
UCSD Researchers Uncover "History Sniffing"

Dozens of websites have been secretly harvesting lists of places that their users previously visited online, everything from news articles to bank sites to pornography. A team of UCSD computer scientists -- a graduate student and 3 professors -- found that the practice of "history sniffing" is possible because of a weakness in web browsers which allows websites to do this.

The amount of information we make available about ourselves on the internet is already pretty amazing. But, apparently ad agencies and computer code writers are always looking for more. Recently, an information collecting code has been identified on some of the most popular sites on the Web. It engages in a practice that's been dubbed "history sniffing."

Guests: UCSD Professors of Computer Science and Engineering

Hovav Schacham

Ranjit Jhala

Sorin Lerner

This is a rush transcript created by a contractor for KPBS to improve accessibility for the deaf and hard-of-hearing. Please refer to the media file as the formal record of this interview. Opinions expressed by guests during interviews reflect the guest’s individual views and do not necessarily represent those of KPBS staff, members or its sponsors.

I'm Maureen Cavanaugh, you're listening to These Days on KPBS. The amount of information we make available about ourselves on the Internet is already pretty amazing, but apparently ad agencies and computer code writers are always looking for more. Recently an information collecting code has been identified on some of the most popular sites on the web. It engages in a practice that's been dubbed history sniffing. Here to tell us about it are researchers at UC San Diego who tracked the program and wrote a paper about the practice. I'd like to welcome my guests, professor Hovav Schocham.

SCHOCHAM: Morning.

MAUREEN CAVANAUGH: You know, you're also professors so can I call you by your first names? Would that be all right?

SCHOCHAM: Of course.

MAUREEN CAVANAUGH: Professor Sorin Lerner, good morning.

LERNER: Good morning.

MAUREEN CAVANAUGH: And professor Ranjit Jhala, good morning.

JHALA: Good morning.

MAUREEN CAVANAUGH: They're all with UCSD's computer science and engineering department. And we would like to invite our listeners to join the conversation. Do you take steps to prevent websites from tracking you or do you think people are too concerned about privacy on the web? Give us a call with your questions and your comments, our number here is 1-888-895-5727. That's 1-888-895-KPBS. So Hovav, tell us, start us out by giving us an idea of what is this thing called history sniffing.

SCHOCHAM: So browsers decorate links as you browse around the web differently depending on whether you visited the target of that link or not. [CHECK].

MAUREEN CAVANAUGH: That's when you go back to Google and you see that it's changed colors because you've clicked on it.

SCHOCHAM: Exactly. And that's really very useful for browsing, because it [CHECK] now it turns out that a combination of browser features means that any site that you visit on the Internet can run JavaScript code on your computer that will determine what the color of a link is, and because links are colored differently, depending on whether you visited them, that means that those sites can determine whether you visited wherever it is that that link would take you if you clicked it.

MAUREEN CAVANAUGH: Right. Okay. All right. So I think I'm getting the basics here. But that differentiating this from the example that I gave about going to your Google page and seeing which sites you've clicked on, this one, you would have no way of knowing; is that right?

SCHOCHAM:

LERNER: Yeah, so you would not know that this would be going on. You're just seeing this particular link being in a different color, but the fact that this information could be taken by someone else, you would not know about it.

MAUREEN CAVANAUGH: How do websites, Hovav, how do they get this code on them? You know, so that people -- so that they're sending this information back to whoever is putting the code into the website?

SCHOCHAM: We think of web pages as being essentially static. But really they're quite rich, sophisticated applications that the browser that we use is running on our behalf. And the code for applications, the things that make them do the behaviors that we would like Gmail to have or Amazon to have when we visit them, is a language called JavaScript. And any website you visit can download and run JavaScript code essentially on its behalf. And again that's used to provide us services that we really like, but it can also have negative implications if those sites are acting maliciously.

MAUREEN CAVANAUGH: Okay. So is -- would you consider this, history sniffing, a malicious action?

SCHOCHAM: History sniffing is unusual in that it allows any site that I visit to learn whether I have used any URL, any other site. Even if those two sites have no business relation between them. So whether I've used some particular bank or whether I have shopped for particular books on my favorite online bookstore is not something that I would like everybody on the Internet or anybody on the Internet to be able to learn.

MAUREEN CAVANAUGH: About you.

SCHOCHAM: That's right.

MAUREEN CAVANAUGH: Yeah. I see. Ranjit, give me an example if you could, a practical example of what we're saying. So if I go to a website that has this code on it, collect this history sniffing code, what actually do they find out about me?

LERNER: So the way this works is that when you go to one of these websites, it will render [CHECK] [CHECK].

JHALA: Thousands of invisible links on your page that you can't see. And then based on the color of the -- that these links get rendered, again, the color that the browser renders them, not the color that you see, because they're invisible to you, it can tell what banks you've been using, what kinds of cars you've been shopping for, what kinds of medicines you buy, and so on and so forth, just based on which of these thousands of websites you've been to. And so one of the examples we saw was that there was an ad company, an ad placement company that was trying to conduct some sort of market survey for what kinds -- for whether clients were interested in buying a certain kind of car or not, and the way they were doing this is they were placing these invisible links for several websites that pointed at car companies just to see which car companies were being visited by users.

MAUREEN CAVANAUGH: So Sorin, in theory, let's try to break this down. If I go, let's say I click on the Huffington Post. And I just want to read about the political headlines. If there is a history sniffing code on that website and an ad agency is getting information about me of all the other websites or many other websites that I have visited, what good does that do them? How do the two of them link up?

LERNER: So the ad company would get information about what things you visited, and what that would help them is it would help them identify kind of a profile for you. So for example what kind of, you know, radio station you listen to may actually affect what kind of car you'd be interested in, or what kind of car you're interested in may affect what kind of radio station you're listening to. And so what these ad companies can do with this information is they can actually build a profile for you and then provide you with better ads, with ads that are more targeted towards what you're really interested in.

MAUREEN CAVANAUGH: I see. Okay, aren't they doing that already though?

LERNER: They're doing that to some extent. We don't actually know what they use this information for. We actually just saw that they got the information. Our study didn't cover what they did with the information. Now, these certainly -- these ad companies certainly do some amount of this already. But what's different here is that basically a particular ad company can figure out information about what other sites you visited without having any kind of -- they can find out any website you visited without having any prior agreement with them whatsoever. So they can just pick any website, for example, the Huffington Post can look at, for example, request bank or any radio station or any car site that you visited without having any kind of agreement. And that's different from the other kinds of tracking that other companies do.

MAUREEN CAVANAUGH: On Facebook or other sites like that.

LERNER: Exactly, exactly.

MAUREEN CAVANAUGH: I see. I'm speaking with professor Sorin Lerner, professor [CHECK] and they are all with UCSD's science and engineering department, and they wrote a paper about the practice that we're talking about called history sniffing. And we are -- if you'd like to join the conversation, we're taking your calls at 1-888-895-5727. That's 1-888-895-KPBS. So Hovav, how did this come to your attention as a researcher in the computer department at UCSD?

SCHOCHAM: So the practice of history sniffing, the possibility of it and the implications if websites were to engage in it has been something that's been known for almost a decade now. There have been academic papers written about it, there are demonstration sites that request you go to, like whattheinternetknowsaboutyou.com, appropriately entitled, that will run history sniffing on your browser and tell you what it is that it's found. But the thing that we noticed in reading these papers is that no one ever could tell whether any site on the Internet actually performed history sniffing behind your back as opposed to as a demonstration. As something that they would overtly tell you about. And it turned out from talking to don [CHECK] that their student Don had put together a tool that would allow a browser to be instrumented so that if it visited a site that was performing history sniffing, we would be able to tell.

MAUREEN CAVANAUGH: I see. And what did you tell from that browser, Ranjit? What did you tell from that information? How many sites are running history sniffing programs?

JHALA: So what we did is -- our student, Don, who really did all the work in this study, to be quite honest, he's phenomenal. He set up an experiment where he was able to point his modified web browser to the top 50000 websites on the Internet. So he just sort of systematically cranked through the top 50000 websites and what he found is that about four hundred or 500 of them indulge in this particular practice. And that they were -- and in fact there's a bit of a -- there's almost an industry behind that companies provide specifically crafted code that will do history sniffing and they sell this code to other ad providers and so on and so forth. I think Hovav might have the exact figure, he's looking at the paper. About 400 websites that were doing this. And some of them were extremely popular websites.

CAVANAUGH: And some of them were?

SCHOCHAM: We found 485 sites that were looking at the color of links and out of those we were able to determine that 46 out of the top [CHECK] learning about whether you'd visited particular URLs and sending that information back over the site.

MAUREEN CAVANAUGH: Can you give us maybe a little taste of who those websites were?

SCHOCHAM: I think the particular standouts were a site in the top 100 of the Alexa survey, which is a survey of the most popular sites on the net. This is a site that gives a substantial amount of traffic, and it was looking at whether you had visited some of its competitors recently, and an advertising network that was serving ads on many of the popular sites on the Internet that Ranjit talked about earlier.

MAUREEN CAVANAUGH: Now, Sorin, my understanding of this is that the site itself doesn't even have -- can't be completely oblivious to the idea that this code is actually on its website; is that right?

LERNER: Yes, that's exactly right. So there are two kinds of things that we found, one is where the site itself is actually providing the code that does this, but that was actually the minority. The more common case was that the site would include an ad from some ad agency or some ad company, and that ad company would then actually insert this history sniffing code. So the original website may not even be aware at all of what's going on, they're just kind of including an ad, and then the ad itself is doing this information gathering.

MAUREEN CAVANAUGH: And to be clear, the ad itself, you don't have to click on the ad or anything, it's just the ad being there.

LERNER: You don't have to click at all on the ad, these web pages are very sophisticated. What you see as just an ad without even touching it, in fact is actually complex, because they have to decide a lot of times what ad to serve you. So the ad gets inserted on the web page in a very complicated way. At the end of the day, it looks very simple, but the actual code that places the ad can actually do the history sniffing, without the original website knowing about it.

MAUREEN CAVANAUGH: Now, are there some browsers that are more susceptible to this code, or maybe the other way around. Are there some browsers that won't allow this code to be -- affect a person's web browsing?

SCHOCHAM: So the good news is that now almost a decade since this attack was initially identified, browsers are starting to fix things. The Chrome and Safari browsers, if you're using the latest version already incorporate fixes that make the traditional kind of history sniffing impossible. The next version of Firefox, Firefox 4 which is not quite out yet, will as well. So as soon as users update to those versions of their browsers, they're automatically protected.

MAUREEN CAVANAUGH: And there are some websites that were oblivious to this fact that this was going on, have taken steps to get it off their websites, haven't they, Ranjit?

JHALA: Yes, what Sorin pointed out is that what typically happens is some of these websites, one of the examples we found called Morningstar, which is a rating agency, they have ads on their web page, but they don't serve up the ads. They hire some company who then hires somebody else, and several layers down, there's the actual person who provides the ads. So it's one of these, it's like the princess and the pea, there's someone very far down this delegation chain that then sends the code that does the history sniffing. And so Morningstar found that, you know, one of the peas far down the chain was serving up the history sniffing code. And this was brought to their attention by clients of Morningstar, and they were quite surprised by the whole thing, and so it's -- I guess it's a business process from then on, they have to talk to the people they were talking to, who then talked to their -- the outsourced company and so on. And then they stopped it. [CHECK] peas [CHECK].

MAUREEN CAVANAUGH: We're taking your calls at 1-888-895-5727. And on the line, Emily is calling from Carlsbad, good morning, Emily, and welcome to these.

NEW SPEAKER: Good morning. I have two questions, first one is if the code that can get history information from computer, can they also get your password information? The second one is how can I stop it if I remove or delete all the history information in the cache, does it stop it from sniffing my history?

MAUREEN CAVANAUGH: Great question, thank you Emily. Hovav, all right, if you personally remove your history cache from your computer, can this code actually track it down anyway.

SCHOCHAM: So if your browser doesn't have access to any history information, then it can't decorate links differently, and therefore can't expose any information because it doesn't have it. So one partial solution would be to delete history or to use the browser's private browsing mode to effectively browse without history.

MAUREEN CAVANAUGH: Private browsing mode.

SCHOCHAM: This is a mode that many of the top browsers now incorporate that effectively is incognito. It does not keep history information, does not keep cache information. The idea behind this is you could use a shared computer to shop for a Christmas gift for your wife without her later finding out based on your browsing that you were looking at something in particular.

MAUREEN CAVANAUGH: Right. And how about that question about passwords? Can it intercept any of your passwords.

SCHOCHAM: I should say that the down side to private browsing is you lose the advantage of getting links decorated differently.

MAUREEN CAVANAUGH: Yes, okay, yes.

SCHOCHAM: [CHECK] does not to the best of our knowledge expose password. So you should be careful on the web, but this is not a way for sites to steal your passwords.

MAUREEN CAVANAUGH: And Sorin, another question came up with someone who couldn't stay on the line. To have to be [CHECK].

LERNER: So no, you don't -- I mean, none of that has to be enabled. The one thing that usually and typically needs to be enabled for this to work is something called JavaScript. And Hovav mentioned that, that's the typical ways that these things are collected. So if you disable JavaScript, that may actually prevent some of this from happening. Unfortunately, JavaScript is actually at the core of many, many web applications for example, things like Gmail and Google memberships issue a lot of those just use JavaScript. So it turns out that if you turn it off, you'll actually have a very poor web experience. The other thing to keep in mind is even if you disable JavaScript so our tool doesn't find all the possible ways that you could actually do history sniffing. We were just interested in finding some of the cases. But in fact, there are even ways of doing it without JavaScript. So even if you turn that off, you're not entirely safe.

MAUREEN CAVANAUGH: We have to take a short break, but when we return, we'll continue our discussion about history sniffing and other privacy threats on the Internet. And we'll continue to take your calls at 1-888-895-5727. We're most interested in hearing how you are keeping your information private on the web. Do you have anything you want to share with us about that? 1-888-895-5727.

Welcome back, I'm Maureen Cavanaugh, you're listening to These Days on KPBS. I'm speaking with professors Hovav Schocham, Sorin Lerner, and Ranjit Jhala, they're all with UCSD's computer science and engineering department, and all have taken part in writing a paper about a practice on the Internet called history sniffing, it's another way that ad agencies and others who want to do that can track your -- where you go on the web. And we are taking your calls at 1-888-895-5727. That's 1-888-895-KPBS. And Sorin, you have gotten a lot of media attention for this particular paper. Tell us a little bit about that.

LERNER: Yeah, so there's been several media outlets that were interested in this story. It started, if I remember correctly, around December. The paper came out, I think in November, and then in December, the media outlets started being interested in it. And so there was -- you know, once it got covered by one news outlet, it kind of took off, really, there was the Wall Street Journal, and the New York Times, and the Associated Press. There was a lot of media attention around this. And UCSD also had a press release on it as well.

MAUREEN CAVANAUGH: And Ranjit, what do you think that is?

JHALA: If I recall exactly what happened there was a journalist at Forbes who wrote a very, very nice blog post about it. She summarized the contents of this paper in a way that, quite frankly, I was very impressed by. It was much better than the paper itself, if I may say so.

MAUREEN CAVANAUGH: Accessible, in its accessibility.

JHALA: It was very, very accessible, and it was quite technical, but it was very well done. But anyway, when she did this, I guess a lot of people picked it up right after that, sort of from the BBC, but they also linked to this website. So it was quite interesting for me to see how one's research might be spread into somewhat -- through this means that was unfamiliar to us at least before.

MAUREEN CAVANAUGH: And Hovav, your research has also been referenced by the Federal Trade Commission; is that right?

SCHOCHAM: That's right. So in a speech in early December, David Vladeck, who is the [CHECK] mentioned history sniffing as one particular practice that the bureau is concerned about and said that they are -- because of our research, and because of other research that others have done, pressuring browser vendors to fix their browser. I should say also that the Forbes journalist is Kashmir Hill.

MAUREEN CAVANAUGH: Yes, yes.

SCHOCHAM: And her blog is specifically focused on online privacy, it's called The Not-So Private Parts, and it's really fantastic, not just this post, but absolutely everything that she does.

MAUREEN CAVANAUGH: You're absolutely right. I read a couple of her blogs and they were right. I think that the essence of this is exactly as you point out, and that is the idea of Internet privacy, and how concerned people are with it. But one of the things I can't seem to figure out is, what do people actually do with the information that they can get from this code, and even from the another -- the other kinds of histories that they can follow on Google or Facebook? You know, where they have the permission to do that, to gather some information about you. What do they do with this information, Ranjit?

JHALA: So, first of all, I should preface everything I say about we're speculating here, because our study does not actually track what happened with the information after it went out. That being said, there's actually quite a large industry called -- somewhat euphemistically, maybe, behavioral analytics, which is devoted to, essentially, figuring out how rich a profile can you build about individual users from whatever information you can glean about them. You know? So for example, on Facebook, you might see who their friends are and what kinds of shops they buy things on, and so on and so forth. And in the end, what is being done right now is to build more precise profiles so that we can give you -- so that the company can give you ads that you are very likely to click on. So they just want to serve you ads that you are very likely to click on, and the better the profile they can have for you, the better the ads can be.

MAUREEN CAVANAUGH: I'm wondering, Sorin, what -- is there a clear less than between this and so called malicious activity?

LERNER: Well, so, actually there are uses of this kind of information also for things that are actually quite malicious. For example, there's this thing called phishing attacks, where what happens is you get an e-mail that tells you that, you know, there's an upgrade to your account, or bank account or something like that, and they give you a link, and you click on a link, and that brings you to a web page that looks like your bank, very similar to your bank, but it's not, and you type in all your password, and this malicious website now has your password information for your real bank account.

MAUREEN CAVANAUGH: Right.

LERNER: So the problem is, they don't know what bank you use. So if they're gonna send a blanket e-mail to everybody, let's say Bank of America, right, a link to a false Bank of America site will be, like, well, obviously this is not for me, obviously this is malicious or something bad's going on. So if they know what website you have been looking at, and if they know in particular what bank website you've been looking at, then they can actually customize this attack page so it basically provides you with a false banking page that looks exactly like your banking page. And that way they can actually be more successful in getting people to type in their user name and password into these false pages. And this is an example where this kind of information is used in a clearly malicious way.

MAUREEN CAVANAUGH: And there is no -- it's only the way the information is used that becomes malicious or not. The actual program itself, the code itself that can get your information about where you've gone on the web and what you like, it's sort of neutral, isn't it? Hovav?

SCHOCHAM: It works the same, certainly.

CAVANAUGH: Yes.

SCHOCHAM: Whether the site you visit is using history sniffing to mount a better targeted phishing attack or to learn something about you to build a better behavioral profile. I think the clearer distinction is between history sniffing and other kinds of tracking contents on the web, like cookies, or Flash cookies, [CHECK] the difference is really that with history sniffing any site that I visit can learn something about other sites even without a relationship between the first and the second site, the site I visit, and the site that's being examined.

MAUREEN CAVANAUGH: Be it's all subterranean,s why.

SCHOCHAM: Whereas with cookies, the ad network might be able to track me between the first page that I go to, and the other news site and maybe the entertainment site and the blog, but that's because they have ads on each page that are displayed to me, and by the fact of presenting ads on these pages, they are paying for the page and therefore paying for the content that I'm getting maybe for free.

MAUREEN CAVANAUGH: And their goal is therefore rather explicit, where the other can be used for a number of very nefarious applications, in fact we have a caller on the line who wants to question us about one. Greg is calling from Oceanside. Good morning, Greg, welcome to These Days.

NEW SPEAKER: Good morning. I missed the first part of the show so I'm not sure that this has been brought up, but to me, the 8000-pound gorilla in the corner is the government, and we don't even know how many different agencies are all monitoring what we do, where we go, every mouse click. And I'm also curious if the bookmarks that I have on my computer can be analyzed by any of these programs.

MAUREEN CAVANAUGH: Okay, thank you for the call, Greg. Who wants to take that? Hovav.

SCHOCHAM: I'd be happy to. In our survey of the Alexa top 50000 sites, I'm not sure how many of those sites were actually government sites but certainly none of the sites we found performing history sniffing had any relation that we're aware of to government. So we can't say [CHECK] on the bookmarks question, again as far as we know, none of these history sniffing techniques allows the bookmarks file to be exposed or its contents.

MAUREEN CAVANAUGH: Now, you told -- Ranjit, you told us that the browsers themselves can stop this from happening; is that right? I mean the browsers can reconform themselves in one way or another so that this -- they don't allow this code to follow you?

JHALA: Yeah, so what the browsers can do is to, you know, I mean, one can think of this as a bit of a loophole where you allow this random piece of code that's come off the Internet to look at the color of a particular link, which is itself generated by whether or not you've been to the link before, and so on and so forth. And then leak this information out. What the browsers can do is to prevent the code from actually looking from introspecting on the color of these links, and as Hovav pointed out earlier, the latest versions of Firefox and Chrome and Safari already do this, they've sort of -- they've done away with the loophole that allows third party code to do this, so if you upgrade to the newest versions of these browsers, you would be quite safe.

MAUREEN CAVANAUGH: You're not at threat from this particular --

JHALA: From this particular kind of attack, that's right.

MAUREEN CAVANAUGH: Is there any -- yeah, sorry, go ahead.

LERNER: One of the things that's important there, this is really one of the key things to get out of this, is that you really want to make sure you update your browser and make sure you get the most up-to-date version, because at some time right now, the newest version you download for some browsers will have this fix. But there's always gonna be various kinds of things that come up, so you want to make sure you keep your browser up-to-date so you have the fixes for the problems that people know about.

MAUREEN CAVANAUGH: Now, I want to take another call, but the person at the FTC was referencing your paper for a specific purpose, and that was they're proposing a do not track tool. Tell us a little bit about that, if you would.

SCHOCHAM: I think history sniffing was brought up in his speech as a side note to the do not track discussion.

MAUREEN CAVANAUGH: Uh-huh.

SCHOCHAM: Do not track centers around cookies and other forms of tracking by ad networks between multiple sites, the idea being if a particular ad network serves ads on my favorite news sites and my favorite gaming blog, then my visits to those sites can be linked together, and a particular profile can be built for me. I think the FTC commissioner, I'm sorry, the FTC director, when he brought up history sniffing was saying that this is another technology that online advertisers can use, and one that's potentially more worrisome or at least subject to other forms of regulation and control because it can be done without these links between the sites that I visit, without these ads being present on each of them.

MAUREEN CAVANAUGH: I wonder, as, you know, people who study the Internet and computers, I wonder if sometimes having legislation proposed in Washington doesn't make you a little nervous because of the level of competence that some of our elected officials show when it comes to understanding the Internet. Didn't someone recently refer to the Internet as a series of tubes in I don't years? [CHECK] in Washington?

SCHOCHAM: So it's always difficult to keep up with something that changes as fast as the Internet, and I think that's true for people in government, and it's certainly true for me. I don't know that I'm always on top of things. From talking to folks at the FTC, they are very smart. And they certainly have access to quite a bit of information. And they seem to be very interested in doing an excellent job. This was actually about that series of tubes comment, that became an Internet people and very popular. Ed Felten who was a professor at Princeton wrote on his blog, Freedom to Tinker, a more positive reading of this speech. In which he said well, the terminology is off, but the points here are not completely wrong.

MAUREEN CAVANAUGH: Great.

SCHOCHAM: Ed Felten, by the way, now is the chief technologist for the FTC.

MAUREEN CAVANAUGH: Okay. So then we can all be relieved then. Ray is calling from San Diego. Good morning, Ray, welcome to These Days.

NEW SPEAKER: Yes, good morning. I hope all are doing well. Quick question, if you block third party cookies, will that help as well? I understand the new browsers also help. But I'm not quite sure how. But I usually block third party cookies. And it sounds like is JavaScript able to still run against your own page as you visit these sites? It seems a little confusing.

MAUREEN CAVANAUGH: Who would like to take that? Sorin.

LERNER: Yeah, so third party -- I mean, even if you disable third party cookies, these JavaScript codes can still get all the information from you. The key reason why this is happening is because websites are actually very sophisticated, when you go to a website, it looks pretty static, but there's actually a lot of machinery going underneath. You get a glimpse of it when you run Gmail or Maps, all these applications are all actually running in your browser, very sophisticated with lots and lots of code running underneath. And so unless you disable that entirely, you're really gonna be vulnerable to this kind of attack. And the third party cookies, that's not gonna help you at all in this kind of case.

MAUREEN CAVANAUGH: We only have about a minute left, and I know, Sorin, that you gave some really good general advice about keeping everything updated, your security systems, your browser applications, all of that, any other good general security advice that you would like to give to people listening?

LERNER: So the other thing that you would want to keep up-to-date is your plug-ins, so the browsers themselves, you want to keep them updated, but there's also plug-ins, for example things like Flash, the Adobe Reader, various kinds of plug-ins, you might have Microsoft plug-ins that have ActiveX components or various things like that, for viewing videos, you want to keep all of those up-to-date.

MAUREEN CAVANAUGH: Because they're written to override certain viruses and threats; is that right?

LERNER: Well, because they can have the same kinds of security vulnerabilities and you want to basically have the latest versions so they're not gonna be vulnerable to these things.

MAUREEN CAVANAUGH: I understand. Well, we are out of time. But I want to thank you all so much, professors Hovav Schocham, professor Sorin Lerner, and professor Ranjit Jhala, thank you. And welcome to the media.

JHALA: Thank you.

MAUREEN CAVANAUGH: And if you have any questions or comments please go on-line, KPBS.org/These Days. Stay with us for hour two, it's coming up in just a few minutes here on KPBS.