Slashdot Mirror

← Back to Stories (view on slashdot.org)

Introducing the Invulnerable Evercookie

Posted by CmdrTaco on from the evil-and-clever dept.

An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."

16 of 332 comments (clear)

  1. "That's the great thing about evercookie" by tomalpha · · Score: 3, Insightful
    From TFA:

    That's the great thing about evercookie

    I disagree. Strongly.

    I guess it's good that this is out in the open so we know about it, and hopefully the major browsers can all do something to help prevent it. But still: don't like, don't like at all.

    1. Re:"That's the great thing about evercookie" by PhilHibbs · · Score: 4, Insightful

      There's no possible justification for this project.

      "To show everyone what the black hats and spammers are going to be doing", sounds good enough to me.

  2. And now... by Haedrian · · Score: 4, Insightful

    Whenever someone goes through all the trouble of adding additional ways of tracking people - someone goes through all the trouble of finding ways of removing it.

    There's no such thing as Invulnerable - See also: DRM and Copy-Protection

    1. Re:And now... by cheater512 · · Score: 2, Insightful

      No, but the people who do the tracking dont care about you.
      They want everyone else who doesnt try to evade tracking, which is a lot more people.

  3. Re:Not hard to beat at first glance. by Shrike82 · · Score: 4, Insightful

    That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown. YMMV

    I take your point, but most people use neither of these things and will be at the mercy of persistent tracking. Of course anyone who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies). Especially since "Private Browsing" modes have been shown to retain information.

    --
    You can advertise in this sig from as little as £99.99 a month!
  4. Developers take note by Monoman · · Score: 5, Insightful

    If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.

    --
    Keep the Classic Slashdot.
    1. Re:Developers take note by Sarten-X · · Score: 2, Insightful

      ...or you're doing something that users expect to "just work". My grandmother had a perfectly fine time using GMail, until my uncle heard that cookies should be deleted for privacy. I got a phone call after that where I had to figure out why "email isn't working".

      I can see valid uses for this, and I can see malicious uses. I suppose it's good that something's out there making us developers think about these techniques.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Developers take note by Anonymous Coward · · Score: 2, Insightful

      That's not a problem with cookies being easy to delete, that's a problem with the user not understanding what they're deleting. In the same way that making it imposible to delete word documents is a bad idea, making it imposible to delete cookies serves no beneficial purpose to the user.

  5. Re:Browser on a VM then? by NevarMore · · Score: 4, Insightful

    No. You could also stop using the Internet.

  6. Not Really by Greyfox · · Score: 3, Insightful
    It might just drive more users to noscript and flashblock. I have to explicitly trust a site before I allow it to do those things, and if I happen to run across a site that requires them during casual browsing, I do not allow them access to those capabilities. If you're the sort to look over your shoulder that much, being able to browse the web with some level of comfort should more than offset any degradation of the web experience.

    Advertisers and site operators might complain that this behavior costs them revenue, but they should have thought about that before going all Big Brother on us. If you're going to try to trick me into clicking an ad on your site, I don't want anything to do with your site anyway. And I do occasionally click through ads on Slashdot and Google.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Not Really by Chatterton · · Score: 2, Insightful

      It will not drive more users to noscript and flashblock because then websites will not 'just work' anymore and it will be a pain to them to whitelist every script they don't know what they do for every websites one by one...

  7. Re:Not hard to beat at first glance. by h00manist · · Score: 5, Insightful

    who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies).

    There's all kinds of databases on people available. Search and you shall find.

    All data circulates easily and is simply very hard to stop. It is indeed like speech, it just happens, anyone can do it. Copyrighted data, personal data, credit data, secret data, whatever. Bottom line, gathering and selling various gray-black-market data is illegal immoral etc, and very doable and very interesting for companies and organizations of all types. Not unlike downloading movies is for many - illegal but easy and interesting data. It's the interests that are different.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  8. Cookie? by kurokame · · Score: 4, Insightful

    Let's see. A remote website infects your computer with code which does things on your system without your consent and resists your attempts to delete it through the use of hidden copies. I think we have a word for this already. Starts with a V.

  9. Re:Not hard to beat at first glance. by dkleinsc · · Score: 4, Insightful

    Thhe purpose of "Private Browsing" isn't to protect your privacy from websites while you surf, it's to protect your privacy from your SO when she comes home and sees your web history.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  10. Re:Privacy for 99% of people doesn't exist by Anonymous Coward · · Score: 1, Insightful

    You're confusing privacy and secrecy.

  11. Re:Remember? by cgenman · · Score: 3, Insightful

    Hidden form values have the annoying tendency of breaking the back button. That, in my mind, is a far greater sin than cookies.

    --
    The ______ Agenda