Nevercookie Eats Evercookies
wiredmikey writes "Anonymizer, Inc. has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a JavaScript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. The plugin extends Firefox's private browsing mode by preventing Evercookies from identifying and tracking users."
In development now: ForeverEverCookies, then NeverNeverCookies, then SuperCantTouchThisCookie, then ImGonnaEatYourDamnCookiesForBreakfast.
Liberal? Conservative? Compare perspectives at Left-Right
The company says that Nevercookie will be available as a free download later this month.
Premature story.
I look forward to reading this exact same story, except with details, in less than a month.
I live in constant fear of the Coming of the Red Spiders.
I hope that this "Nevercookie" addresses the issues raised by "Evercookie" in a systematic way, rather than just defeating Evercookie point-by-point.
Evercookie's creator explicitly noted that his work was a simple proof of concept, cooked up fairly quickly, as a way of raising the issue of covert persistent data storage on the web. He further noted that people who actually do evil for a living are probably at least as creative as he is, and have a whole lot more time to work on the problem. Simply defeating Evercookie, as released, will probably save you from a few of whatever the analytics world's equivalent of a script-kiddie is; but will do next to nothing against the issues that Evercookie was designed merely to demonstrate...
I just use Linux for most of my surfing, but light VMs are very easy to set up and worth doing for the education.
I like Portable VirtualBox for Windows use because I can make a self-extracting .rar of the complete program with VMs for backup:
http://www.dedoimedo.com/computers/portable-virtualbox.html
Grab a light Linux distro like DSL (small download, speedy performance), and install to VM from the .iso:
http://www.damnsmalllinux.org/
You can then play with MANY operating systems, and if they screw up, delete their VM. If you have bigger problems, reload by extracting the backup. :)
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
My name is Geoff and I created "nevercookie". I'm a researcher at Anonymizer. I can assure you all that it is not vaporware; it works and has been pretty thoroughly tested. It's just that marketing wants to brand it and make it all slick before we release it to the general public (which should be in a week or two). I've sent out a few beta versions for friends in the security field to test out, and I might be able to send out a few more if anyone is interested in field testing it early (I'll ask my boss).
To address concerns about how it works: it's pretty simple, actually. When private browsing mode in Firefox is initiated, the external data storage of Flash and Silverlight is quarantined. This is done because the browser normally can't touch these things, because they are browser independent; this is the most obvious place that an evercookie can respawn from (unless you clean it manually). Then a clean, temporary user profile is spawned for the current browsing session, eliminating any lingering cached data. There's actually a decent explanation here: http://www.anonymizer.com/learningcenter/#lc_labs
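The two steps described in the comment above (quarantine plugin storage, then browse in a throwaway profile), sketched as an added shell example; it is not Anonymizer's code and not part of the comment. The Flash storage path, the function names, and the choice to restore the quarantined data after the session are assumptions.

```sh
#!/bin/sh
# Added sketch, not Nevercookie's code: hide plugin storage, browse in a
# throwaway profile, then put the storage back.

# Assumed Linux location of Flash Local Shared Objects. Other stores (for
# example a Silverlight isolated-storage directory) are passed as arguments.
FLASH_LSO="$HOME/.macromedia/Flash_Player/#SharedObjects"

# quarantine_store STORE DEST: move STORE aside to DEST and leave an empty
# directory in its place, so plugins start the session with no saved objects.
quarantine_store() {
  [ -d "$1" ] || return 0                  # nothing stored, nothing to hide
  mv -- "$1" "$2" && mkdir -p -- "$1"
}

# restore_store STORE DEST: discard what the session wrote into STORE and
# move the quarantined copy back (assumption: "quarantined" means set aside
# for the session, not deleted).
restore_store() {
  [ -d "$2" ] || return 0
  rm -rf -- "$1" && mv -- "$2" "$1"
}

# private_session BROWSER [STORE...]: run BROWSER on a fresh temporary profile
# with every STORE quarantined. The body is a subshell, so its variables do
# not leak into the caller.
private_session() (
  browser=$1; shift
  [ $# -gt 0 ] || set -- "$FLASH_LSO"
  profile=$(mktemp -d) && qdir=$(mktemp -d) || exit 1
  i=0
  for store in "$@"; do quarantine_store "$store" "$qdir/$i"; i=$((i + 1)); done
  rc=0
  # -no-remote and -profile are Firefox command-line options: start a separate
  # instance and use the given directory as its profile.
  "$browser" -no-remote -profile "$profile" || rc=$?
  i=0
  for store in "$@"; do restore_store "$store" "$qdir/$i"; i=$((i + 1)); done
  rm -rf -- "$profile"
  # rmdir only succeeds if every quarantined store was moved back.
  rmdir -- "$qdir" || echo "unrestored data left in $qdir" >&2
  exit "$rc"
)

# Usage: private_session firefox "$FLASH_LSO"
```

If the browser process is killed, the original plugin data stays in the quarantine directory rather than being deleted, so it can be moved back by hand.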