyright in the cookies would be met with the defense that the proxy site gave that company the opportunity to protect its copyright by simply not sending cookies after receiving the notice.

  Cookies can be as long as four thousand characters, so there's plenty of space for lawyerly verbosity, but white space, commas, and semi-colons are prohibited. Spaces can be turned into underscores. Alternatively, a URL could be sent as the cookie value, pointing to a document containing a notice, perhaps with a suggestive value such as
  http://www.junkbusters.com/ht/en/ijbfaq.html#licenses_on_cookies_refused
  But including the notice directly would probably be preferable because the addressee does not have to look it up.

  The Internet Junkbuster 1.4 currently sends a full notice as a ``vanilla wafer'' if cookies are being logged to a cookie jar. This can be suppressed with the -v option, which might be used in situations where there is an established understanding between the proxy and all who serve it.

Junkbusters provides a CGI script that lets you see your wafers as they appear to servers.

It's conceivable that certain wafers might cause fragile servers to malfunction, though we have not seen this happen. If this possibility troubles you, don't use this option.

Any wafers specified are sent to all sites regardless of the cookiefile. They are appended after genuine cookies, to maintain compliance with RFC 2109 in the event that a path was specified for a cookie. The RFC's provisions regarding the $ character (such as the Version attribute) are transparent to the proxy; it simply quotes what was recited by the browser.

 Why would anyone want to save their cookies in a ``cookie jar?''

We provided this capability just in case anyone wants it. There are a few possible reasons.

• It's conceivable that marketing companies might one day buy history files and cookie jars from consumers in the same way that they currently pay them to fill out survey forms. With this information they could gather psychographic information, see which competitors' sites the consumer has visited, and discover what advertising is being targeted at them.
• Some consumers might employ semi-automated means of sorting through their cookie jars, selecting which ones to place in their cookies file for use by their browsers. Their decisions could be based on payments offered, privacy rating systems such as e-TRUST proposes, or their own opinion of the company. It could be done manually or with software.
• Users may even start ``sharing'' cookies among themselves, sending back cookies that servers generated for other visitors. Servers that aren't expecting this possibility will be misled about their visitors' identities. Cookies could be shared among users on a single machine, or across continents via FTP and anonymous remailers. Privacy activists may promote cookie disinformation campaigns as a way to defend the public against abuse. If a significant percentage of people send disinformative cookies, user tracking via cookies may become less reliable and less used.

 If I use the Internet Junkbuster, will my anonymity be guaranteed?

No. Your chances of remaining anonymous are improved, but unless you are an expert on Internet security it would be safest to assume that everything you do on the Web can be attributed to you personally.

The Internet Junkbuster removes various information about you, but it's still possible that web sites can find out who you are. Here's one way this can happen.

A few browsers disclose the user's email address in certain situations, such as when transferring a file by FTP. The Internet Junkbuster 1.4 does not filter the FTP stream. If you need this feature, or are concerned about the mail handler of your browser disclosing your email address, you might consider the products of Kevin McAleavey.

Browsers downloaded as binaries could use non-standard headers to give out any information they can have access to: see the manufacturer's license agreement. It's impossible to anticipate and prevent every breach of privacy that might occur. The professionally paranoid prefer browsers available as source code, because anticipating their behavior is easier.

 What private information from server-bound headers is removed?

The Internet Junkbuster pounces on the following HTTP headers in requests to servers, unless instructed otherwise in the options.

• The FROM header, which a few browsers use to tell your email address to servers, is dropped unless the -t option is set.
• The USER_AGENT header is changed to indicate that the browser is Mozilla (Netscape) 3.0 with an unremarkable Macintosh configuration. (Different versions of the Internet Junkbuster indicated other configurations; our intent is to hinder anyone trying to infer whether our proxy is present.) If you don't like the idea of incorrectly identifying your computer as a Mac, set it accordingly.
• The REFERER header (which indicates where the URL currently being requested was found) is dropped. A single static referer to replace all real referers may be specified using the -r option. Where no referer is provided by the browser, none is added; the -x option with arguments such as -x 'Referer: http://me.me.me' can be used to send a bogus referer with every request.

Some browsers send Referer and User-Agent information under different non-standard headers. The Internet Junkbuster 1.4 stops UA headers, but others may get through. Some search engines encode the query you typed in the URL that goes to advertisers to target a banner ad at you, so you will need to block the ad as well as the referer header, unless you want them (and anyone they might buy data from) to know everything you ever search for.

 Might some things break because header information is changed?

Possibly. If used with a browser less advanced than Netscape 3.0 or IE-3, indicating an advanced browser may encourage pages containing extensions that confuse your browser. If this becomes a problem upgrade your browser or use the -u option to indicate an older browser. In Version 1.4 and later you can selectively reveal your real browser to only those sites you nominate.

Some sites depend on getting a referer header. Wired News relies on referer to decide whether to add a navigation column to the page, so blocking referer causes extraneous columns. In Version 1.4 and later you can use the -r @ option and place a line like >wired.com/news/ in your cookiefile.

The weather maps of Intellicast have been blocked by their server when no referer or cookie is provided. You can use the same countermeasure with the line >208.194.150.32 (or simply get your content elsewhere.)

 Does the Internet Junkbuster conceal my IP address?

Yes, assuming the proxy is running on a machine with a different IP address. Unless the -y option is used, the remote server gets only the IP address of the proxy, not its client. If this address is too close for comfort you can set up a chain of proxies. This makes browsing slower of course.

 Does the Internet Junkbuster thwart identification by identd?

We think so, provided you are not the user running the junkbuster. If your computer (or your ISP's) is running the identd demon, servers can ask it for the identity of the user making the request at time you request a page from them. But if you're going through a proxy, they will identify the user name associated with the proxy, not you. A visit to http://ident.junkbusters.com lets you see what's happening. This test is (quite rightly) blocked by many firewalls; just interrupt the transfer if you get an abnormal wait after clicking. Running other applications may also expose you via identd; the proxy of course doesn't help then.

 Can web sites tell that I'm using the Internet Junkbuster?

With the default options the proxy doesn't announce itself. Obvious indications such as Keep-Alive headers are deleted, but sites might notice that you can cancel cookies faster than any human could possibly click on a mouse. (If you want to provide a plausible explanation for this, change the User Agent header to a cookie-free or cookie-crunching browser).

But when certain options are used they could figure out something's going on, even if they're not pushing cookies. If you use blocking they can tell from their logs that the graphics in their pages are not being requested selectively. The -y option explicitly announces to the server that a proxy is present, and sending them wafers is of course a dead giveaway.

 What happens with Secure Documents (SSL, shttp:)?

If you enter a ``Secure Document Area,'' cookies and other header information such as User Agent and Referer are sent encrypted, so they cannot be filtered. We recommend getting your browser to alert you when this happens. (On Netscape: Options; Security; General; Show an alert before entering a secure document space.)

It may be possible to filter encrypted cookies by combining the blocking proxy with a cryptographic proxy along the lines of SafePassage, but we have not tried this.

 Will using this as my Security Proxy compromise security?

We're not security experts, but we don't think so. The whole point of SSL is that the contents of messages are encrypted by the time they leave the browser and the server. Eavesdroppers (including proxies) can see where your messages are going whether you are running a proxy or not, but they only get to see them encrypted.

 Can I restrict use of the proxy to a set of nominated IP addresses?

We don't provide a way of doing this. It would be easy to add, but before you do please consider why you want to do it. If the reason is security, it probably means you need a firewall.

The -h option provides a way of binding the proxy to a single IP address/port. This can be used in some network configurations to give some selectivity on who can access your Internet Junkbuster, but it doesn't provide a general mechanism. The Internet Junkbuster is not a firewall proxy; it should not be expected to solve security problems.

For background information on firewalls, see an FAQ or these well-known books: Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin or Building Internet Firewalls by D. Brent Chapman Elizabeth D. Zwicky. There's free Linux software available, and a large number of commercial products and services. For an excellent security overview, primer, and compendium reference, see Practical Unix and Internet Security by Simson Garfinkel and Gene Spafford.

 Are there any security risks for ISPs or others who offer the proxy?

Yes. As with any service offered over the Internet, hackers can try to misuse it. A well-run ISP will have professionals who are experienced at assessing and containing these risks.

It's possible to set up your machine so that other people can have access to your proxy, but if you lack expertise in computer security you probably shouldn't have your computer configured to offer this or any other service to the outside world.

Hackers can attempt to gain access to the machine by various attacks, which we have tried to guard against but don't guarantee to thwart. They can also use the ``anonymizing'' quality of proxies to try to cover their tracks while hacking other computers. For this reason we recommend preventing it being used as an anonymous telnet, by including the pattern :23 in the blockfile. If you wish to block all ports except the default HTTP port 80, you can put the lines
   :
   ~:80
at the beginning of the blockfile, but be aware that some servers run on non-default ports (e.g. 8080). You might also want to add the line ~:433 to allow SSL.

If you find any security holes in the code please tell us, along with any suggestions you may have for fixing it. However, we do not claim that we will be able to do so.

We distribute this code in the hope that people will find it useful, but we provide no warranty for it, and we are not responsible for anyone's use or misuse of it.

You may also want to check back periodically for updated versions of the code. We do not maintain a mailing list. To get quick updates, bookmark our Distribution Information page.