Slashdot Mirror
Beta Version of Nevercookie Released
wiredmikey writes "Anonymizer has released a beta version of Nevercookie, the recently announced Firefox plugin designed to protect against the Evercookie, a JavaScript API built and made available to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. Evercookie is a more persistent form of cookie that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage."
Or it will get integrated into Firefox's private browsing feature.
Browse the internet in a virtual machine and reset the changes to the virtual hard disk afterwards. I'd like to see them get around that!
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
It's going to be fun to watch the back and forth between evercookie and the anti-evercookie.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
Which would be a step in the right direction, but is also probably only used by a small subset of technologically inclined people.
Fact is, rightly or wrongly, most people just don't care that much. Much as I'd like to be browsing everything via SSL and stringently choosing when to release any trackable data, even I wonder whether it really matters.
The idea of government tracking chills me to the bone - they have a vested interest in suppressing certain ideas and the power to do so somewhat effectively - and it's absolutely true that corporations can be similarly dangerous if they grow out of control. When the only practical upshot I see, however, is that doing a search to check the dimensions of a shipping container has immediately convinced the ads on a multitude of sites that I want to buy one of the damn things, the worry eases a bit. Maybe I'm wrong, maybe we're heading towards some corporate dystopia complete with RFID implants (far trendier than those outdated barcode tattoos). Maybe people's natural greed & incompetence will bring it all crashing down and save us all. Maybe, by some miracle, it'll even be their general better nature that does it.
For the moment, though, I can see why people don't really care that they're being tracked.
This plugin is not yet compatible with SeaMonkey. Someone should fix that.
I have been using, for many years, a script that was originally intended to defeat Firefox's attempt to always run all browser windows under the same process. The method used is to create a fake home directory and populate it with some data that was derived from a "first run" of Firefox. The script applies a few tweaks to make the paths match the dynamically generated fake home directory. Firefox believes it is the home directory. It doesn't go so far to double check this in /etc/passwd or such ... why would Firefox want to be that pedantic. If I had to, I could go a step further and defeat even that.
The intent of that script was to keep Firefox from getting overly bloated by allowing me to full quit (exit the process) for each site visited, without killing the windows of other sites I am still currently visiting. In some cases, some sites have triggered bugs, or caused lockups. I can kill the browser for that site (if it didn't crash on its own), still keeping the windows of other sites. It might seem counter-intuitive to many, but this does work to keep the bloat level down. At least it does so with my style of browsing (I keep a number of individual sites up in a browser sometimes for weeks).
One effect I did notice early on is that tracking was not happening if I quit a browser for one site and later started a new one to return. All the old cookies disappeared when the reaper component of the script cleaned up the leftover fake home directories. Cross site tracking wasn't happening as long as I started a new browser for each site, which I usually did, except when following links (in which case, they can get a referrer URL which I have not yet bothered to suppress). Referrers are sometimes useful (like to get a special pass through a paywall when coming from a partner site).
If it turns out that Firefox is so leaky that cookies can be placed outside of the context of the fake home directory, then I'll just have to raise the stakes and use a chroot directory (definitely not secure once arbitrary code can be run), or go even further and use either BSD Jails or Linux Containers (LXC, based on kernel cgroups). That will just mean I have to hard link in some more libraries from a read-only bind mount or some such thing. Maybe I'd even have to make truly real home directories for user dynamically added to /etc/passwd or something. It might add several milliseconds to the Firefox start time. Hopefully, if that happens, the Firefox developers will realize they have holes and get them fixed.
In any event, there's plenty more room to raise even higher walls between instances, even concurrently, of Firefox. We'll go where we need to go. There's only so far that the scumbag versions of web developers can go with this.
now we need to go OSS in diesel cars
Nobody in their right mind who cares about privacy is going to run random javascript without having any clue what it does.
Not really true. Even people who run with JS disabled and only enable it for specific sites where they consider it useful or necessary mostly don't inspect that JS to see what it's doing. And, there are plenty of people who think they care about privacy who don't even know that JS is a threat. Many think "well, I cleared my cookies, that's good enough." These people are both in their right mind and care about privacy. They just don't, and shouldn't be expected, to know how to, and for every site they visit, decipher a dozen JavaScript files.
Are you suggesting that these people don't deserve privacy?
I've been using the extension "Better Privacy" to kill the so-called 'super cookie' since the beginning of August this summer, works great.
Note to mods- if you're going to accept a story about cookie killers, at least find one that lists more than one specific piece of software. These aren't the only two extensions out there either.
Yes, that is precisely what he is saying. There are people out there who think it should be perfectly acceptable to sniff wireless to collect data simply because it's out there or that the encryption wasn't strong enough.
The reality is that this sort of arms race can escalate indefinitely --> new techniques followed by new counter-measures followed by newer techniques and on and on. People who keep up will continue to diminish in numbers until "critical mass" has been achieved (which it already has I am sure). What does this "critical mass" mean? Simply put, it means enough of a majority is vulnerable that it no longer matters how well protected you are as an individual as your minority status makes you vulnerable in other ways.
Let's take, for example, an "anti-violence survivalist" I once had conversation with. She was all about raising one's own food and maintaining stockpiles of food and water. It's all a very good idea for many reasons, but she failed to follow through with her ideas. Her ideals do not permit her to defend herself or her resources. So, in the event of disaster, her unprotected resources will be snatched up by the first person to come along who has no issues with taking what they want... and there are LOTS of people like that.
What I am getting at is it is good only to a point to protect one's self individually. But if the whole community is not protecting themselves, then the whole community is vulnerable. We are communities as well as individuals and the more we fail to realize and appreciate that fact, the more vulnerable we all are.
NTP solves that issue. If you're extra paranoid, sync your clock more often. If you're extra extra paranoid disable your ntp daemon and put this in root's crontab instead:
SHELL=/bin/bash
*/15 * * * * sleep $(($RANDOM%900)) && ntpdate pool.ntp.org
This syncs your clock every fifteen minutes with a random delay of fifteen minutes. It is also overkill.
Also note that while tor continues to be slow as molasses, its latency may help defeat this kind of identification for any properly synched system clock.
Use my userscript to add story images to Slashdot. There's no going back.
The real problem is that your browser sucks! A decent browser would not allow a website(remote attacker) to execute malicious code(all remote code is malicious) or write data in unauthorized places. The browser should completely jail whatever happens within it. I realize that it's all about features but, the problem with features is flaws like this.
If the browser allows writing of data even via Java to the local drive, it should be jailed and in turn eliminated by Private Browsing mode. It should also be wiped by clearing the cache. Why must I still manually delete ~/.adobe and ~/.macromedia as well as all the other usual suspects?
Your browser sucks! Mine too!