More Cookie Investigations
FancyKetchup writes "This time, C|Net is caught up in cookie paranoia with their 'special investigation' into use of cookies on the Senate and House representative websites." From the article: "Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that 'I do not use 'cookies' or other means on my Web site to track your visit in any way.' But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035. " Follow up to a story we reported on earlier.
This is a job for the Cookie Monster!
It's simply amazing that after being posted for a few minutes, mccain.senate.gov is now down. Hmmm...think we can take down www.microsoft.com if we all go there at exactly 4:00pm Pacific Standard Time and hit F5 20 times??
Click Click Bloody Click PANCAKES!
I wonder how many people who think that cookies are horrible intrusions into their privacy really dig websites that auto populate their username and password when they visit them.
Also, having a go at the White House for using WebTrends to collect and analyse visitor data is nuts. When you've got a busy and important site like that, good quality analytics are vital. If they didn't have them, you'd probably find the media criticising the White House for not knowing about their visitor demographics, popular pages etc etc.
That article really just smacks of lazy journalism. Whatever next.. discovering their PC has a "Temporary Internet Files" directory?
Never email donotemail@WeAreSpammers.com
I know why people get so upset when cookies are stored, but most of the time it is used for useful things. For example it can be a great way to come back to slashdot and already be logged in. I hate typing in my password all the time. Blah.
I think that if the NSA or others decide to keep an eye on you - they don't need cookies at all :-)) They also have other more effective technologies in the pocket... So why such a big bang around cookies while your phones are being tapped without court approval?
Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
First of all, I'm guessing it's the same cookie that you get if you go to anything.senate.gov
Secondly, what's all the fuss about? Cookies are incredibly harmless compared to everything else floating around the internets. Right?
Oh well. Damn politicians. I'm sure John McCain is perfectly correct. He, personally, does not use cookies to track people. He probably doesn't.
"Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that 'I do not use 'cookies' or other means on my Web site to track your visit in any way.' But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035. "
Because, as we all know, all politicians are fully versed in technology and its myriad uses.
The theory of relativity doesn't work right in Arkansas.
Can anyone direct me to an easy way to get a "wipe cookies" button in my Firefox toolbar? Perhaps something to make deleting all of my cookies as easy as hitting "refresh" while looking at a high school website?
Trying to use sarcasm in text-based forums does not work.
That all depends on what the meaning of "is" is.
I am unamerican, and proud of it!
"Secondly, what's all the fuss about? Cookies are incredibly harmless compared to everything else floating around the internets. Right?"
wrong wrong wrong.
First, just because there are a lot of other things floating around doesn't mean things perceived as minor should be ignored.
Do you know what started the 'don't track cookies' effort within the government? The White House was tracking people who had cookies from a marijuana advocacy site.
The Kruger Dunning explains most post on
I cleared all cookies and went to mccain.senate.gov - checked the cookies and nothing. Anyone else?
Just because a server sends a cookie doesn't mean that the whole world is tracking what you do. It's precisely this kind of media paranoia that makes development damn near impossible without idiot users bitching about harmless cookies. Guess what. Your ISP has more information about what you do on the net than almost any cookie you can get.
Got a link for that thing about the government-marijuana-cookie-tracking thing you mentioned?
//mmmm marijuana cookies
Not that I don't believe you, I'd just like to read more on it.
If CNet is so concerned about the government using cookies why does CNet use cookies? Why does CNet allow their advertisers to use cookies? Why do CNet and their advertisers use Flash?
Oh, you didn't know that Flash is the new favorite means of tracking you? Hold onto your seat Tonto, you're about to get a wake up call! Flash is far more effective than any cookie ever was and no one seems to notice. Have a look at the contents of:
~/.macromedia
or
C:\Documents and Settings\User_Name\Application Data\Macromedia\
Cookies are unique ID numbers that a remote Web site hands a browser, which automatically regurgitates them upon subsequent visits. They can be used for something as innocuous as permitting someone to customize a Web site's default language for return visits.
Unique ID numbers? Cookies are (essentially) text files, that allow the web developer to write the limited amount of information they can gather on you (or more commonly anything they need to track from page to page) onto your machine so that it can be retrieved at a later date by the same web application that stored them.
The Unique ID number they are talking about is actually the Session ID allocated by the server that identifies an individual browser session. Shut down and then reopen your browser, and you'll (most likely) get a different session ID. The completely stuffed thing about the paranoia regarding cookies is that any information that the browser could determine about you (IP, the port you are using, the page you last visited in order to get to the current page) could simply be written to the server's database - irrespective of whether or not you have cookies enabled.
In the worst case, they can be used to invade privacy by correlating one person's visits to potentially thousands of different Web sites.
OMG - that'll end civilisation as we know it! Of course this assumes that someone can get their hands on ALL your cookies. Perhaps with Netscape it wasn't so hard given they were all stored in a single file - but I would think (I've never tried myself but the how of it is not obvious) you would need some sort of ActiveX control or an exploit of some kind to be able to access cookies other than those from your web site.
dnuof eruc rof aixelsid
If you don't want to be tracked, you shouldn't go on the internet or www anyway. In theory people can always "track" you on the world wide web; it's not like you don't leave an imprint by a) connecting and b) accessing a website or server. It's all logged: your IP address, time visited, etc. But the real question is who the heck cares? And cookies? Cookies are used to store information, on the USER'S computer. Sites use cookies for users' convenience. They store a value which the site can later access. They have limited potential for danger, and so-called "tracking cookies" are redundant; if someone cares enough, they could track you without a cookie. The ONLY real problem I know with cookies is if someone steals them with XSS and then is able to steal a session or something from you. But that's like saying "the only REAL problem with connecting to the internet is that somebody MIGHT ssh to my computer and steal stuff" or "the only REAL problem with going outside is that I might get run over by a bus".
Ben Forta of ColdFusion fame has quite a good reply to the cookie news items.
I wonder if the government anti-cookie rule / recommendation / whatever it is exactly, has caused some developers to avoid even session cookies by using URL strings instead. These are less secure than cookies because they end up in web logs, get bookmarked, emailed etc. Despite what another post said, I don't think cookie values generally end up in logs.
I admit to using session strings myself because a few years ago lots of people were scared into turning cookies off in their browser. That doesn't seem to be much of a problem these days. I hope this misguided publicity is not going to trigger a return of those days. Likewise for Javascript.
As far as I have seen from experience, the vast majority of cookies in use today are merely for storing a user's session key. They just store your virtual "connected" status (with the otherwise connectionless HTTP) for the duration of your visit to the site, and expire and are discarded after a few minutes of idleness (usually 30 minutes).
Of course, it would be nice to not have session cookies at all, but it appears to the user to be the most transparent. The other main method is to have a session key in the URI. How many times have you seen "?sessionid='somedata'" or "?JSESSIONID='somedata'" appended to the end of a URL?
The other ways, such as hashing the agent's info (IP address, browser, etc) on the server and doing a lookup for every page request, or passing the data back and forth in 'type=hidden' form fields, are less reliable.
I think that if someone would tell the media this missing bit of info, the hype might fade, if only temporarily. There are too many Chicken Littles (Cassandras?) in the world for paranoia to take a permanent holiday.
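An added example, not part of any poster's comment: the comments above contrast session IDs carried in the URL with session IDs carried in a cookie. The standard "combined" access-log format records the request URL and the Referer but not the Cookie header, so only URL-borne tokens land in logs. The sketch below scans constructed log lines for them, flags a token requested from more than one address, and masks tokens before a log is shared. The sample lines, the host shop.example, and the PHPSESSID name are assumptions added for illustration.

```python
import re
from collections import defaultdict

# Names from the thread (sessionid, JSESSIONID) plus PHP's default PHPSESSID;
# ";jsessionid=" is the path form produced by servlet URL rewriting.
SESSION_PARAM = re.compile(r'([?&;](jsessionid|sessionid|phpsessid)=)([^?&;#"\s]+)', re.I)
# "combined" log format: client, request line, status, size, referer.
LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"\S+ (?P<request>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2006:10:00:01 +0000] "GET /account?sessionid=ab12cd34 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jan/2006:10:00:05 +0000] "GET /cart;jsessionid=9F8E7D6C?item=4 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2006:10:09:40 +0000] "GET /cart;jsessionid=9F8E7D6C?item=4 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jan/2006:10:12:00 +0000] "GET /news HTTP/1.1" 200 1200 "http://shop.example/list?JSESSIONID=77AA55" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jan/2006:10:12:30 +0000] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0"',  # cookie session
]

def find_session_leaks(lines):
    """Return (line no, client, field, parameter, token) per session ID seen in a URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if m:
            for field in ("request", "referer"):
                for p in SESSION_PARAM.finditer(m.group(field)):
                    hits.append((n, m.group("client"), field, p.group(2).lower(), p.group(3)))
    return hits

def tokens_used_by_multiple_clients(hits):
    """A token requested from more than one address suggests a shared or leaked URL."""
    clients = defaultdict(set)
    for _, client, field, _, token in hits:
        if field == "request":
            clients[token].add(client)
    return {t: sorted(c) for t, c in clients.items() if len(c) > 1}

def redact(line):
    """Mask session tokens before the log is stored or shared."""
    return SESSION_PARAM.sub(lambda m: m.group(1) + "[REDACTED]", line)

if __name__ == "__main__":
    hits = find_session_leaks(SAMPLE_LOG)
    print(hits, tokens_used_by_multiple_clients(hits), redact(SAMPLE_LOG[0]), sep="\n")
```

The fourth sample line shows the Referer path: a token from one site's URL ends up in another site's log. The fifth line, a cookie-based session, produces no hit.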
I doubt McCain did this on purpose, but even if he did, should we be surprised?
One thing I'm curious about, does Sen. McCain (or anyone in his employ) run McCain.Senate.Gov or is it all together on one server with all the other Senators web sites? Basically, does he have any control over that site using cookies?
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Flash is much much much worse. Take a look at this:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
But they are bad. And developers who can't see it are just stupid. Netscape should never have proposed cookies, and IETF should never have accepted them, or any other technology which is intrusive and can potentially facilitate spying on users.
BTW, I have never accepted an Internet cookie in my life, and never intend to, and will quash any other technologies that I can (eg disabling Flash). Oh, and I don't mind typing in data, if I need to (actually, I never need to - sites which require my data are crossed off my list and for all intents and purposes are not part of MY Internet). But theoretically, if I was going to type in my data, the thought of having to do so more than once because, god forbid, I actually won't accept cookies, does not dissuade me one freaking bit.
PS, I am posting this anonymously only because the stupid Slashdot website developers won't allow me to register with a user name unless I will accept cookies. I would be long gone and slashdot for me a mere useless walled off dead zone of the Internet except for the fact that Slashdot still allows SOME cookie-free value in their website (such as a capability of anonymously posting), so I'll use the meager drippings I find useful here. Cookies suck, Flash sucks, JavaScript sucks, active content sucks etc etc etc - but some developers are just clueless.
"McCain assures visitors that 'I do not use 'cookies'
Bush assures citizens that 'we get court orders to do wiretaps'"
You know, this is the thing that really shorts my circuits sometimes. Here we have a president who has effectively admitted, "Yeah, so I attack foreign nations, imprison and torture anyone I want to, arbitrarily decide who's allowed to fly and who's not, spy on anyone I want to, whether the courts want me to or not." And people very earnestly debate whether this is a partisan issue, and if so, which way will the libertarians move?
But hey folks, get the rope ready, start heating the tar and plucking the chickens, 'cause the senate website has cookies!
Crumb's Corollary: Never bring a knife to a bun fight.
well I was close. My memory is failing.
http://www.cnn.com/2005/TECH/internet/12/29/spy.agency.privacy.ap/index.html
relevant quote:
"The government first issued strict rules on cookies in 2000 after disclosures that the White House drug policy office had used the technology to track computer users viewing its online anti-drug advertising. Even a year later, a congressional study found 300 cookies still on the Web sites of 23 agencies."
however it still makes my point on one way a cookie can be used for malice.
http://www.wired.com/news/wireservice/0,69945-0.html?tw=rss.index
shows how cookies can be used to trace you through the web, as it were.
http://shns.scripps.com/shns/story.cfm?pk=COOKIES-06-20-00&cat=AN
"White House ads offering information on marijuana pop up when Internet users search for certain words connected to drugs on Internet search engines like AltaVista or Lycos. The banner ads steer users to the anti-drug site Freevibe.com, which is operated by the White House drug office. A tracking cookie is inserted in the user's personal computer as the site is activated.
Although Freevibe's privacy notice states that "no information, including your e-mail address, will be sold or distributed to any other organization," the site is connected Doubleclick.com. Officials of Doubleclick, a New York advertising firm that is one of the largest companies gathering data on Internet user use, told the Senate Commerce Committee last week it is developing new products that will profile more than 40 million Internet users."
here is an example where your information is tracked and sold.
I won't go into whether or not these particular cases were intended to abuse anyone, but it would be just as easy to use this data for profiling.
Would it be hard to imagine someone thinking "Well, if they are looking for ways to kick a drug habit, then they probably have drugs. Let's go arrest them!"?
oddly, I can't find the story that I heard about it originally.
The Kruger Dunning explains most post on
The trick is that the cookie can be linked to your personal information.
The classic "compromising cookie" scenario involves a cookie set by an embedded image from a different server.
Say that Evil, Inc runs a banner server banners.evil.com, which puts ads on kinky.xxx and on yourchurch.org (or maybe just an invisible "web bug" on either site). When you visit kinky.xxx, your browser requests the banner from banners.evil.com, which sets a cookie saying "I went to kinky.xxx and all I got was this lousy cookie". That cookie will be sent along with any request your browser makes to banners.evil.com.
Then you log in to yourchurch.org. Their home page has an image tag with a source like "http://banners.evil.com/spyonme.php?username=your name". Your browser makes this request to banners.evil.com, sending along the cookie that server set earlier. Your browser thus tells Evil, Inc your yourchurch.org username (in the image URL) and the fact that you visited kinky.xxx (in the cookie).
Evil, Inc phones up your pastor and lets him know so that he can shame you in front of the parish the next Sunday (turns out this is all part of your church's anti-porn crusade).
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
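An added example, not part of the comment above: a toy model of the embedded-image scenario it describes, run once with third-party cookies accepted and once with the browser refusing them. The host names come from the comment. The username "alice", the opaque ID cookie combined with the Referer (instead of a cookie that names the site), and the two-label definition of "site" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: "site" = last two DNS labels (real browsers use the Public Suffix List).
    return ".".join(host.split(".")[-2:])

class BannerServer:
    """Third-party server: issues an ID cookie and logs what each request reveals."""
    def __init__(self):
        self.issued = 0
        self.log = {}  # visitor ID -> [(embedding page host, query string)]

    def handle(self, url, referer, cookie):
        set_cookie = None
        if cookie is None:                      # unknown browser: hand out a new ID
            self.issued += 1
            cookie = set_cookie = f"id{self.issued}"
        entry = (urlsplit(referer).hostname, urlsplit(url).query)
        self.log.setdefault(cookie, []).append(entry)
        return set_cookie

class Browser:
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.jar = {}  # cookie host -> value

    def load(self, page_url, embedded_url, server):
        host = urlsplit(embedded_url).hostname
        third_party = site_of(host) != site_of(urlsplit(page_url).hostname)
        allowed = not (third_party and self.block_third_party)
        cookie = self.jar.get(host) if allowed else None
        set_cookie = server.handle(embedded_url, referer=page_url, cookie=cookie)
        if set_cookie and allowed:              # blocked cookies are never stored
            self.jar[host] = set_cookie

def run_scenario(block_third_party):
    """Replay the two page loads and return what the banner server recorded."""
    banner, browser = BannerServer(), Browser(block_third_party)
    browser.load("http://kinky.xxx/", "http://banners.evil.com/ad.gif", banner)
    browser.load("http://yourchurch.org/home",
                 "http://banners.evil.com/spyonme.php?username=alice", banner)
    return banner.log

if __name__ == "__main__":
    print("third-party cookies allowed:", run_scenario(False))
    print("third-party cookies blocked:", run_scenario(True))
```

Blocking third-party cookies removes the key that joins the two visits, not the leak itself: the username placed in the image URL still reaches the banner server, so the embedding site has to stop putting it there.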
From http://mccain.senate.gov/
:-)
Sorry, the http://mccain.senate.gov/ web page you have requested is experiencing technical difficulties. The Webmaster has been alerted.
You will be automatically redirected to the http://mccain.senate.gov/ Home page after 10 seconds.
I love sites that slashdot themselves. It takes the work away from actually having to pound the refresh button.