Back to main EE page

How the Scare-Tactic Application Works

It's a simple application, actually. It took me one hour to write a bogus "investigation" similar to Robin Hood Software's, though it would have taken another hour to make it as pretty.

From: Eric Lee Green 
Organization: The Vast NWO/UN/Vatican/Amish Anti-EE Conspiracy
To: "Funk" 
Subject: Re: hey!
Date: Thu, 21 Mar 2002 08:19:37 -0500
X-Eric-Conspiracy: There Is No Conspiracy

On Wednesday 20 March 2002 10:55 pm, you wrote:
> I get this messaging poping up while using evidence eliminator that I need
> to update, and it's like this error it says! And then it brings me to this
> page where it shows me all this info that they claim to have recorded. But
> what is weird is that I checked the IP and it said the ISP was correct. So
> I'd just like to know if it really is recorded or not! Cause it really
> looks like it's the real thing! So do you think it's just javascript with
> html that just checks your ISP and shows it?

As explained at

when your web browser contacts a site to get a page, the site requires the 
following information in order to reply:

Your IP address
Your browser identification.
(Sometimes) the referring URL. 

The IP address is obvious. The site has to send data back, and it needs to 
know where to send it to!

Your browser identification string might read something like:

Mozilla 4.0 (Compatible; Internet Explorer 5.5; Windows 98; US English)

This tells the site that it's okay to send you Windows-specific web pages 
(that include JavaScript or ActiveX components that only work on Internet 
Explorer), and that you want them in English. 

The referring URL (the URL you were viewing that sent you to their site) is 
generally just logged. I'm sure that the RHS people use it in their scare 
applet too. 

Every web site logs data for a certain time. This is logged on the site side 
in a log file (here is a sample log file line): - - [17/Mar/2002:00:44:06 -0700] "GET /eesucks/ 
HTTP/1.0" 200 5610 "" "Mozilla/4.78 [en] (X11; 
U; Linux 2.4.17-5mdk i686)"

That's a Slashdotter clicking through from my link on Slashdot to get to the site. Note that I don't know WHICH slashdotter, 
just that he's running Mandrake Linux and Netscape 4.78, and speaks English. 
In other words, there's no way for me to identify who this guy is, just 
enough information for me to customize my web site a little for him (e.g., 
I'll send him stuff that I know won't crash Linux Netscape, a notoriously 
lousy browser... and if I were running a commercial site, I might put up ads 
aimed at the slashdot young hi-tech crowd, as vs. if he clicked through from 
AOL, where I might put up ads aimed at middle-aged housewives). 

Now, what Robin Hood Software has is a little site-side script that strips 
that information out of the web request, and builds a scare page with it. 
Note that Evidence Eliminator won't stop you from sending this data. The IP 
address *HAS* to be sent, and the user agent info is needed by many sites so 
they can make your page look right. One of the programs I'm employed to work 
on is a large web application that controls a NAS device, and part of the 
code looks at that browser identification string, and breaks it into its 
components like what Robin Hood Software does, though I'm using it to 
customize the locale (language) so I send back data in German or English or 
etc. depending upon what their local language is, and whether I ship back 
Netscape or IE JavaScript and other commands (the page looks  really ugly if 
I get that wrong). This is normal web programming stuff, in other words, used 
by web guys to send the correct stuff for your browser. The EE guys are using 
it as a scare tactic.

What pisses me off is that the EE guys imply that their bloated piece of 
spamware will "solve" this. No, the only thing that will "solve" this is an 
anonymous proxy service such as The Anonymizer ( ) 
or Freedom WebSecure( ). Something coming through one 
of those services looks like: - - [17/Mar/2002:00:44:06 -0700] "GET /eesucks/ 
HTTP/1.0" 200 5610 - "Mozilla/4.0 [en] (X11; U; IBM 360/CMS)"

(the above is a simulation, for some reason people never seem to feel the 
need to view my web site anonymously, I get maybe 2 hits via the anonymizer 
per week and didn't happen to have a log handy with one of those hits). 

Go to the A4U free anonymizer service at and put the 
following into the box:

Robin Hood Software's scare applet tells me this:

Your IP is under investigation: (this isn't my IP!)

They know you are using: 
Microsoft Internet Explorer v5.x (I wouldn't have this on my computer!)

Your computer is: 
Windows 2000 (I'm running Mandrake Linux!)

You are trying to hide:
The Web-page you were just watching (They don't know!)

Your risk status for further investigation:
VERY HIGH RISK (This is a typical Robin Hood Software lie!)
In other words, using an "anonymizer" type service will hide where you're 
browsing from. Evidence Elimininator will *NOT*, even though their scare ads 
imply they will. They're trying to trick you into buying their software, and, 
alas, some people are easy to trick. 

Let's face it, Evidence Eliminator was a perfectly good little $39.95 file 
wiping program, but that's it. Bloating up the program and selling it for 
$150 via scare ads that imply it'll do all sorts of things it will NOT do is 
a rip-off.

Eric Lee Green             mailto:[email protected]
A Member of the Vast NWO/UN/Vatican/Amish Anti-EE Conspiracy since 1893

There you have it, folks: The REAL scoop on how these scumbags try to trick you into buying their bloated spam-ware.

Eric Lee Green
Last modified: Thu Mar 21 14:56:23 EST 2002