Beta Version of Nevercookie Released

wiredmikey writes "Anonymizer has released a beta version of Nevercookie, the recently announced Firefox plugin designed to protect against the Evercookie, a JavaScript API built and made available to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. Evercookie is a more persistent form of cookie that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage."

Excellent..

[Lanteran]

but as usual, only the technologically inclined who also care about privacy will use it. That is, not many.

Re:Excellent..

[phantomcircuit]

Or it will get integrated into Firefox's private browsing feature.

Re:Excellent..

[MoonBuggy]

Which would be a step in the right direction, but is also probably only used by a small subset of technologically inclined people.

Fact is, rightly or wrongly, most people just don't care that much. Much as I'd like to be browsing everything via SSL and stringently choosing when to release any trackable data, even I wonder whether it really matters.

The idea of government tracking chills me to the bone - they have a vested interest in suppressing certain ideas and the power to do so somewhat effectively - and it's absolutely true that corporations can be similarly dangerous if they grow out of control. When the only practical upshot I see, however, is that doing a search to check the dimensions of a shipping container has immediately convinced the ads on a multitude of sites that I want to buy one of the damn things, the worry eases a bit. Maybe I'm wrong, maybe we're heading towards some corporate dystopia complete with RFID implants (far trendier than those outdated barcode tattoos). Maybe people's natural greed & incompetence will bring it all crashing down and save us all. Maybe, by some miracle, it'll even be their general better nature that does it.

For the moment, though, I can see why people don't really care that they're being tracked.

Re:Excellent..

[wiredmikey]

Thats what I'm thinking....Just integrate more advanced controls and "cleaning" options built into the browser core itself...

Re:Excellent..

[asa]

It's worth remembering that everything a corporation tracks and stores is subject to subpoena or outright theft by the US Government. Tracking isn't ephemeral. There are increasingly large "profiles" of you being stored in databases of some very large corporations and if you really believe that those are safe and secure from prying eyes, whether it's employees of those companies, insurance companies that want nothing more than can charge you more or drop your policy, or government agencies who are convinced you're a threat to national security, you're sadly mistaken.

Re:Excellent..

Or it will get integrated into Firefox's private browsing feature.

...which might be complicating things. External anonymity (web sites can't track me) from internal deniability (browsing history not retained for later inspection by police/employer/spouse) need to be treated separately.

Re:Excellent..

Or it will get integrated into Firefox's private browsing feature.

Are you saying it is so licensed that would be possible? Otherwise another implementation is needed.

Cat and mouse

How long till EverEverCookie?

But kudos to the developers and ff (I am sure other browsers are not too far).

Re:Cat and mouse

That's what NeverEverNeverEverCookie is for.

Re:Cat and mouse

[Dogun]

Trace busta-busta-busta!

Re:Cat and mouse

Nice

Re:Cat and mouse

[qubezz]

yo, that's why I gots this trace-busta busta!

First Posting as Anonymous Coward

Not that it matters...

Re:First Posting as Anonymous Coward

[93+Escort+Wagon]

Wrong! Hi John - how's that infected toe doing?

Re:First Posting as Anonymous Coward

Ugh, the worst thing happened. The infection has spread to my scrotum. I knew I should've never demonstrated how I can scratch with my..... wait a minute.

unique?

How is this extension different from similar privacy enforcing extensions?

If you don't want to be tracked

[igreaterthanu]

Browse the internet in a virtual machine and reset the changes to the virtual hard disk afterwards. I'd like to see them get around that!

Re:If you don't want to be tracked

[blahplusplus]

Problem is if you have a relatively fixed IP (and many do) they can track you via IP and domain name, cookies aren't the only way to track you.

Re:If you don't want to be tracked

[Dogun]

EFF's Panopticlick demonstrates that IP mobility is only a start, too.

The right way to be free is either to be an evil haxxor criminal who steals machine time

or

To have very stock machines and VMs dedicated to individual privacy-intensive applications, and never cross the streams.

Ignoring extremely determined opponents, though, finding effective ways to defeat advances in craplets and cookies is a very good start, though.

Re:If you don't want to be tracked

[BradleyUffner]

http://linuxers.org/article/browser-fingerprinting-technique-identify-users-without-using-cookies

Re:If you don't want to be tracked

[asa]

They can fingerprint you based on your OS, system fonts, plug-ins, IP address, screen resolution and other exposed hardware capabilities, time zone, etc. Then they can surveil you as you move around the Web and increase the strength of that fingerprint based on the sites you visit that are in their "network" (think about how many properties Google owns from search to gmail to docs to youtube to blogger but then remember also that they can see you at non-googel sites because of adsense and google analytics and youtube embeds and feedburner and sites with re-captcha or google checkout or maps mash-ups or google's site-specific searches.

You are not anonymous, even if you rebuild your VM every day. You'd have to randomize all the features of your OS and your browser and then you'd have to reboot between pretty much every website you visit.

Re:If you don't want to be tracked

[Frankie70]

Browse the internet in a virtual machine and reset the changes to the virtual hard disk afterwards. I'd like to see them get around that!

No need to have a virtual machine for this. You can browse in the 'InPrivate Browsing" mode in IE8 which does the same thing.

Re:If you don't want to be tracked

theoretically someone could also write a plugin or addon that would modify the guest additions on your VM guest to phone back to the host and store shit, so a wiped machine might not do it.

Re:If you don't want to be tracked

[I'll+never+remember]

EverCookies don't care about "InPrivate Browsing" - that is the point of them.

Re:If you don't want to be tracked

[Anachragnome]

"You'd have to randomize all the features of your OS and your browser and then you'd have to reboot between pretty much every website you visit."

Precisely why I simply sneak into my neighbors' houses and use their devices to do my nefarious deeds on the Internet.

Of course my plan will be foiled when an anomalous trend of interest in infectious diseases, video games and free thumbnail porn presents itself in geographic disproportion and is noticed by a Google algorithm specifically designed to search out such anomalies and exploit them for data-mining purposes.
>
>
>
>>>>>Posted on my neighbors iPhone!

Re:If you don't want to be tracked

[gabbott]

I also wrote a prototype http header manipulation program a while back and want to expand it to full fingerprint manipulation. One of the thoughts I have been tossing around is setting the fingerprint to look like a system that has pretty much no configuration options (like an ipod), then adjust the web content client side. There are many devices out there that in terms of configuration and system fonts pretty much all look the same. Of course it will always be an ongoing battle.

Re:If you don't want to be tracked

[shnull]

I was just wondering if you can somehow 'spoof' a different kind of hardware setup from within a virtual machine, your project sounds like a very interesting tool, sir.

A useful virus

[girlintraining]

For just once, can someone design a trojan/worm that updates browsers to include useful addons like this instead of trying to steal banking information? Just sayin'.

Re:A useful virus

[L4t3r4lu5]

Yeah. That kind of thinking worked well for the Welchia worm

Nostrodamus eat your heart out

[goldaryn]

I could say what I always say about Privoxy. But it never sinks in, so instead here's an amusing link

How did we get into this mess?

You could always disable cookies. Then the website requires cookies, and if you really want to use it, you accept cookies. The browsers could have had a setting that said, "delete cookies when navigating away from a domain in this list", but they didn't do that. So. I guess that's how we got into this mess.

As for browsers allowing a cookie to set stuff in obscure locations all over the system; that sounds like a bug that should have been fixed a long time ago. As for allowing 3rd parties to access cookies, that also seems like a bug--unless you also controlled that with another list. Yes. It should be a PiTA for users to have to modify a list in order to make your site work. That way, maybe you'll stop being a douche. Maybe.

Pass the popcorn

[stand]

It's going to be fun to watch the back and forth between evercookie and the anti-evercookie.

Re:Pass the popcorn

Well, if you are dumb enough to install the anti-evercookie plugin, you deserve what you get.

Re:Pass the popcorn

That doesn't make any sense.

Keep your hands to yourself.

[westlake]

For just once, can someone design a trojan/worm that updates browsers to include useful addons like this instead of trying to steal banking information? Just sayin'.

Tell me how you quarantee an innocent and useful payload.

Tell me why geek the who unleashes a trojan has won the right to decide how users should manage their systems.

Re:Keep your hands to yourself.

[girlintraining]

Tell me why geek the who unleashes a trojan has won the right to decide how users should manage their systems.

You would rather have a 500 page government mandate, oversight committee, legion of overpriced crappy software products designed to cure said artificial problem, and large numbers of cheap knock-offs stuffed with malware and advertisements to do it instead?

Re:Keep your hands to yourself.

[The+Mighty+Buzzard]

Of course. Someone has to keep local computer repair shops in business. Call it a cluelessness tax if you like.

Re:Keep your hands to yourself.

Presumably the hacker producing this virus/trojan is competent enough to verify what it does. Of course they don't actually have the right to do this, but if a user leaves their computer vulnerable to attack, then a benevolent virus/trojan that secures the computer from malcious attacks and protects them from unwanted surveilance isn't really a bad thing, if the user cares they should keep their computer secure.

blargh

[gabbott]

Yeah, for the full privacy package you should combine this extension with an anonymizing proxy that you trust. As far as the panopticlick browser fingerprinting issue, I hope to integrate browser fingerprint manipulation into later versions of Nevercookie. This project is my 20 at work, we get 20% of our time for side projects. And yes, I expect Samy to counter with additional features to Evercookie, I'd be sad if he didn't :P.

SeaMonkey

[Meneth]

This plugin is not yet compatible with SeaMonkey. Someone should fix that.

Delete all the cookies you want

[mysidia]

Your system's clock skew fingerprint will give you away, with a tiny bit of Javascript. Who needs cookies, when your computer has intrinsic characteristics / artifacts from manufacturing that uniquely identify it?

Re:Delete all the cookies you want

"with a tiny bit of Javascript"

There's your problem!

Nobody in their right mind who cares about privacy is going to run random javascript without having any clue what it does.

Re:Delete all the cookies you want

luckily 99% of the internet could give a crap about privacy.

Re:Delete all the cookies you want

[asa]

Nobody in their right mind who cares about privacy is going to run random javascript without having any clue what it does.

Not really true. Even people who run with JS disabled and only enable it for specific sites where they consider it useful or necessary mostly don't inspect that JS to see what it's doing. And, there are plenty of people who think they care about privacy who don't even know that JS is a threat. Many think "well, I cleared my cookies, that's good enough." These people are both in their right mind and care about privacy. They just don't, and shouldn't be expected, to know how to, and for every site they visit, decipher a dozen JavaScript files.

Are you suggesting that these people don't deserve privacy?

Re:Delete all the cookies you want

[Charliemopps]

http://blog.haite.ch/2009/06/16/1245172320000.html

Re:Delete all the cookies you want

[Dogun]

This is like the billionth time I've posted it but...

JAVASCRIPT IS THE DEATH OF THE WEB

Re:Delete all the cookies you want

[mysidia]

Disabling TCP timestamps doesn't remove the underlying problem, or prevent a Javascript from discovering the local system clock's fingerprint.

You would need to modify the Javascript interpreter for that and somehow introduce unpredictable amounts of 'error' in timing operations.

And modifying the Flash interpreter would be nigh impossible, since only Adobe has the source code

Re:Delete all the cookies you want

"Are you suggesting that these people don't deserve privacy?"

Whether they deserve it or not, they're not going to get it as long as they act in a manner inconsistent with that goal.

Re:Delete all the cookies you want

[Jah-Wren+Ryel]

Or modify the OS clock functions. Few people need that level of precision and a smart modification could average out to zero deviation over the long term. One could even an add an interface to remove skew randomization for specific processes that way the user who cares about such things could "fix" it on a case by case basis.

Re:Delete all the cookies you want

[erroneus]

Yes, that is precisely what he is saying. There are people out there who think it should be perfectly acceptable to sniff wireless to collect data simply because it's out there or that the encryption wasn't strong enough.

The reality is that this sort of arms race can escalate indefinitely --> new techniques followed by new counter-measures followed by newer techniques and on and on. People who keep up will continue to diminish in numbers until "critical mass" has been achieved (which it already has I am sure). What does this "critical mass" mean? Simply put, it means enough of a majority is vulnerable that it no longer matters how well protected you are as an individual as your minority status makes you vulnerable in other ways.

Let's take, for example, an "anti-violence survivalist" I once had conversation with. She was all about raising one's own food and maintaining stockpiles of food and water. It's all a very good idea for many reasons, but she failed to follow through with her ideas. Her ideals do not permit her to defend herself or her resources. So, in the event of disaster, her unprotected resources will be snatched up by the first person to come along who has no issues with taking what they want... and there are LOTS of people like that.

What I am getting at is it is good only to a point to protect one's self individually. But if the whole community is not protecting themselves, then the whole community is vulnerable. We are communities as well as individuals and the more we fail to realize and appreciate that fact, the more vulnerable we all are.

Re:Delete all the cookies you want

[Khopesh]

NTP solves that issue. If you're extra paranoid, sync your clock more often. If you're extra extra paranoid disable your ntp daemon and put this in root's crontab instead:

SHELL=/bin/bash
*/15 * * * * sleep $(($RANDOM%900)) && ntpdate pool.ntp.org

This syncs your clock every fifteen minutes with a random delay of fifteen minutes. It is also overkill.

Also note that while tor continues to be slow as molasses, its latency may help defeat this kind of identification for any properly synched system clock.

Re:Delete all the cookies you want

[mysidia]

Periodically stepping your clock is pretty bad, will break a number of applications, especially when NTP steps your clock backwards, it does not erase fingerprints. And 'ntpdate' is only really meant to set your clock initially when it is still too far off to sync, once your clock is accurate, you should start the NTP daemon.

Anyways, NTP and ntpdate will not be able to hide the signature. There are sub-second timing methods available to Javascript that do not rely on the time reflected by the system clock.

Stepping the clock directly may even reduce the noise, making the fingerprint clearer after it has been stepped. Note the Javascript Date objects have millisecond resolution, and some sites and javascript pages, particularly games, rely on fairly precise timekeeping.

Note the abstract linked stated "Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP” "

Re:Delete all the cookies you want

[Khopesh]

hm, that's a really old story (I had assumed it was new because I saw I somewhere else today as well) dating back to 2005. Here's the full abstract with links to the full paper in PDF: http://www.cs.washington.edu/homes/yoshi/papers/PDF/

I see no sample code, and the paper was too verbose for me to quickly skim to find how it does its measurements, but the conclusion sticks out a bit:

Although the techniques we described will likely remain applicable to current generation systems, we suspect that future generation security systems might offer countermeasures to resist some of the finger-printing techniques that we uncover.

I think five years counts as more than fair with respect to a 'future generation' or two. Even if the paper was being overly optimistic about its own impact (which was probably the case...), system bus speeds have radically improved since the Pentium 4's quad-pumped 100MHz and the CPU die size shrank from 90nm to 45nm and are about to hit 32nm; it remains unclear whether or not those and similar improvements have increased the clock precision to a level that is surpassed by noise that might render this fingerprinting method ineffective.

Isolated browsing

[Skapare]

I have been using, for many years, a script that was originally intended to defeat Firefox's attempt to always run all browser windows under the same process. The method used is to create a fake home directory and populate it with some data that was derived from a "first run" of Firefox. The script applies a few tweaks to make the paths match the dynamically generated fake home directory. Firefox believes it is the home directory. It doesn't go so far to double check this in /etc/passwd or such ... why would Firefox want to be that pedantic. If I had to, I could go a step further and defeat even that.

The intent of that script was to keep Firefox from getting overly bloated by allowing me to full quit (exit the process) for each site visited, without killing the windows of other sites I am still currently visiting. In some cases, some sites have triggered bugs, or caused lockups. I can kill the browser for that site (if it didn't crash on its own), still keeping the windows of other sites. It might seem counter-intuitive to many, but this does work to keep the bloat level down. At least it does so with my style of browsing (I keep a number of individual sites up in a browser sometimes for weeks).

One effect I did notice early on is that tracking was not happening if I quit a browser for one site and later started a new one to return. All the old cookies disappeared when the reaper component of the script cleaned up the leftover fake home directories. Cross site tracking wasn't happening as long as I started a new browser for each site, which I usually did, except when following links (in which case, they can get a referrer URL which I have not yet bothered to suppress). Referrers are sometimes useful (like to get a special pass through a paywall when coming from a partner site).

If it turns out that Firefox is so leaky that cookies can be placed outside of the context of the fake home directory, then I'll just have to raise the stakes and use a chroot directory (definitely not secure once arbitrary code can be run), or go even further and use either BSD Jails or Linux Containers (LXC, based on kernel cgroups). That will just mean I have to hard link in some more libraries from a read-only bind mount or some such thing. Maybe I'd even have to make truly real home directories for user dynamically added to /etc/passwd or something. It might add several milliseconds to the Firefox start time. Hopefully, if that happens, the Firefox developers will realize they have holes and get them fixed.

In any event, there's plenty more room to raise even higher walls between instances, even concurrently, of Firefox. We'll go where we need to go. There's only so far that the scumbag versions of web developers can go with this.

Re:Isolated browsing

Actually, I am one of those 'scum bag developers' that uses tracking technology to prevent cheating on an HTTP browser based mmorpg.

What you describe is not enough. You need to consider fingerprinting (use any extensions? you're probably easy to identify! Keep a website history at all? More info if you run javascript!) And, of course, there is the IP problem, but I'm sure you've considered something that basic.

Needless to say, the only way to cheat on this mmorpg is to forge headers... and good luck having any fun with that one!

Re:Isolated browsing

Needless to say, the only way to cheat on this mmorpg is to forge headers... and good luck having any fun with that one!

Yeah, because nobody here knows how to install a virtual machine, and we're all too cheap to buy a second gaming computer.

Keep on telling yourself that your job is worthwhile, and the cheaters will keep on cheating your game in ways you cannot detect.

p.s. As one MMOG dev to another, here's a free tip: cheating happens. Period. You're better off fixing the game's reward system to make it not worthwhile to cheat.

Re:Isolated browsing

I find it hard to imagine a reward system where cheating is not worthwhile... at least not without changing the type of game that it is. Anything with any competition (ranked) or interaction (as long as there is a communication channel) or accumulation of stats/objects (collecting) there will be motive to cheat.

Re:Isolated browsing

[Jah-Wren+Ryel]

If it turns out that Firefox is so leaky that cookies can be placed outside of the context of the fake home directory, then I'll just have to raise the stakes and use a chroot directory (definitely not secure once arbitrary code can be run),

(A) Flash cookies go in ~/.macromedia - I haven't played with changing $HOME yet to see if that is sufficient to make flash use different .macromedia directories, instead I use the BetterPrivacy plugin set to wipe flash cookies older than 5 minutes.

(B) Why do you think chroot is vulnerable to arbitrary code? AFAIK only root can break out of a chroot.

(C) Much, if not all, of what you describe can be done with firefox profiles. I run firefox with the "-no-remote -ProfileManager" arguments to get different config and storage (cache/cookies/plugins/etc) options.

Re:Isolated browsing

[Skapare]

Basic tracking within the site is not my real concern. If you have users login, you can also track them quite well by that means. Isn't that good enough?

I am concerned about cross-site tracking. I'm concerned about a lot of other things like browsers getting too obese because they let their memory get and stay fragmented. A lot of the solutions are the same. And a lot of the solutions can impact things like tracking within the site.

Where intra-site tracking can be a problem is methods you develop that can be used cross-site as well. That pretty much assures that solutions against cross-site will impact intra-site.

As for headers, some proxies do have some limited means to change them. Further, once a proxy is used, all the surfing is going over a single connection that means it easier to inject a filter along the way.

Online games are not my concern. I don't play them. I can understand the problems you do have. My suggestions are few, but they do include the big one of "get away from HTTP". Maybe try VNC?

Re:Isolated browsing

[Skapare]

And once you are running arbitrary code, finding ways to be root are within possibility. Not every program around is bug free.

BTW, I did use Firefox profiles, and it didn't work for what I was trying to do (which was NOT to block tracking). My solution did work. It just happened to have the side effect of disrupting tracking outside of the scope of how long one instance of the browser was allowed to run. Sure, my 40 days old browser process I access Slashdot with can let Slashdot track me around. But then, I'm also logged in to Slashdot, too. But at least I can stay logged in quite a while here and don't have to get bumped off because some other web site decides to trigger a bunch of browser bugs or fill the DOM up with a bazillion objects.

I do suspect containers and virtual machines to isolate browsing is a real possibility, soon.

Re:Isolated browsing

The proof SENMACE are in control of the governments around the world is contained in the fact [s illustrated in this article and its comments] that spying by the use of invasive tracking technology remains both legal and not actionable for tort damages is found in the lack of any congressional action to terminate these practices and to make the use of data obtained by invasion or digital premisese punishable by both a jail term and a fine equal to the net worth of the company or person who use its.

Profile Proliferation

Started using it and had 2 new profiles each time I used private browsing mode. They weren't deleted. As someone who uses multiple profiles regularly, this is a dealbreaker. Nice idea, needs some work.

Not compatible with FF 4.0 (beta 6)

[penguin_dance]

Not sure about earlier versions of 4.0, but it comes up as not compatible with Beta 6.

Re:Not compatible with FF 4.0 (beta 6)

[gabbott]

Not sure about earlier versions of 4.0, but it comes up as not compatible with Beta 6.

Yes, it's not compatible with FF 4. I did this because I haven't had time to test it with that version. This is simply a limitation I put into the install.rdf file. If you want to give it a try on FF 4 you can download the extension, rename it to .zip and open it up. Edit the install.rdf file and change this line: 3.9.* to something like 9.9.* or whatever you like. Zip the contents back up (do not zip the parent directory, you want to be zipping up content, locale, etc into one archive). If you zip it in a parent directory it won't work. Then just rename the extension to .xpi again and try to install it. It's entirely possible it will work, but I just haven't gotten around to testing it with 4 and I know there are a bunch of changes. Let me know how it goes ;)

Re:Not compatible with FF 4.0 (beta 6)

[gabbott]

It didn't like some of the xul I put in there.. where it says this line: it should have a xml like tag called maxVersion.

Why doesn't Firefox just block evercookies?

Unless I'm reading this the wrong way, evercookies can exist because of flaws in HTML processing. So, why not do something to fill that hole instead of sticking a band-aid on it in the form of Nevercookie?

Re:Why doesn't Firefox just block evercookies?

[geminidomino]

So, why not do something to fill that hole instead of sticking a band-aid on it in the form of Nevercookie?

<mode type='cynical'>
Because that would endanger their Google funding?
</mode>

Re:Why doesn't Firefox just block evercookies?

[Khopesh]

Unless I'm reading this the wrong way, evercookies can exist because of flaws in HTML processing. So, why not do something to fill that hole instead of sticking a band-aid on it in the form of Nevercookie?

Flash isn't Mozilla's fault, so Firefox can't "fix" its persistent cookies (though you can nuke Flash cookies with cron).

As to the HTML5 pieces ... it's typical that an add-on implements something before Mozilla proper. This serves as a proof-of-concept and side-steps the pains of the Mozilla Foundation's development cycle. It also serves as a way to prove desirability. There's nothing preventing this from getting pushed into the Mozilla core later on. I hope it does.

Re:Why doesn't Firefox just block evercookies?

I think Evercookie actually utilises Javascript and various HTML features (and Flash and Silverlight if available). I don't think the Firefox devs could stop it without breaking compatibility with sites that use those features. That is why it is better done as an extension.

Simple solution unwanted by some

They can fingerprint you based on your OS, system fonts, plug-ins, IP address, screen resolution and other exposed hardware capabilities, time zone, etc.

Yes, nothing new in any of them, and of course it would be trivial to block all of them in the browser at a user's option (this misfeature of web standards be damned). So when is Mozilla going to provide a blocker option for users who want to close off all of those information leaking holes in the browser? Ah, I forgot Mozilla is completely corrupted by Google's sponsorship of Mozilla, they love information leaking channels like these, so they will not bite the hand that feeds (and we'll hear more of the usual vaguely plausible excuses as to why they can't and shouldn't). Hah!

BetterPrivacy

I've been using the extension "Better Privacy" to kill the so-called 'super cookie' since the beginning of August this summer, works great.

Note to mods- if you're going to accept a story about cookie killers, at least find one that lists more than one specific piece of software. These aren't the only two extensions out there either.

Novell Moonlight plugin

Why does this site prompt to install Novell Moonlight plugin from the mono-project.com site, on Mozilla Firefox 3.6.

Response paper: Skewmask

[Khopesh]

Here's a paper from 2007 (two years after the one we're discussing) demonstrating how to mask your skew: Skewmask: Frustrating Clock Skew Fingerprinting Attempts

Your Browser Sucks!

The real problem is that your browser sucks! A decent browser would not allow a website(remote attacker) to execute malicious code(all remote code is malicious) or write data in unauthorized places. The browser should completely jail whatever happens within it. I realize that it's all about features but, the problem with features is flaws like this.

If the browser allows writing of data even via Java to the local drive, it should be jailed and in turn eliminated by Private Browsing mode. It should also be wiped by clearing the cache. Why must I still manually delete ~/.adobe and ~/.macromedia as well as all the other usual suspects?

Your browser sucks! Mine too!

How to win the privacy war...

[hallux.sinister]

Use a read-only drive for your OS, such as booting from a live Linux distro, then websurf from there. When you're done, turn off the computer. Poof. Histroy, cookies, flashcookies, 'nillacookies, all gone. :)