Un-killable 'Evercookie' Killed ... Sometimes

Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."

Solution:

[DarkKnightRadick]

Don't accept cookies.

Re:Solution:

Better solution. Do all your browsing from a virtual machine running in non-persistent mode.

Re:Solution:

That's not the solution. The whole point of the "evercookie" is that it doesn't just use regular HTTP cookies to store information, but also abuses all kinds of common browser features related to CSS, caching, embedded Flash objects and anything else that can be exploited to store state. If all he did was store a cookie only, then any browser worth its salt could easily purge it from the browser history.

So even if you just block cookies, that doesn't prevent this hack to work. You may need to block a whole range of features from JavaScript to HTTP caching to Flash support. It's certainly possible, but not something that an average user is prepared to do.

Re:Solution:

Don't accept cookies.

No, not a solution. RTFA. It doesn't matter whether you accept cookies or not. The only two methods of protection are (a) use Safari in private browsing mode, and quit and restart the browser between each and every site; or (b) block absolutely all javascript everywhere without any exception ever. Neither of these is really satisfactory.

Plus, these evercookies transfer from one browser to another because they get stored as LSOs.

Re:Solution:

[DarkKnightRadick]

That is pretty nasty.

Did anyone test FF or Chrome private browsing mode? (and no, I won't RTFA, who wants to risk a cookie like that?)

Re:Solution:

[DarkKnightRadick]

Even I'm not prepared to do that and I don't consider myself average (nor above average, but whatever).

Re:Solution:

[Sulphur]

Don't accept evercookies.

They are made in highly automated hollow trees by elves with no visible means of support in a forest alleged to be enchanted.

Re:Solution:

[AHuxley]

yes someone when to much trouble to get deep tracking in every web device sold or 'given' away.
Some strange "law enforcement" junk ad banner on a site of interest could be very useful.
Who would give it a second thought or think to do some deep clean.
One visit via a spammed link in a dark forum, chatroom and you track yourself with your own hardware.

Re:Solution:

[thePowerOfGrayskull]

Don't accept cookies.

Also use Links2. (Links is crap, of course. ANd only losers use lynx...)

Back in the real world, some of us do actually want to use the web for doing more than viewing static HTML pages. One or two of us even appreciate those awful persistent logins that cookies enable...

Re:Solution:

[Lumpy]

And do not run flash.

I find sandboxie does a fantastic job of killing the evercookie every single time. Are CS professors lacking in education lately?

If your browser runs in a sandbox that is destroyed when you exit the browser, the evercookie cant live... No way no how.

Re:Solution:

[geminidomino]

What about this extension?

Re:Solution:

I would, but I don't think there's an app for that.

Re:Solution:

[geminidomino]

Nevermind. Been reading up... damn these things are vile...

So we need a browser that runs in its own sandbox and disables a ton of standard user features.

Advertiser scum.

Re:Solution:

[nmg196]

> Don't accept cookies.

RTFA

Re:Solution:

Even I'm not prepared to do that and I don't consider myself average (nor above average, but whatever).

Yes yes, pedantic, just mod me down, but what you are saying there is you considerer yourself below average, which is probably not the point you were trying to make.

Re:Solution:

[cyclomedia]

No, you just need a browser that runs in a sandbox that saves NOTHING between runs of the exe. Someone in an earlier story on the evercookie suggested running in a VM, then destroying the VM and creating a new clone. All it would require the user to do is remember their passwords.

Re:Solution:

[Tacvek]

I just tested Chrome's private browsing mode. The "cookie" was set, but did not survive when the session was closed. The most likely way for the cookie to survive a private browsing mode is though Flash's Local Stored Object feature. I've not checked with firefox.

Re:Solution:

[geminidomino]

It would make actually downloading anything that you might want to download into a colossal hassle, though, so that's not really a solution.

Re:Solution:

[GameboyRMH]

That's actually pretty easy to do. I recommend booting a BackTrack4 LiveCD in a VM, it comes with Firefox with NoScript and Flash installed right out of the box. If you want to download something and you're really paranoid, save it to a shared-device USB stick (closed-source VirtualBox or VMware required).

Re:Solution:

[DarkKnightRadick]

I'm hoping CCleaner will still get it, then.

Re:Solution:

[DarkKnightRadick]

lol

Re:Solution:

[DarkKnightRadick]

I use persistent cookies myself, but when I decide to clear them all out, I like knowing they are all cleared out. I no longer have that assurance (or option).

Re:Solution:

[DarkKnightRadick]

nice way to be redundant.

Re:Solution:

[DarkKnightRadick]

You are right. I see above-average as being those over-achieving wizards of computing. I am no wizard, but nor am I Joe Schmoe using a computer only occasionally.

Frist Psot

Frist Psot

Evercookie is clever

[Nichotin]

For forum administrators, it is a very clever way to keep many ban evaders out. While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again. Read the list of the places it stores its cookies, and be amazed how many there actually are. So, 1) ban user, 2) place cookie, 3) user signs up again, 4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).

Re:Evercookie is clever

While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again.

Didn't we used to call this kind of stuff "malware"? When did it become acceptable, no matter how annoying or unwanted the user is, to put something on their computer without their knowledge that is hard or near-impossible to remove?

Re:Evercookie is clever

[countSudoku()]

Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

Re:Evercookie is clever

[Yvan256]

Malware is executable software. The evercookie isn't software, it's a simple marker.

Re:Evercookie is clever

Oh please. There are plenty of malicious sites that do unwanted things to your computer that don't leave an executable. It doesn't have to be "executable software" to be malware.

Re:Evercookie is clever

[tehdaemon]

Malmarker then? Maldata? Evilbytes? I suppose at some level pedantry about word definitions makes sense, so fine, don't call it malware. But it is in the same 'badness' class as most malware, and needs an equally bad name to go with it.

T

Re:Evercookie is clever

[The+Wild+Norseman]

Malware is executable software. The evercookie isn't software, it's a simple marker.

The cookie resides on my hardware, doing something (tracking -- albeit doing something passively in this case) which I only wish to grant it for a limited amount of time. When the makers of this cookie make it extremely difficult to delete, which takes away the control I have over the data on my computer, then I see no practical difference between this passive cookie and active malware. Just MHO.

Re:Evercookie is clever

[pclminion]

Just put it in the ToS for the site that you use "advanced measures to track banned users." Presto, now you're not being underhanded about it, which is really the critical difference between malware and other forms of software.

Re:Evercookie is clever

[MagicM]

I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things.

You sound like a fascinating person and I would like to subscribe to your newsletter.

Re:Evercookie is clever

And you can never visit any registration sites from a public or shared computer again... one user gets banned, all future users are detected as circumvention attempts.

Re:Evercookie is clever

[Yvan256]

If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.

Re:Evercookie is clever

[Sponge+Bath]

"advanced measures to track banned users."

"enhanced interrogation techniques" - A familiar meme.

Re:Evercookie is clever

[_Sprocket_]

Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :)

I would suspect you represent a very small minority.

Re:Evercookie is clever

[couchslug]

"Not if they visit using a Live CD based OS."

VMs aren't just for running "installed" operating systems. :)

A live CD image boots nicely under QEMU and VirtualBox. Grab some .isos and enjoy.

http://www.damnsmalllinux.org/ is small, light, and fast, but you can run Ubuntu and similar images.

If you remaster your image with custom software, you can use it as easily as a premade .iso.

Re:Evercookie is clever

[pclminion]

Yes, installing a cookie on a user's system after informing them that you will be doing so, is equivalent to waterboarding enemy combatants in secret holding facilities. Get real.

Re:Evercookie is clever

It's not a cookie either. A cookie goes in one place via an established set of rules and I can get rid of it by telling my browser to delete all cookies, none of which describes this thing.

Re:Evercookie is clever

[c0lo]

4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).

Good-bye posting from Internet cafe's from a guest account.

Re:Evercookie is clever

[CCarrot]

If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

Ordinary cookies don't actively fight removal by the user, and once they're gone, they're gone.

Ordinary (non-malware) applications don't actively fight removal by the user, and once they're gone, they're gone (okay, other than some leftover user/config data sometimes, but the program itself is gone and no longer does what it was designed to do).

The 'Evercookie', on the other hand, behaves exactly like malware in that it actively resists being deleted by the user, even to the point of rebuilding itself after deliberate removal attempts, and all for the benefit of a third party.

Re:Evercookie is clever

[drcheap]

Malware is executable software. The evercookie isn't software, it's a simple marker.

And what puts that "simple marker" on your computer? Oh yeah, JavaScript, which last time I checked is executable software.

Re:Evercookie is clever

[Firehed]

It's a fairly complex storage mechanism, designed to get around a user's preferences. In the wrong hands, it's very dangerous. I'd certainly call it closer to malware than, for example, the recent iPhone jailbreaks - which are so kind as to patch the security flaw that let the software run in the first place. Yet by your reasoning, jailbreaking is malware and evercookies are harmless. If you think that ad retargeting (ads that basically follow you around the web) is creepy, wait until they know with 100% certainty that you're a known user in some known demographic.

Re:Evercookie is clever

[drcheap]

Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.

Some do.

Re:Evercookie is clever

It's more than a marker if it's capable of detecting attempts to remove it and respawning itself.

Re:Evercookie is clever

[Firehed]

Putting something in the TOS to "not [be] underhanded" is, in itself, being underhanded. Or perhaps you're that one non-crawler in my server logs with the request to /about/terms, in which case I take that back.

Re:Evercookie is clever

If only they knew how wasted it is to show me ads about Microsoft anything, they would stop instantly.

Re:Evercookie is clever

[Jstlook]

You sound like a dull person and I would like to subscribe to his newsletter.

Re:Evercookie is clever

[KiloByte]

How do you store a marker on a computer without software? Does it leave a physical marker other than a magnetic charge on the disk?

"Software" means a "string of bits", not a "program". This is the definition I was taught, and it is the most popular one.

As for example the Wikipedia article mentions, there is also a rare narrower definition which says what you meant. It has gained some popularity recently, but it suffers from being badly imprecise: what about PostScript? What about Perl's POD? What about PHP which can range from 100% HTML to 100% code? What about Windows metafiles? What about PDF? What about a "picture" file that causes a buffer overflow to pass some shellcode?

Re:Evercookie is clever

[cheater512]

Next you'll whine that the website I created left some cached files on your computer.

Re:Evercookie is clever

[LoudMusic]

I think you misunderstand. This is just going to the trouble of using all methods that the client computer allows to uniquely identify the client computer in the future. It's not doing any haxy work to maliciously place markers. It's only doing things that the client PC is already set to allow.

Re:Evercookie is clever

Putting something in your Terms of Service isn't the same thing as informing the user, even if it's legally regarded to be so.

Re:Evercookie is clever

[thePowerOfGrayskull]

Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

Sooo... what's your point again? What percent of the population uses a LIveCD installation? And of that percentage, what further subset does so without any persistent storage (flash drive, etc) for user settings? (And if one person replies to me "I do, so there" [or its equivalent] , consider yourself virtually smacked for missing the point.)

I'd say it's not broken until there's a less drastic means of evading it. If the only way to do so means - a) clearing history after every page and b) disabling cookies and c) disabling javascript OR d) running a Live CD OS ... well, I think it's pretty safe to say this is gonna be around for a while.

Re:Evercookie is clever

[severoon]

Well, ok, it's just data, not software. But what ought we call the algorithm that nestles that data gently on the tip of a steel-toed boot and then forcefully plants that data squarely in your browser's brown-eye?

Re:Evercookie is clever

[ls671]

Not directly, more precisely; javascript is 'indirectly' executed ("interpreted") by an interpreter program.

I realize that I am picking on you a bit but still, I consider the precision worthy ;-)

Re:Evercookie is clever

[davidbofinger]

It's not the same concept but "malcontent" deserves to be coined.

Re:Evercookie is clever

So you'd happily trade in your current evercookies for viruses?

Re:Evercookie is clever

[Nefarious+Wheel]

But ... don't they have to have the password to /root in order to do this?

Oh, wait...

Re:Evercookie is clever

Well, due to the popularity of Wubi, Linux now is a Windows program.

Re:Evercookie is clever

[waveclaw]

The Microsoft-is-the-computer idea is already well entrenched. You don't buy a computer anymore. You buy Windows or your buy a Mac.

I bought a cheap, pre-built computer sitting in the font of a store to replace one of my (cheaper, older, dead) personal development servers. It had a Microsoft OS on it. I asked for the PC tech running the store to remove the OS and give me the price difference.

His first reply was that PC's don't work without Windows.

I told him I was going to just put Linux on it.

They guy has been building and selling PCs at this place for years. His reply?

"Uh, I don't think Linux runs on PCs."

I just waited for him to crudely zero out the boot block on the HD I was going to trash anyway, bought my 'useless' PC and walked out.

Evercookie is just another salvo in the silly Medieval/Industrial Age Idea of a war of control between producers verses consumer. Remember to be a good sheep, don't open those, you'll void the (useless) warranty! It comes in any color you want, as long as that color is black.

Re:Evercookie is clever

[uninformedLuddite]

Exactly right my fiend! I only recently watched a TV series called The Lone Gunmen on DVD. If you cannot get rid of this 'ever'-cookie how in hell are you meant to stop your cookie being compromised?

Re:Evercookie is clever

[stompertje]

Why would ordinary users have to know the difference between a virus and a trojan? Teach them a few simple rules for safe computing that anyone can understand and that's it. I don't need to know how a Diesel engine works or how it differs from other engine types, as long as I put in the right kind of fuel (oblig. car analogy).

Re:Evercookie is clever

The rest of the world won't care what Slashdot thinks is malware, but a clueless journalist who first makes his foray into the computer world and sees an undeleteable tracking device that can be installed on your computer will tell his opinion to the masses and that'll probably stick.

Just like how hacker now means a bad guy and not someone proficient in programming.

Re:Evercookie is clever

[L4t3r4lu5]

This.

If I want to be tracked permanently by a website, I'll create an account and log in. They can trace me by logging my actions while logged in. Any site which tracks me without me logging in to an account had better let me delete their tracking cookie, or they'll very quickly lose my business.

I do mean business, too. They're in the business of serving me advertisements. I'll not be looking at them if I stop visiting the site.

Re:Evercookie is clever

Ever heard of coLinux? (http://www.colinux.org/)

Wine brings Windows user space to Linux, but coLinux brings the Linux kernel into Windows

If you are stuck at work with a Windows box there is nothing better than to have good old Linux running as a service and having all the goodies native. (take a look at the http://www.andlinux.org/ distro for a smooth start)

Oh, BTW, all of this just to say that coLinux it is actually "a Windows program and that no computer can run without a Microsoft OS" (32bit versions only for now...)

Re:Evercookie is clever

If it's able to use another executable or part of the shell on the OS to recreate itself it's malware. It doesn't matter if it uses/directs e.g. "echo" which pipes the output to a file. It's fucking malware. FYI even if it's a fucking script running on a website and not on your computer it's still fucking malware it just happens that it's not running on your computer. You are a fucking idiot.

Re:Evercookie is clever

[pacinpm]

I know, I know, let's call it... Evercookie!

Re:Evercookie is clever

[Chowderbags]

Wait until computers come preloaded from $Big_computer_manufacturer with your name in the evercookie and online advertisers link into databases to find out your income, address, if you're married, if you have kids, if you're republican or democrat, if you've got a pet, if you have a hunting/fishing/gun license, etc. They'll still send you ads for things you don't give a shit about, but if you don't start buying they'll slowly get creepier and creepier, and then the computer will tell you that it could replace you with a poorly paid actor if you don't cooperate. Before you know it, terminators are roaming the world looking for John Connor. Ok, the first part will still probably happen, then enough people will complain that some congresscritter comes up with a hamfisted solution that is completely unworkable, unenforceable, and without teeth if it were enforceable. But people will feel like something good happened.

Re:Evercookie is clever

[bankman]

If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

I know this one: Trojans prevent me from getting viruses. So one is good and the other is bad, right?

Re:Evercookie is clever

[GameboyRMH]

All that nasty browser plugin malware (mywebsearch/coolwebsearch) has been called malware from day one, and it isn't executable software...

Re:Evercookie is clever

[GameboyRMH]

Malware is an umbrella term that covers viruses, trojans and things like malevolent browser plugins and word processor macros (which are not executable software).

Cookies (whether of the traditional, HTML5 or Flash kind) have been classified as "privacy risks" or something like that by many PC antivirus apps, which is a fair classification. Evercookies AT LEAST belong in this category - they're worse than any one of the technologies it exploits. Whether privacy risks should be classified as malware is open for debate, but any kind of cookie made to resist detection and easy deletion is closer to malware than a mere "privacy risk" IMO.

Re:Evercookie is clever

But Linux is a Windows program: www.colinux.org

Re:Evercookie is clever

Stop doing that! Buy from people who WANT to support you. errr

http://open-pc.com
http://thinkpenguin.com
http://system76.com ... anybody else????

Re:Evercookie is clever

A simple marker that wastes my hard drive space, therefore stealing resources, time and money from me. If I ever find something like this on my PC, I won't hesitate to prosecute the person(s) responsible to the fullest extent of the law.

Re:Evercookie is clever

How about calling it 'Hey little girl, want a cookie' ware. It should be outlawed, however, governments of the world have such a desire to trace and track people today that they will probably never do anything about it.

Re:Evercookie is clever

[stilldead]

JavaScript is directly executed. If I am a Lieutenant and I give and order to a Private and it is directly executed is it more of an execution than if I am a General and I give it to a Colonel, and they give that order is given to a Captain, and then it is given to a Lieutenant, and then it is given to a Private and it is directly executed as stated. No, computers are layers. If you think anything else you are an (FLAMING) Idiot.

If only...

[NoobixCube]

I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.

Re:If only...

Only if it stays fresh... ...and doesn't have raisins.

Re:If only...

[Pieroxy]

So how does that work with Cookie Monster that eat up several cookies at once? Can it regrow if you eat it all up or do you necessarily have to have just a bite?

Re:If only...

[Yvan256]

Imagine what happens if you try to eat the whole cookie at once.

Re:If only...

You pick it out of your shit.

Re:If only...

[_Sprocket_]

I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.

Stay away from the one with blueberries in it.

Re:If only...

[Anne_Nonymous]

You shit cookies for the rest of your life?

Re:If only...

[Erikderzweite]

It will obviously regrow as you digest it (giving you diabetes and making an average US citizen look thin in comparison to you).

Re:If only...

[Sulphur]

The raisins got up and flew away.

Re:If only...

[Thing+1]

No ever cookie here, but I do have some recursive brownies...

Re:If only...

[Col.+Klink+(retired)]

Sounds so good, I wish I had two!

Re:If only...

No doubt tail recursion :)

Re:If only...

[zwarte+piet]

Think of the savings! You'd never have to eat again!

Well for Linux anyway

[al0ha]

A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4 - I'd venture to guess it will be the same for other OS running FF at least.

If I don't block the domain cookie creation then just a standard cookie is created.

Re:Well for Linux anyway

Make the folder ~/.macromedia read only. Works with Linux, but not in Windows.

Re:Well for Linux anyway

[Jah-Wren+Ryel]

Make the folder ~/.macromedia read only. Works with Linux, but not in Windows.

I just tried it under linux.
When I made the empty ~/.macromedia directory read-only, the flash plugin consistently crashed.
So I made sure that Flash_Player sub-folder was created by the plugin first, deleted any cookie files and then did a recursive chmod -R a-w ~/.macromedia and it seems to work fine now.

Re:Well for Linux anyway

After testing, this setup made evercookie demo unable to recreate test id after restarting firefox and navigating back to demo website samy.pl.
- firefox with "clear history when firefox closes", all plugins disabled except "mozilla default", "shockwave flash" and "java(tm) platform.."
- noscript without any whitelisted non-local addresses (demo website allowed, of course)
- adblock plus
- https-everywhere
- betterprivacy with "delete flash cookies on start", "also delete flashplayer default cookie...", "on cookie deletion also delete empty cookie folders"

btw, demo website got stuck in some infinite loop making ff gradually slower overtime until i closed the tab with the site.

Re:Well for Linux anyway

[notsinge]

It's fairly easy to block the cookie being set in the first place. For example, a combination of NoScript and CSLite does that perfectly. This is a risk for places where you *need* to allow JS and accept cookies. Think Gmail, it won't let you log in unless you accept cookies and JS from gmail.com & google.com. Given their business model is built on tracking you and collecting you personal data, this is a quick optimisation for them.

Re:Well for Linux anyway

combined with caching set to 0

Yeah, that's definitely useful in real life...

Ufortunately

[antifoidulus]

Now that the Cookie Monster has gone all health food we cannot rely on him to help us out here.

Re:Ufortunately

shows the Muppets have been taken over by faggots, just like Disneyland

Re:Ufortunately

Lies and propaganda. :) (And it's been around for longer than you think. Guess how old that clip is. Here's a hint: that's Run DMC he's spoofing.)

Re:Ufortunately

[monkyyy]

no disney is still ran by idiots who started it

how does it work?

so? how does it work?

Haha!

A researcher from AFRICA is looking into these cookies on SAFARI! That's a great joke.

Re:Haha!

It's this kind of blatant racism that made me move to Reddit.

Re:Haha!

Actually, wouldn''t that be continentism?

Re:Haha!

Isn't the very name "Reddit" rascist? How offensive...

Re:Haha!

Hey dude, I thought you moved to Reddit

Re:Haha!

Well Fark you too

Re:Haha!

Perhaps you should have stayed there...

Re:Haha!

[GameboyRMH]

It's not racism, just a lame joke.

well, actually

[bhcompy]

It mentions mobile devices.. you could just use Skyfire and get flash without having to worry about flash evercookie issues since it's rendered remotely

Re:well, actually

Don't forget to ignore all the permissions it asks for on Android...

Stopping this isn't hard

Just run the browser inside a sandbox http://www.sandboxie.com/ and regularly delete the sandbox contents.

Re:Stopping this isn't hard

[monkyyy]

sounds to hard

i`d rather have a monopolysoft product always running using 10% of my cpu
and go to speedupmypc.com when ever i see one of their helpful ads

Why Safari

[willoughby]

I admit I didn't RTFA but why are they talking about Safari? Are other browsers immune? Is any browser immune?

Re:Why Safari

[_Sprocket_]

If you can't be bothered to RTFA, you likely can't be bothered reading an explanation.

Re:Why Safari

[BUL2294]

For some reason, TFA only mentions Safari. No mention of IE (though Silverlight is mentioned) or Firefox, just Safari & Chrome. I don't know if that's because the author hasn't gotten around to testing Firefox or if it's immune--but Silverlight & Flash could be holes for FF.

Frankly, I never trusted Google's ability to vet Apple's (Webkit) code for security holes... And I just don't trust Apple.

And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

Re:Why Safari

[jimshatt]

As far as I can tell, Safari handles evercookies the best (the least bad) of all browsers. I haven't tested Safari, but FF and IE are not immune. TFA states that in some cases evercookies can be undone on Safari (after thoroughly purging data and restarting).

Re:Why Safari

[CODiNE]

And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

If you use gmail on an iPad in Safari when you log in for the first time with a username it'll as if you give permission to make a 10MB storage file on the device for that users email cache.

It does this for every gmail account you log on with. If you accept, then the next time you go to gmail it loads the default view with the cache and then the new emails pop up at the top of the inbox much quicker than loading it all from scratch.

It's just a faster way of loading your emails and giving it more of an "app" feel.

I'm assuming the database is encrypted.

Re:Why Safari

I got rid of it in Firefox 3.6.11 by closing all tabs, manually emptying the cache and closing and restarting the browser. Didn't think it would be so easy.

I also have Adblockplus (not sure if it played a role), BetterPrivacy (to delete Flash LSOs at the end of a session), only session cookies, no Java, no Silverlight, no session restore. No Flash or Javascript blocking, the browser should still be usable. But these are my default settings anyway. So apparently Firefox takes care of the nastier stuff!

Now if the site used panopticlick, it would win. But there's no easy solution to that. I want web servers to know stuff about my client. If that makes me trackable, so be it.

Re:Why Safari

[Gollum]

Dominic chose to start his efforts to remove the evercookie with Safari. Others have tried with Chrome and FF, etc. No browser is immune, although those that do not support HTML5, or flash are a lot better off.

Re:Why Safari

[Tacvek]

The database storage feature is an evolution of a feature originally found in Google Gears. The original purpose was to permit offline capable websites. For example, one could store several years worth of calendar data in a fairly small amount of space, so would it not be convenient to let Google calendar do that, and also request caching of itself such that you could visit it when offline and still see your calendar?

Now, you might be one of those users who would say that is absurd, I will use my desktop calendar app when offline, since that synchronizes with Google Calendar (or whatever online calendar provide you use, if any).

But people are using fewer and fewer desktop clients for things. The GTalk in GMail and Facebook chat have replaced separate IM clients for many people. Outside of of tech circles, one almost never sees desktop e-email clients for personal use. (Though businesses still frequently use Outlook).

Re:Why Safari

[Carewolf]

And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

The "HTML5" local storage idea is one of a few trojan horses embedded into HTML5. It is mostly ignored because no one actually is planning on implementing HTML5 in its entirety, but the pure evilness of the idea has made it one of the first that Safari has implemented, and yes: It is similar to cookies, only more powerful (so they more like hash brownies, really) and by being an "experimental" feature Safari is not giving you the option to disallow them or clear them. Nasty stuff.

Re:Why Safari

Safari in Private Browsing mode completely stops Evercookie, no other browser does this yet.... yet being a couple of days ago when I was doing research.
This is why they mentioned Safari

Evercookie = Nevercookie

[the_raptor]

With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.

The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".

Re:Evercookie = Nevercookie

Because from what you just described as necessary to keep out these Evercookies, this isn't "basic steps". This is advanced knowledge of how cookies and browser technology work and interact. Four different browser specific addons should not be required to maintain privacy, and that is the point. People aren't stupid, they just don't know. Arrogance about it won't help.

Re:Evercookie = Nevercookie

[psyclone]

The problem with that method is that you still have to clear your entire cache (specifically PNG files and HTML5 local storage, though you can't pick and choose) AND browser history, even when using privacy enhancing extensions. Samy's method uses external sites for the browser history hack, but it could easily use the same domain.

I'm one of the few that likes the 'awesome bar' and I rarely use bookmarks anymore as history serves my needs, and is quicker from the keyboard too. (Versus a hierarchy of bookmarks I must mouse through.)

Perhaps we need a whitelist like system for storing history and disk cache... only allow the sites we need/want to trust.

Re:Evercookie = Nevercookie

[joe_frisch]

It takes quite a bit of knowledge to know when to allow and forbid various forms of scripting and cookies, many legitimate websites require these to be functional. (Try blocking everything with Noscript and then use lots of mainstream sights). I don't think people should need to be expert to have privacy. One of the great advantages of advanced civilizations is that the allow people to specialize, there are just too many fields for a person to be expert in everything.

Re:Evercookie = Nevercookie

Haven't you heard? Specialisation is for insects.

Re:Evercookie = Nevercookie

[maxwell+demon]

While I'm using those extensions as well, it's not something for everyone. Sometimes it can take some time to find out all things to enable so that the site works.

Re:Evercookie = Nevercookie

A few things:

1) So if say Slashdot.org is a trusted domain and they started using "evercookies" you would be affected?

2) The proper phrase should be "most people are ignorant and don't follow advanced steps to maintain their security and privacy".

Requiring 4th party add ons for a 3rd party browser would qualify as "advanced" for the vast majority of the populace.

Evercookie my ass

[Wolfling1]

Workstation rebuild every couple of months. Its a great way to scrub out those nasty zero day trade viruses too.

Re:Evercookie my ass

[MichaelKristopeit+47]

and once they log in to any service that is a member of the evercookie corporation of sites that share data, all the links are recreated.

Re:Evercookie my ass

[psyclone]

Exactly. We need to prevent the storage in the first place, just like CookieMonster does in whitelist-mode, not clean it up later.

Re:Evercookie my ass

[MichaelKristopeit+62]

you also have to turn off ALL caching, which is not always feasible, and greatly cripples many applications optimized for it's use.

the best solution is to add more garbage to the signal than not... as long as it is profitable to rely on the data, corporations will rely on the data. make the data work against them.

CCleaner to the rescue.

[DigiShaman]

For Windows PCs.

Install CCleaner. De-select the option to only remove files older than 24 hours. Flush all browser cache, temp files, and temp application items. Basically, select all except for the "Wipe Free Space" option. Reboot, run again to be sure.

Evercookie should be nuked from orbit.

Re:CCleaner to the rescue.

[geminidomino]

"Wipe free space" is pretty nice too (though not for every run).

Run it overnight once a week. :)

Ever cookie

This is no different than hacking your placing something on a computer that dont belong to you.
That the owner of said computer dont want.
You should be able to file charges.

Any attorney general not all over this is a pile of human shiit.

Killing the evercookie is easy

Just boot up a VM, with the user's home account created in ramdisk upon bootup. The rest of the system is read-only (ala diskless linux).

The evercookie is cleared upon each bootup.

Re:Killing the evercookie is easy

[dvhh]

I am pretty sure that my mom is ready to do that, and especially like the part where she can't seem to keep her bookmak

Re:Killing the evercookie is easy

[Runaway1956]

Your mom is a pretty smart chick. She can keep bookmarks in her head.

Evercookies don't exist!

Some of these comments are fun as hell. In a moving attempt to show manhood, the random slashdotter boldly states: "Heck not on my machine, y'all! I use a combination of rat poison, anthrax and a couple nukes every 3-4 days on the hard drive: the evercookie can't do anything to me"... Fun times.

Chrome removes w/out restart or 3rd-party software

While the "Evercookie" is a mildly clever way to track people who don't know how to set up their computers properly, it's far from permanent on a moderately well set-up system.

I just tested myself, in Google Chrome. I can clear the "Evercookie" from my system so it can't recognize me, without using any third-party software or extensions, and without even having to restart the browser or close any tabs except that which set the cookie. (Might not even have to close that, but couldn't be bothered trying.)

All that's required is to visit the Silverlight and Flash websites, disable local application storage, then go to Tools :: Clear Browsing Data in Chrome's menu.

Hey presto, the cookie is completely gone and can't be restored by the site. It really couldn't be a whole lot easier.

+1 Funny

[zooblethorpe]

Ah, but for mod points...

Cheers,

Not so hard...

[gmuslera]

NeoPacman just need to take the red pill, and will be ready.

Me too man

These brownies give me the munchies

Why I dont run my browser as me anymore

[DarkOx]

Its reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries, basically its only a member of users. I than give my own user account permission to run the browser as the other user with sudo.

This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.

Re:Why I dont run my browser as me anymore

[DarkOx]

replying to my own post--

  yes sometimes its a bit of a headache if I want to upload a file or anything I usually have to chmod it long enough to accomplish that and than put it back.

Re:Why I dont run my browser as me anymore

[PReDiToR]

You're not the only one doing this.

I have several browsers and several accounts on my machine.

Love Linux, hate malware.

Re:Why I dont run my browser as me anymore

[hAckz0r]

I'm not sure if you are using Linux or not (you say you have an X server), but if you are and have the right hardware you might want to look at Qubes-os.org. Each network application is made to run in its own Xen VM, with fast startup and a read only file system. Any persistence can be undone easily and reverted back to a good known state. You simply use one browser instance for banking and another for cruising the web, and neither instance can affect the other.

btw - I used to do what you are suggesting, but I added a few extra capabilities to it. First I created a SElinux locked down user account and configured an admin script using Inotify to scan the users "Download" directory, and if it found a new file it first virus scanned it, and if clean, it placed it in that users "Shared" directory. That Shared directory was read only for that restricted account, but that same directory was also mounted via sshfs into the normal users account (mine). Any files downloaded instantly (after the initial scanning) appeared into my Shared directory. All user/group permissions were automatically managed by the file mapping, and because the locked down web user was a restricted account it could not write to anything I didn't give it explicit permissions to. You can't store a cookie if you can't write to anything. What made it great was that the Inotify script kept a complete log of every read and write that the browser was attempting and I could then tweak those permissions to make it quite usable. I just place files to upload in "my" shared directory, and retrieve downloaded files from that same directory. The restricted user had only read permissions to that single shared directory, and write permissions to only what I wanted it to have. It worked great. All it needed was an icon on the desktop to do an ssh into that account to run the ff browser and nothing could escape to anywhere else on the system due to the SElinux OS permissions. Any attempt to circumvent the browser would raise all kinds of monitoring flags and ring bells (figuratively) so it was interesting to see what websites were actually doing nasty deeds.

Re:Why I dont run my browser as me anymore

[notsinge]

The user account you run your browser under makes no difference. This is about tracking you around the web. If you log into Google as your real identity, it sets a cookie (evercookie or otherwise), then every site you visit with adsense enabled marks your real identity down as having visited that site. You could be running your browser as whatever user you like in a chrooted Quebes VM all in a BSD jail and none of that will do a damn thing to stop this.

ok who has the right to place a cookie,

[Stan92057]

ok who has the right to place a cookie, that cant be deleted by the computer owner? That sound like malware to me even if its not an exe it collects data and sends the data when requested. Who would be stupid enough to place undeleteable cookies anyways? the repercussions would not be very good for there business. On a side note i don't believe web sites,business have the right to spy on where i come from or where i go outside of there site,they do however have the right to see what we do on there site. If you want information from a user ASK,don't TAKE without asking

people aren't stupid, software is stupid

why do users have to jump through FLAMING HOOPS to get privacy?
Every new "security update" brings with it unwanted features that compromise your security (webstore...)

It's not just this one researcher.

The technique he dreamed up will be copied by thousands of not-so-nice people and companies.

And since most internet users are idiots, the new evercookie system will work on >95% of computers.

All slashdot readers know how to sidestep this sort of thing.

But most non-slashdot people are clueless.

That won't work

[psyclone]

How does that prevent HTML5 local storage? How about the BrowserHistory storage? (e.g. domain/path/unique/1st-byte, domain/path/unique/2nd-byte, etc.) And CSS history storage? The most ingenious method is PNG RBG value storage! You block all images too?

I use NoScript (but I still temp-allow the primary site, otherwise why browse at all), CookieMonster in whitelist-only mode, and BetterPrivacy to delete flash LSOs on startup and shutdown. This still does not prevent the Ever Cookie.

Did anyone here read the original documentation?

Re:That won't work

[maxwell+demon]

RequestPolicy blocks anything going to third party sites (i.e. anything not from the domain in the main page's URL), unless you allow it. Unless the site relies on the external site which sets the evercookie (in which case you'll have to either allow it or just live without that site), with RequestPolicy that site will never be able to set/get evercookies because it won't ever even get contacted. That takes care of any cookie mechanism ever invented, and every cookie mechanism ever to be invented, as long as it's from a third party (which is the case you'd care most about).

Re:That won't work

[psyclone]

Correct, RequestPolicy doesn't stop the same domain, but it can block 3rd party access.

Until you allow a 3rd party site (like a major one such as facebook/google/etc). Which is just like the other whitelisting methods, except you can't clear the EverCookie by expunging select cookies/LSOs. You are forced to clear your entire history and file cache.

What sucks about the EverCookie is that there is no browser extension to selectively block or clear history or cache; so to clear them, you have to wipe everything.

That said, keeping a hard stance against even temporarily allowing remote scripts in RequestPolicy and NoScript is your best bet. Unfortunately, 3rd party scripts are nearly required these days. (E.g. loading jquery from googleapis, which could set an EverCookie.)

Re:That won't work

[maxwell+demon]

What sucks about the EverCookie is that there is no browser extension to selectively block or clear history or cache; so to clear them, you have to wipe everything.

The Web Developer extension has separate options for clearing history, cache and HTTP authentication.

Restrict write permissions in the browser?

[Reziac]

Seems to me such stuff could be defeated (or at least rendered easily findable) if the browser is only allowed to write data to certain directories regardless of what some script might wish, unless the user actively specifies elsewhere (such as to save a download). Also seems to me this could be programmed into the browser so the user need not worry about it (indeed, would not need to even know about it).

Someone will probably point out flaws in this scheme, but the concept is to make the "cure" as simple as possible.

Re:Restrict write permissions in the browser?

[ekhben]

I believe this is what you're looking for. Mac OS X has a sandbox facility built in to the kernel that allows you to specify a profile for applications to limit the system calls, and arguments to system calls, that can be made.

The two biggest flaws are that badly written applications need a ton of permissions to even work, or specific permissions that mean an attacker could do something terrible anyway; and that application updates can introduce new permission requirements, forcing you to keep the sandbox profile up to date to retain functionality.

Both could be fixed by application developers embracing the sandbox technology. Chrome for OS X uses this system facility to protect parts of itself, for example, so it's generally designed to only require a simple profile and updates include a new profile where necessary.

Safest is still a snapshotted VM that you roll back daily, but that's far from the most convenient :-)

Re:Restrict write permissions in the browser?

[Reziac]

Sounds like it's at least a good start (tho I'm not a Mac or Safari user).

Maybe best of all would be a generic sandbox that any browser could run inside of, built for each of the common OSs. I don't know how practical that is, tho as you say it probably would be a good idea if browsers were designed as a sandbox from the gitgo.

I think I'll be using the VM approach myself, if I ever move the internet connection to a more "modern" setup. One good thing about antiquity, it won't even RUN modern malware.

Simple

evercookie accomplishes this by storing the cookie data in
        several types of storage mechanisms that are available on
        the local browser. Additionally, if evercookie has found the
        user has removed any of the types of cookies in question, it
        recreates them using each mechanism available.

        Specifically, when creating a new cookie, it uses the
        following storage mechanisms when available:
          - Standard HTTP Cookies
          - Local Shared Objects (Flash Cookies)
          - Silverlight Isolated Storage
          - Storing cookies in RGB values of auto-generated, force-cached
                PNGs using HTML5 Canvas tag to read pixels (cookies) back out
          - Storing cookies in Web History
          - Storing cookies in HTTP ETags
          - Storing cookies in Web cache
          - window.name caching
          - Internet Explorer userData storage
          - HTML5 Session Storage
          - HTML5 Local Storage
          - HTML5 Global Storage
          - HTML5 Database Storage via SQLite

        TODO: adding support for:
          - Caching in HTTP Authentication
          - Using Java to produce a unique key based off of NIC info

Yeah, it doesn't get any simpler. How come browsers don't just block this with a simple line of code.

Is this an Evercookie?

[tpstigers]

I'm seeing a lot of sudden chatter about something called 'epoclick.com'. It seems to be some form of redirect. I've seen reports of it affecting Firefox and Chrome, in Windows and OS X. It sounds like an Evercookie to me. I really hope it's not a virus.

Seriously!?

[Rizzen]

This cookie is hard to remove? Really? I spent less than 5 minutes and defeated it. This thing is a joke. Just use the private browsing option in Firefox or Chrome; simple. I cannot fathom why this thing keeps getting so much attention.

Re:Seriously!?

[Carewolf]

Removing the cookie is not enough remove an ever-"cookie", it is not just a cookie, it is similar to cookie, but has multiple ways of storing itself, and if you remove the cookie part it will just recreate it based on one it's many other methods of storing user-data. The reason it is getting so much attention, is because it is really hard to get rid off, and you haven't even come close yet.

Private browsing, using a browser without the stupid HTML5 data-storage spec, disabling all caching, disabling flash, and perhaps a few extra tricks should do it though.

Re:Seriously!?

Disabling flash and clearing my cache also defeats this. Its not as "ever" as they make it out to be.

My point is that I find it hard to believe that these researches are "struggling" to figure out how to defeat it when I took me less than a minute to do so.

What about corruption?

[SeaFox]

What happens when a site requires cookies to function properly (for session tracking and such) and the the EverCookies become corrupted? You can't just tell the user to "clear out their cookies" to solve the problem. You've just permanently broken your website on that computer unless you do allow a way for a user to remove them.

Lynx

[pjt33]

From reading the list of attacks I think Lynx should be, provided you tell it not to store the "normal" cookie.

In the current form

[LinusMartensson]

as far as I can see, not all cookies have to be deleted to twarth this 'evercookie'. It seems far easier to simply swap the cookie data in accessible places, tricking the script to return erroneous data. However, this could be defeated if the cookie content was signed to prove its origins. Furthermore, I'm curious as to whether or not this type of cookie could potentially work across domains, considering the multitude of data storage methods that may not all be isolated to a single domain.

Story Updated

[notsinge]

If you're interested, I updated the entry to make the *two* problems clearer (there's a much bigger than evercookie privacy problem on the iPhone) and what I think Apple needs to do to fix it. http://singe.za.net/blog/archives/1016-Killing-the-Evercookie-Part2-MobileSafari.html

I killed the evercookie,it was easy

[Crypto+Gnome]

I just called the Cookie Monster, and let him deal with it.

cd ~; rm -rf .mozilla .macromedia - there, done.

[Viol8]

Evercookies my arse.

Solution?

[DaVince21]

Is the evercookie generator a script? Because if that's the case, you could just block the script.

Evercookie does us all a favor

[bradley13]

It might have been malware (maldata?) if the guy had sold his work to unscrupulous companies. Instead, the researcher who developed the Evercookie has done us all a favor: he published exactly what Evercookie does. This makes everyone aware of the problem, and you can bet that browsers and add-ins will address the problem soon.

Evercookie makes it clear that browsers need a central administration panel to manage all data that can be stored - directly or indirectly - by websites. I expect that the next major browser releases will include exactly this.

Add-ins like Flash are a more difficult problem: Really, they should only be allowed to store data through the browser, so that their storage can also be properly managed. However, Adobe (and Microsoft, and Apple, and...) will try to keep this off the radar screen.

Ways to kill evercookie

1) Reformat and reinstall OS
2) Restore HD backup (yes, some of us back up our data)
3) Put the browser in a sandbox and clear out the sand when you are done

Solutions 1 and 2 already work on every virus ever created.

Re:Ways to kill evercookie

[maxwell+demon]

1) Reformat and reinstall OS
2) Restore HD backup (yes, some of us back up our data)

Wouldn't you restore the evercookie as well, then?

About that Adobe Settings Panel...

[fsmithred]

From a link in the article that takes you to Jeremiah Grossman's site: http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html

3) Delete Flash Local Shared Objects (LSO)

Go got the Flash "Website Storage Settings panel"
Click "Delete all sites"
Click "Confirm"

Adobe's "Website Storage Settings Panel" does NOT remove Flash Local Shared Objects from your hard drive; it only removes them from the list that the panel shows you. Look in the following directories after you run it.
/home/$USER/.macromedia/Flash_Player/#SharedObjects/
/home/$USER/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
/home/$USER/.adobe/Flash_Player/AssetCache/

Immunity to everything

[EmagGeek]

I browse in a VM that reverts all disk changes when it is powered off.

Fun for Tinfoil Hat Wearers and Spooks

[h00manist]

Tinfoil hat owners, spooks and company are likely busy with this stuff. People are never concerned of course - they are protected by their privacy laws -- on paper. In practice,all sorts of illegal data is *never* secretly collected by *any* weird groups, who *always* abide by all laws, and are *never* made available under *any* negotiated secret agreements or channels. Such backroom agreements and channels don't even exist, except in the minds of tinfoil hat, paranoid weird people's fertile imagination. Everyone on this side has their rights protected, except the enemy of this side and the other sides.

turn the tables

[Gnaythan1]

can you modify this evercookie to do something interesting to the database that's accessing it? after all its on YOUR computer, and you don't want it. you tried to delete it, but it came back. seems to be fair game to make it do what YOU want.

Re:turn the tables

[Whyte+Panther]

Given that all these cookies likely do is tell the server you are acessing "I'm unique user #138756918", and are REALLY good at remembering that number, I doubt there's much you can do to mess with their servers. All the data about what it means to be unique user #138756918 is kept as far away from you as possible.

FYI

[tunapez]

Malware (also: scumware), short for malicious software, is software designed to secretly access a computer system without the owner's informed consent.

This is the point where

[Phred+T.+Magnificent]

This is the point where it starts to make sense to browse from a VMWare instance, and roll back to a prior snapshot afterward. Or, to browse from a Kubuntu live CD session. Etc...

Solution

[Fuzzums]

I only browse with a virtual machine that is copied from a clean original every day ;)

What needs to be killed...

Is samy kamkar, apparently

To defeat evercookie

Why not just call ec.set on the tracking item's name and let the evercookie code do the unique ID stomping for you?