Zombie Cookies Just Won't Die

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

"Caught with hand in the cookie jar" joke here

[elrous0]

Microsoft says it'll stop the abhorrent practice

Fixed that for them.

Actually, an even more accurate quote might be:

Microsoft "says" it'll stop the abhorrent practice

Re:"Caught with hand in the cookie jar" joke here

[ThisIsSaei]

Bravo, sir.

Re:"Caught with hand in the cookie jar" joke here

[gomiam]

If aberrant is abnormal, why should they use abhorrent instead? It actually can be both at the same time, IMO.

Re:"Caught with hand in the cookie jar" joke here

Abberant might imply that it was accidental or unintentional. It might be abberant, but it's definitely abhorrent.

Re:"Caught with hand in the cookie jar" joke here

[dkleinsc]

That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

Re:"Caught with hand in the cookie jar" joke here

Actually, the original quote is correct. Microsoft did, in fact, say it will stop the practice - whether it will follow through is another matter.

Using scare-quotes calls into questions whether Microsoft ever said they would stop, which is wrong. It does nothing to accentuate the point that Microsoft often says it will stop screwing its users when in fact it just keeps on screwing them.

Re:"Caught with hand in the cookie jar" joke here

[X0563511]

I think you meant they will "stop" the practice. And by stop, they really mean continue without remorse.

Re:"Caught with hand in the cookie jar" joke here

Hey... take it easy... Microsoft is not the enemy.
Windows is.

Re:"Caught with hand in the cookie jar" joke here

[LordLimecat]

Calling "placing cookies" abhorrent seems a bit over the top, no? Call me crazy, but I believe in perspective, and I would reserve "abhorrent" for such things as "mugging an old woman" or "racism".

Re:"Caught with hand in the cookie jar" joke here

He's saying it's an abomination, not an abnormality. How is that a grammar troll? It's classic FTFY.

Re:"Caught with hand in the cookie jar" joke here

Your morals really needs some work.

Re:"Caught with hand in the cookie jar" joke here

[elrous0]

Calling "placing cookies" abhorrent seems a bit over the top, no?

But these are SUPER-cookies.

Re:"Caught with hand in the cookie jar" joke here

[Abstrackt]

As someone who believes in perspective, you should agree that context is very important. According to Google abhorrent is defined as "Inspiring disgust and loathing" so as far as privacy practices go, it's entirely valid to say it's abhorrent.

Re:"Caught with hand in the cookie jar" joke here

[laurelraven]

I think it calls out the fact that while Microsoft can "say" whatever they want, the question is whether they will actually do what they say.

Re:"Caught with hand in the cookie jar" joke here

[laurelraven]

Add to that, it's not just the act of "placing cookies" that's at question here: it's placing tracking cookies specifically designed to not be removable. No web site has the right to put something on my system without my knowledge that I cannot remove; it's a form of violation.

Context is important, though. You can always make an argument that you're being whiny because someone else has it worse than you. I think there is a logical fallacy in there somewhere that I'm too lazy to look up right now.

Re:"Caught with hand in the cookie jar" joke here

[hesaigo999ca]

just because they say they will does not mean they will!

Keeps the "Re-install Windows" fix alive

[billrp]

which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

Re:Keeps the "Re-install Windows" fix alive

That's what I do. Well, I run Firefox with noscript and useragent switcher in linux, but it pretends to be running under Windows.

And by running it under linux, what I mean to say is that I run it inside a virtual machine that uses linux, but never remembers anything from previous boots.

So every boot is like a fresh install for me, and no supercookies work. Before you say my browser is unique, no, it isn't. I would have to turn javascript on for it to become unique, and sites like msn do not get javascript.

Re:Keeps the "Re-install Windows" fix alive

[encrufted]

Paranoid much?

Re:Keeps the "Re-install Windows" fix alive

[wvmarle]

Some 9 years ago when I was working for an ISP telephone help desk, our strategy for not working dial-up was basically as follows:

1) reboot computer. Customer usually tried that already.

2) Delete and recreate dial-up connection. Fixed 70-80% of the cases.

3) remove and re-install related network components. Fixed again some 80% of the remaining cases.

4) tell them that the solution lies in re-installing Windows but that we're not allowed to advice that (first-line help desk) nor that we provide support for that.

Re:Keeps the "Re-install Windows" fix alive

[catman]

When security is involved, the question is "are you paranoid *enough*". BTDT.

Re:Keeps the "Re-install Windows" fix alive

[couchslug]

More pocket money (and supposedly obsolete PCs) for me!

Nuke-and-pave is fast, which is all that matters.

Fixing Windows installations is like picking shit out of toilet paper. Just because you can doesn't mean you should, and you aren't likely to remove the entire "problem".

atmostfear inc. enacts oxygen rationing mandate

just in time? by 2025 anyway. the system will be tested on the totally submerged population living down under southern hillary, in the 3X6 citizen bunkers. the oxygen supply will not be wasted on the southern hillarians, as they are used to a lot of hot air, & have consented to breath the untested synthetic oxygen, developed in an unproven manner, at a secret location. no problems are expected.

the hillarians still must (they have the new pay-per-flush toilets) believe that the crown royals will be victorious, & that they will be unsubmerged, to join us all, in the former state of utah, come hell or even higher water.

disarm. read the teepeeleaks etchings.

*nix fix

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Re:*nix fix

[camperdave]

True dat! I haven't seen a browser cookie survive a good re-partitioning and OS re-install.

Re:*nix fix

Sweet!

Let me reinstall my OS now to kill those damn buggers. :>

Re:*nix fix

[UnknowingFool]

Well nuking something from orbit is the only way to be sure.

Re:*nix fix

[SydShamino]

Just wait until they are storing browser cookies in your laptop's battery firmware...

Re:*nix fix

[ArcherB]

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Rather than nuking it, why not just restore it to a previous, known good state...

rm -rf ~/.mozilla && rm -rf ~/.macromedia && cp ~/.mozillaGoodCopyWithBookmarksAndStuff ~/.mozilla -R

Re:*nix fix

[Z00L00K]

Nuke the cookie servers then.

I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.

Re:*nix fix

[elashish14]

I just link ~/.macromedia and ~/.adobe to /tmp, which is mounted in a ramdisk on my machine. I reboot it fairly often enough that I feel reasonably safe from persistent tracking.

For ~/.mozilla, I have cookies saved only until reboot except for sites like /. which I use to save logins. Also, extremely judicious use of NoScript. Not sure if it's good enough, but I don't know of anything more that can be done that isn't too heavy-handed.

Re:*nix fix

[LordLimecat]

Next up, the MBR cookie-- survives repartitioning and OS reinstall. Now with more cookie!

Re:*nix fix

[Bucky24]

I think the whole point of a zombie cookie is that it can survive the "save until reboot" option, though someone please correct me if I'm wrong about that.

Re:*nix fix

[C0vardeAn0nim0]

easy to defeat on *NIX. set ownership of ~/.adobe and/or ~/.macromedia with permission 000. presto, no flash crap stored on your computer, unless you're stupid enough to browse the web as root.

also, Samy Kamkar's "super cookie" is easy to avoid/defeat with firefox. click on the icon to the left of the URL, click "more info" then go to permissions. on "set cookies", uncheck "use default", then block. do the same for "offline storage".

leave the site (close the tab to be sure), then clean everything from the last hour on "tools/clear recent history".

Re:*nix fix

[izomiac]

On Windows and NTFS I restrict the creation of new folders in the Macromedia directories. That way, my progress in flash games can be saved, but my browsing history/cookies aren't stored for other sites. Here's a quick way to set that:

icacls "%APPDATA%\Macromedia\Flash Player\#SharedObjects\*" /Deny Everyone:(NP)(AD)
icacls "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys" /Deny Everyone:(NP)(AD)

Afterwards, delete the folders for sites you don't care about. Technically, it looks like stuff is also stored in %APPDATA%\Adobe\...\AssetCache, but I'm not quite sure of what's there so I haven't played with it. Standard Unix Permissions let you accomplish much the same thing with other OSes, but it's not as granular.

Now, if browser makers would get on board with the concept of not saving data (e.g. cache, cookies) to disk except for whitelisted sites, then we wouldn't have so many privacy issues. This seems possible in Firefox, but less so in other browsers. IMHO it should be the default, as it improves security, privacy, consistency, reliability, and performance without sacrificing any significant functionality and only requires user intervention on a handful of commonly used sites.

Re:*nix fix

[Kral_Blbec]

It's okay. I'm secure. I don't use a Mac.

Re:*nix fix

[nahdude812]

There are several forms of 'meta cookie' which can be used to uniquely identify you, and which have nothing to do with either Flash or standard browser cookies. For example, check out Panopticlick. There are also older attacks such as history sniffing (defeated in modern browsers, but still available in the majority of active browsers). Plus there's permanently cached files (a JS file with an expiry set unreachably far in the future, with a server which responds that the file is always fresh, while the content of that file is uniquely identifiable information). DOM storage, HTML5 offline cache, and many other vectors are ways to stick information on your computer in ways you're probably not expecting.

Some sites have put together combinations of these approaches to make super cookies which are almost impossible to defeat without simultaneously erasing cache, cookies, flash cookies, all browsing history, and also making sure you're running a completely vanilla OS with a completely vanilla browser install (each addon or font, and many 3rd party programs can contribute to your fingerprint being more unique). If you have an unusual font or two installed, this all by itself can make you uniquely identifiable in a way that no level of browser scrubbing will protect you.

A "super" cookie is one where every means of uniquely identifying yourself has to be simultaneously scrubbed. If you miss even one, the rest are restored.

Re:*nix fix

[hawk]

There used to be cookie exchanges with junk buster--send your cookies in, and get a random assortment from others, instead.

Re:*nix fix

[tedrampart]

the point of linking to /tmp, means it will delete the contents during a boot.. doesnt matter wheat options are in the cookie, the os will whipe the folder clean unless you set permissions to have the file retained during a boot... unless I'm missing something?

Proof that cookie alternatives are needed

Cookies are a relic of the 90s. We need a new way of session-tracking that isn't so exploitable by advertisers. Oh wait, I've got it. Encryption. Your key is all you need.

Another reason for DIY Linux

I know it's not for everyone but I'm so tired of Windows dramma...
I'm going to stick to my Linux box as for the HTML5 "hickup" *hit happens.

Just Set Up VMWare

[Greyfox]

And run your browser in VMWare, and wipe the VM you run your browser in clean when you exit. Or just don't browse the web anymore, since these shady practices are devaluing the platform as a whole. Which actually might be exactly what Microsoft wants...

Re:Just Set Up VMWare

The shady practices are the value. Not the value for "we the users", but the value for the folks that need to pay to keep their server running, their code written, and their internet connection on. "we the users" either deal with advertisers love of our data or deal with some form of micro-payments so our services stay on. I'm all for that; get rid of the adverts and charge me some small fee. I'll bet that gets rid of most of the trolls anyway.

Re:Just Set Up VMWare

I can see where you're coming from on that one. :)

Not to be overzealous, but Microsoft is pretty much a Google equivalent when it comes to the "we'll do whatever we want when we want to and all of those little Humans will LIKE IT, damnit."

To extend what you're saying, I can definitely see a time not too far from now where every month (maybe every week?) will come a redesign of lifestyle based on the newest technology that requires less work, less thought, less fear, and less fear of "loss of valuable time" of the users.

Companies will just keep suing and patenting (followed by suing and patenting) to come up with the newest, most "necessary for survival" way of living that squeezes just another percentage of financial resources from individuals until..... One day, we may realize that the whole reasoning behind all of this was to "live an easy life where machines do the work for you" and the fight that ensued has lead to multiplication of profitability to achieve said life. Once said life has been obtained, where will the profit come from? We'll have to think of something else to work with instead of money.

Oh, wait, isn't that repetition? Humans are amazing. :>
 

Re:Just Set Up VMWare

[Eponymous+Coward]

Why do advertisers on the web need to know who they are advertising to? They put ads on billboards and on television and only get a very coarse idea of who is seeing them.

Re:Just Set Up VMWare

[0123456]

I'm all for that; get rid of the adverts and charge me some small fee. I'll bet that gets rid of most of the trolls anyway.

It will also get rid of most of the users as they move to free sites or just stop wasting time on the Internet in the first place.

Re:Just Set Up VMWare

[Bucky24]

They don't, but knowing makes it much easier for them to run targeted ads. It gives them an increased possibility of a sale.

Stop blaming the Sites

And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

Re:Stop blaming the Sites

[maxwell+demon]

Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

For HTML5 features however, I have to agree with you.

Re:Stop blaming the Sites

[Hatta]

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Re:Stop blaming the Sites

[Kunedog]

Flash is an external process and thus bypasses browser settings.

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

Re:Stop blaming the Sites

[poofmeisterp]

FlashBlock is your friend.

Unfortunately, it won't cover things in Internet Explorer (duh) or things that you actually DO want to view that use Flash.

I don't care about Microsoft doing it. If YouTube (read: Google) does it with blatant intent to steal every bit of information they can...... Oh wait, nothing will happen.

People are too addicted to the things they want and can complain until their blood vessels burst, but they'll continue to use said service.

I'm sort of wasting logical time posting this. I said what I needed to. :)

Re:Stop blaming the Sites

[BitZtream]

So the browser shouldn't load the flash plugin, problem fucking solved. Next.

Yes, it can simply refuse to load flash until a version that plays nicely is made, its not hard, in fact, its really fucking easy actually.

Re:Stop blaming the Sites

[ifrag]

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Or how about run Flash in a temporary VM which can be immediately destroyed on exit? If there is a way to have security and functionality I'd prefer that.

Re:Stop blaming the Sites

[asdf7890]

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

That is why people that know what they are doing get their content for surprise birthday planning via "trusted" private trackers not flash infected websites.

Re:Stop blaming the Sites

Kind of like Facebook.

I wish I could quite you... No, seriously, I would take a battle axe to your servers if I could.

Re:Stop blaming the Sites

but I needs the flash to view the pornz!

Re:Stop blaming the Sites

[John+Bresnahan]

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

I'm willing to outlaw birthdays if that's what it takes to eliminate this problem!

Re:Stop blaming the Sites

[wvmarle]

Can't Mozilla "just" sandbox Flash?

Or have it run in a chroot jail or so?

Just thinking. To keep those pieces of thoroughly misbehaving but necessary evil in line.

Re:Stop blaming the Sites

[hedwards]

Flashblock doesn't work that way, what you need is noscript. The creators of Flashblock specifically state in their FAQ that they don't block LSOs, flash cookies or swf trackers.

Re:Stop blaming the Sites

It -will- sandbox Flash, in version .... never mind.

Re:Stop blaming the Sites

[poofmeisterp]

Thanks for the info; I'll take care of that right now. I stand corrected!

Re:Stop blaming the Sites

Protip for IE users:

Go to Tools, then "Manage Add-ons". On the list of Toolbars and Extensions, look for "Shockwave Flash Objecyt", by Adobe. Right click on it, then select "More Information" from the popup menu.

The window will then show some information, including "You have approved this add-on to run on the following website:". The box will probably show an asterix, which means All Sites. If you click on "Remove All Sites", it'll remove that, and have nothing in the list of sites. From there, ALL SITES will have the warning popup if they try to access/create the Flash object. You'll have to accept it if you want flash files originating from a specific domain to show; it gets added to the white-list and you won't get asked for that site again, but any external sites not in the white-list are still blocked.

Re:Stop blaming the Sites

[Unequivocal]

Private browsing isn't so private.. http://panopticlick.eff.org/

You can be pretty thoroughly tracked as an individual without cookies at all..

Re:Stop blaming the Sites

[vlueboy]

Disabling flash for everyone on your machine is easy. Arguing with someone who uses the same PC AND/OR re-enabling it for some emergency when time is important, is hard.

And you'd be surprised how many places require it. Streetview requires it, Yahoo mail has some hidden attachment functionality, and Youtube's HTML5 video fails, and sucks when it actually FINDS any video that is available in that format... iPhones load all flash-lacking youtube videos OK, but full-size PC implementations are utterly unusable when parsing the same data, for some reason.

So we're not quite there yet. The day HTML5 comes of age as a real Microsoft standard, you can fully expect your flash-less trip will not protect you that well, and you won't be finding HTML4-only browsers on that day. Apparently HTML5 features will not be GUI-configurable, other than the html5cookie^W "persistent" storage amounts.

Re:Stop blaming the Sites

Look up Betterprivacy for firefox

Customizable flash cookie tool. I have it set to delete it after every session.

Re:Stop blaming the Sites

[maxwell+demon]

Read the documentation of BetterPrivacy to see the limitations. Ideally, it would offer controls on par with Cookie Monster. However, that's simply not possible with Flash cookies.

Wrong Name

If they'd just called it a "Jesus Cookie" no one would be complaining.

Re:Wrong Name

[Opportunist]

Then it would at least stay dead for three days.

Re:Wrong Name

[Dracos]

No functional difference there.

Re:Wrong Name

Don't you get Jesus cookies at church? I think they call them wafers or something.

Re:Wrong Name

[AliasMarlowe]

If they'd just called it a "Jesus Cookie" no one would be complaining.

Then it would at least stay dead for three days.

And bugger off permanently after another 40 days or thereabouts.

Re:Wrong Name

[Opportunist]

Well, maybe so, but the idiots that clicked his link and got infected by his trojan will keep filling your firewall log.

A question

[jandersen]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

Re:A question

[maxwell+demon]

Is there any good reason why one would want to use HTML5 at all?

At least if it's in HTML, plugins can do something against it. For Flash, there's little plugins can do.

Re:A question

Is there any good reason why one would want to use HTML5 at all?

Because it mostly obsoletes Flash, thereby opening up lots of things to competition, and some of those competitors will be user-oriented rather than Adobe- and Adobe-customer oriented.

Once you stop using Flash it's easy to forget just how much of a scourge Flash was, but lots of people are still saddled with it and will remain so until they upgrade their tech.

Look at it this way: HTML5 has the capacity to be implemented in a way that it either good or evil, but Flash (and ActiveX) are only implemented once, which just happens to be evil. Anything that has only one implementation will always FUCK THE USER.

Re:A question

You could always, oh, I don't know... not install flash. Or use Flashblock if you actually want it on certain sites.

Re:A question

[The+Moof]

a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

When Slashdot ran the article about the JavaScript + HTML5 music player, that was my first impression. I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

Re:A question

[tepples]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

For one thing, the video, audio, and canvas elements mean not having to deal with Adobe's (historically?) inefficient and security-defective software. For another, CACHE MANIFEST and localStorage allow using a subset of a web application offline for a short period, such as on your laptop while riding the bus, while ceding less control over your system than you would if you were to install a native application.

Re:A question

[BitZtream]

Really? A plugin can't just go around watching the flash directory and wipe out files as they are created?

Its not really that hard. Its a hack, but its entirely doable.

I swear to god, people have no creatativity when it comes to solving problems on computers these days.

Re:A question

At least for the video and audio, both Flash and HTML5 are functionally inferior to just <a>'s to files. Windows Media Player can even stream such files without a problem. The only reason website developers want to use Flash is because it makes it hard (for the average user) to save the file locally, while in WMP that's just one click away.
Canvas as a replacement for Flash animation is not nearly fast enough yet; Brackenwood cannot, at least for the moment, be achieved with HTML5 canvas.

From the end-user's perspective, it would have been better if HTML5 had never been thought up, but it wasn't thought up for the end user. If browser vendors were serious about serving end users, they'd make all cookies opt-in by default, and similarly for HTML5 local storage and possibly even the browser cache (which is in essence a kind of local storage anyway).

Re:A question

[Anonymous+Brave+Guy]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

Re:A question

[jonadab]

In a word, no.

The most common argument in favor that I've heard is "it's more open", which is of course nonsense. (XHTML is every bit as open as HTML5.)

The secondary argument is that it lets you do stupid junk like embed a video in a web page (instead of just linking to the video file and letting the user click it and open it in their preferred media player, like a sane person would prefer to do). This argument is at least coherent, in that HTML5 actually does provide said functionality; it just doesn't seem like a *positive* thing to me.

So, to me, HTML5 seems like a step in the wrong direction.

Re:A question

[tlhIngan]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

As opposed to now, where the user doesn't have control over Flash? Sure Adobe's FINALLY added the ability to clear Flash cookies - after how many years of every browser supporting it?

If you're a geek, HTML5 lets you have fine control over everything - if you don't want to run Javascript from a specific domain, you don't have to. If you want to block a site from leaving a cookie, you can (Flash is particularly bad here, as it's either "all cookies", "no cookies" or ask.).

WIth Flash, you're ceding control to a third party plugin which can do anything it wants - browser settings be damned. With HTML5, the browser is the ultimate authority of what can and cannot be done. If you're a control freak, it's a good option to have.

And heck, a browser can clear cookies and offline cached data after quitting. Can't really say the same for Flash (and I believe to clear cookies requires visiting Adobe's page for some reason).

Re:A question

[hedwards]

Better privacy does that, but anything that does this is going to be limited in scope. It gets really tricky to figure out which ones to allow during a session. Wiping them out when you close the browser does nothing for short term tracking while you serf, but it does limit the long term spying.

Better than nothing, but not good enough.

Re:A question

[Calos]

I agree.

I disable images in all of my browsers, and open them up in my image viewer of choice, like any sane person would prefer to do.

I also occasionally use a Python script to fetch webpages for me, pull out the body text and save it so that I can read it in my text editor of choice. Like any sane person would prefer to do.

Re:A question

[_0xd0ad]

I have BetterPrivacy configured to delete all flash cookies that haven't changed in the last 20 minutes. The only time I had a problem with it was in an online training app that used Flash and stored its progress in a flash cookie. I added an exclusion for it and had no further problems.

Re:A question

[Calos]

And just to clarify, that second one wasn't to address you point, but your manner of making it. Just because someone doesn't have the same preference as you, does not make them insane.

Re:A question

[Unequivocal]

Double plus on your last paragraph -- browser headers are really really unique at this point: http://panopticlick.eff.org/

Using cookies is just simpler for advertisers, but banning those on the client without enforcing some "do not track" at the supplier end won't solve the problem. They'll just move to browser headers..

Re:A question

[Opyros]

while you serf

Freudian slip?

Re:A question

It does offer a number of usability improvements for HTML forms that are inconsistently done with javascript kludges right now.

Re:A question

[jonadab]

That's nonsense. Images and text are two-dimensional content that you scroll through and read. They go together and (if the page is at all well designed) complement one another. The user scrolls through them together and views them together, at the user's pace. It actually works pretty well.

Video, on the other hand, has (one could even say it is dominated by) a time dimension that is at odds with the user's ability to read and scroll. This makes embedded video extremely inconvenient for the user, because the video is trapped in the context of a web page where it doesn't really fit -- it nearly ALWAYS takes a different amount of time to watch the video than it takes to view the surrounding page. Furthermore, videos don't need external captions and explanations like two-dimensional images so often do. Taking an image out of the context of the web page often makes it less interesting or harder to understand, but the same is not true of video. I have never seen an example of a video embedded in a web page where remaining in the context of the page added ANY value whatsoever to the video. Ever. In every single case I have ever seen, the video would have been just as informative and understandable and more convenient for the user if it were freed from the page and opened up in a video player app separate from the browser window.

(Yes, I realize this is not the most popular view. I also consider browser plugins like Java and Flash to be a fundamentally bad idea. I blame Netscape, although of course none of the major tech companies are entirely without fault when it comes to finding various ways to make the web harder to use. But Netscape also gave us window.open() and the blink tag, among other things, so their sins are particularly egregious.)

No problem

[maxwell+demon]

The "standard" Firefox plugins already take care of it.

No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
Most tracking cookies come from ad networks -> AdBlock Plus
Most tracking cookies come from third party domains -> RequestPolicy.
And if you get one anyway, you can also get rid of it -> BetterPrivacy.

Re:No problem

[geminidomino]

Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

Re:No problem

no matter how batshit-loco the design team gets. :(

Wait, the design team? What the fuck have they done? I can't keep up with all the nit-picky retarded stuff the Slashdot community is bitching about anymore. (Not that I particularly want to.)

Re:No problem

[ThatsNotPudding]

And how many of those will get perpetually broken by Mozilla adopting speed-of-light updates?

Re:No problem

[marcosdumay]

Konqueror + KDE wallet are missing "only" NoScript.

But the KDE combo has Kget, what, now that the Firefox is so braindead at downloading things, is quite usefull.

Re:No problem

[geminidomino]

Does KDE Wallet generate passwords programatically, without the user getting involved (other than asking it to. PasswordMaker is nice like that. Right-click->"Populate this field" and done).

Might be worth looking into, though I spend more time working on Windows lately...

Re:No problem

That's fine and dandy till Mozilla releases the next version of firefox 1 week later and breaks all your plugins.

Re:No problem

Okay, I just disable cookies completely in Firefox and explicitly allow the sites that need them for a purpose I agree with.

Re:No problem

[maxwell+demon]

Okay, I just disable cookies completely in Firefox and explicitly allow the sites that need them for a purpose I agree with.

The point of those supercookies is that this isn't sufficient.

Re:No problem

Good question, I have 6 extensions installed and haven't had a problem with my extensions with the Firefox 5 or 6 updates. I admit I don't upgrade straight away, but it hasn't been 2 weeks since Firefox 6 was released, and my upgrade yesterday was without issue.

It's nothing new

[badzilla]

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm

Re:It's nothing new

[Dracos]

And when everybody freaks about LocalStorage and the browsers hamstring or disable it, the trackers will just fall back to using the HTML5 ping attribute which is near perfect for tracking people without cookies. It's one of the many reasons why HTML5 is broken and flawed, but nobody seems to care when there's video, audio, and canvas elements. The only inarguably good thing about HTML5 is the forms improvements.

Re:It's nothing new

[AliasMarlowe]

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm

Yet another reason to avoid IE, even in its newer (differently-evil) incarnations.

Re:It's nothing new

[Voline]

HTML 5 local storage worries the hell out of me.

Me, too. Safari has an "Advanced Preference" for "Database Storage" to allow "none before asking". I always say "no". But so far only Twitter's website wants to store data on my machine.

Chrome and Firefox don't seem to have a similar preference. I see reference to cache but not local storage or database storage which I think are the relevant terms, here.

Re:It's nothing new

[vlueboy]

What I find completely wrong is that all these features are being added and almost NONE are being balanced by a nice control GUI. They just throw the storage into a random place, like the below commenter's persistence tab being under Advanced \ Networks in FF (3.6.10 here worked as well as his 6.x build, BTW)

Browsers do not have a standard set of things to block; blink tags were the first warning that very few users even in open-source browsers would probably benefit from a very fine-grained advanced section. I don't know what we're going to do when we get our wishes granted and Flash goes extinct; I can turn flash off, but see no efforts to selectively disable canvas, or even CSS attributes. Being forced to turn off stylesheets just to turn of a particular feature drives home the point that "full blast AND OFF" is a lazy programmer-thought solution to everything this day.

I'm just waiting for the day there's an HTML5 checklist where I can turn stuff off that I don't like. Opera has a very detailed but obscure page akin to FF's about page, with explanations and all. The downside is that you can't know whether features there are browser-specific or HTML5 specific, but I really liked long descriptive lines as opposed to FF's cryptic Registry-like entries. Any setting that is hidden until you create a new key is just asking for obscurity. I just hope FF can copy from Opera's book and provide some sort of in-line string for every option available by default instead of having me google the option and investigave what is relevant for MY particular release.

Huh?

[The+MAZZTer]

OK so the article cites localStorage as a problem, but Chrome at least treats it the same as cookies when clearing private data, and in incognito it shouldn't persist localStorage data across sessions (not sure about other browsers).

It also mentions that MS was sticking a JS file in the browser cache to recreate a cookie. This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article). But it sounds more like ETags are used, having nothing to do with the JS file being cached or not. I'm not sure how ETags work but I can't imagine they would be effective in incognito mode either since cache is never kept (and the article infers this is necessary).

Did I miss anything?

Re:Huh?

It sounds like they generate a new js file every time it is served, but tell the browser that it can be cached for a long time, while at the same time claiming that it hasn't been modified in years so a new one won't be requested (with a new unique value).

The main problem I see with this approach is that a squid proxy for a school or other large organization would cache this js file and then feed it to everyone in the organization. Now you might have hundreds or thousands of people with a single id. This would be counter productive for Microsoft, but maybe worth it on the whole.

Before you say there is some value in linking all of these people - they were probably already linked by using the same ip address to begin with (the same squid cache).

Re:Huh?

This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article)

It goes something like this-

You learn things by watching which specific files get re-downloaded, and which do not.

Lets all embrace LYNX

with vt100 flash like animations no one would notice the difference.

ZOMBIE BROWSERS

[roman_mir]

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there. If this is not clear to the browser developers then there will be more forks built that will be Freer for the users, but there also maybe something else done, like a VM to control all of this run away software. Start it in a VM and when you are done, kill that VM and there is no cookie.

Re:ZOMBIE BROWSERS

[geekmux]

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

Since we already know why you should draw a line, the question is where do you draw the line.

Re:ZOMBIE BROWSERS

On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

We say that about Facebook, Google, newspapers and television because it's the plain truth: the money that these companies make comes from advertisers, and the advertisers give them this money in exchange for users' eyeballs. Users pay nothing, advertisers pay everything, therefore advertisers are the customers.

With browsers, it's more complicated.

Chrome, being from Google...probably true, in a convoluted way. Firefox, funded partially by donations but also by Google referrals...partly true. MSIE and Safari are funded (mostly) by the sale of software and hardware, respectively, so mostly false. Opera...heck, how does Opera make money these days?

Re:ZOMBIE BROWSERS

[poofmeisterp]

You're 100% correct.

enableHumor();

Let me ask the question that creates a loopback to itself over and over (especially in the USA): "Where do I $BUY$ the browser that doesn't allow any of this and enables me to view an ad-free Internetzzz?"

"Wait, you meant that only YOUR ads wouldn't show? But your advertisement said your browser blocked advertisement if I bought it! Weird wording sold your product, you crafty people, you. Okay, so how do I get a version that really blocks all ads? Oh, an add-on. Weird installing an 'add-on' to block 'ads', but okay... Wait, the add-on isn't compatible with the version I bought??? So what do I do now? I need help because I'm a stupid person that can't figure all of this stuff out. Oh, I $BUY$ your next version and that will let me add this add-on ad-blocking addition? What's that? Your new version is available TODAY? Sweet. I NEED it TODAY! I'll $BUY$ it now!!! Alright, I bought it. Now how to I add the add-on? You don't recommend it? Well, I'll add it on anyway. Okay, it's added on and the ads are blocked. WAIT, they're blocked to your competitors and a few other entities of your own choosing only? Why did I $BUY$ this? Oh, no! I'm so disappointed. I guess I'll just call my lawyer and see what they have to say about this because that's all I know how to do to make it in this world." :)

Re:ZOMBIE BROWSERS

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there.

It's called open source.

Or run a live USB, and re-boot frequently

http://unetbootin.sourceforge.net/

why I use Linux

[JustNiz]

Microsoft disgust me. After decades of this sort of deceitful behaviour, it is evidently still too much to expect Microsoft to actually do the 'right thing' in the first place.

Even without any sort of ethics, they're also too stupid to actually learn their lesson that all these scams that Microsoft repeatedly perpetrate on their own customers always eventually get discovered and backfire with far more loss of face and therefore sales than presumably they gain from doing the thing in the first place.

Re:why I use Linux

You think this is because of Microsoft?

Hardly. The focus on Microsoft is...deceptive at best, as it ignores how the practice is done by hundreds of others, and they work on any number of other platforms.

You think using Linux makes you safe? Not unless you're taking considerably more steps to protect yourself. You probably aren't, because you'd rather just hate Microsoft.

Not that this is a scam, or perceived as a real problem outside of a small segment of hyper-paranoid nutbars, because sites like Facebook thrive on the whole issue of destroying privacy.

Re:why I use Linux

Isn't it ironic that I don't use Linux in part because many of its users are assholes like you? Grow up.

Re:why I use Linux

[d.the.duck]

That would make you an imbecile. There is a superior product but I refuse to use it because of the user base. I guess you aren't using any OS then.

Re:why I use Linux

[BitZtream]

That would make you an imbecile.

Not really, but your reply also makes you an asshole.

He never said it was a superior product.

It would be rather retarded for anyone to blindly state 'Linux is a superior product' without any sort of specifications, that makes you an asshole, and an ignorant one at that. For instance, your superior product is effected in the exact same way as EVERY OTHER FUCKING OS SINCE THE OS HAS NOTHING TO DO WITH IT in this cause. The problem discussed here works perfectly fine in Firefox on Linux, so your superior product ... isn't.

So now that you've just shown us how you're an asshole, and he's got a pretty valid point about avoid Linux cause it has a lot of douche bag asshole losers, why don't you just shut the fuck up and crawl back in your hole in the wall down in mommies basement.

Fucking ignorant newbies.

Re:why I use Linux

Mod up!

I agree and do the same. Integrity is important. If a company is pulling anti-customer tricks somewhere, you can't trust (or fund) them anywhere.

Re:why I use Linux

[d.the.duck]

Don't get your undies in a bundle Sally. I wasn't referring to this particular subject at all. The poster implied that the only reason he doesn't use Linux is because of people like the original poster (also somewhat implying that he accepts that Linux is superior). My example was that if there is a superior product, if you would choose not to use it because of the users of the product, that would make you an imbecile. My last comment was to point out that there are idiots among all operating systems therefore one should not judge the OS by it's user base. So, count to 10, take some Pamprin and have a little lie-down.

Re:why I use Linux

The focus on Microsoft is...deceptive at best, as it ignores how the practice is done by hundreds of others, and they work on any number of other platforms.

There are millions of thieves in the world. Is it ok to steal just because others do it?

You think using Linux makes you safe?

There is no such thing as an absolute safety unless you feel like writing all your software by yourself. And even, then you are still risking it by using hardware you didn't make by yourself. And you know what, maybe your electric installation at home is a highly sophisticated monitoring device installed by the government. Did you set it up yourself?
You have to trust someone at some point.

Not unless you're taking considerably more steps to protect yourself. You probably aren't, because you'd rather just hate Microsoft.

Personally, I'd rather trust the Debian developers who have a stellar 19 year history compared to Microsoft who always seem to find a new way to fuck with their customers every few months.

Not that this is a scam, or perceived as a real problem outside of a small segment of hyper-paranoid nutbars

Ad hominem is not an argument.

because sites like Facebook thrive on the whole issue of destroying privacy.

Using Facebook is a voluntary and you explicitly agree to their terms before you can start giving up your privacy. Microsoft never asked me if they can keep cookies on my computer in the first place, and when I try to get rid of them, they actually try to secretly retain them against my decision. And no, having a tiny grey link at the bottom that links to a 10km legal text does not give them the right either.

Re:why I use Linux

There are millions of thieves in the world. Is it ok to steal just because others do it?

It's not about whether or not it's ok to steal, it's about focusing on the one activity by one party to the exclusion of all others.

Thanks for not paying attention, it shows how much you care.

You have to trust someone at some point.

The biggest part of trust is a prudent realization of what's covered by the people you're trusting, and what is not.

Many Linux users are poor at that, because they don't realize how many many illicit activities are taking advantage of the users rather than weaknesses of the system. No OS in the world can keep you from being the kind of person who falls for a Nigerian royalty scam.

Personally, I'd rather trust the Debian developers who have a stellar 19 year history compared to Microsoft who always seem to find a new way to fuck with their customers every few months.

Personally, I'd rather not, because I know the Debian Developers aren't doing anything to run the thousands of websites people visit which are the source of these problems, rather than the OS or the programs.

There is no point in trusting them in that regard, because it's outside of their purview.

Ad hominem is not an argument.

Except you miss once again the purpose of the statement, which is that it's not a scam, nor perceived as a problem by most.

If anything, the last bit about hyper-paranoid nutbars was meant to ironic, but you missed it. I figured somebody would, which was why I was tempted to remove it, but I decided not to do so, since it made for a useful filter.

Using Facebook is a voluntary and you explicitly agree to their terms before you can start giving up your privacy. Microsoft never asked me if they can keep cookies on my computer in the first place, and when I try to get rid of them, they actually try to secretly retain them against my decision. And no, having a tiny grey link at the bottom that links to a 10km legal text does not give them the right either.

Visiting Microsoft's websites is voluntary, and if you don't agree to their terms, don't do it. Don't even get me started on how uninformed people are about Facebook's terms or activities, which include the exact same legal text you complain about.

Facebook also does the same thing with cookies. You can bet on it.

HTML5 FUD

That HTML5 fud is such rubbish. There's nothing about local storage that makes it immune to private browsing protection. When people start exploiting it, privacy protection will come. It's just data on the disk. Zombie cookies are something else entirely, based on server-side tracking data.

It's depressing how many people write about internet technology seemingly without knowing the difference between client and server.

Speking of abhorrent...

[kaizendojo]

Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more wide spread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


Segment 758: discount sites including Groupon and eBay Daily Deals Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks Segments 984-989: home improvement sites including Home Depot and Grainger Segment 2701: pages about the Ford Fiesta Several interest segments are highly sensitive:

Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic Segment 2640: pages about menopause, including at the NIH and the University of Maryland Segment 2014: pages about repairing bad credit, including at the FTC Segment 2265: pages about debt relief, including at the FTC and the IRS"

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That we we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

Re:Speking of abhorrent...

[Tim+C]

Actually, nobody said anything about anything abhorrent, the word used was aberrant. Of course if they had done as you ask, that really would be aberrant behaviour round here...

Re:Speking of abhorrent...

oh simmer down with all your "rational" talk, you.

Re:Speking of abhorrent...

[poofmeisterp]

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed?

Indirect quote (*snort*):

*temper tantrum*
"Because there's no ca$h in that!!!! I want money and I'm gonna say what I want to get that from you, you person who is easily deceived by want, you. My daddy taught me that!" :)

private-browsing features can't stop them

[Ex+Machina]

Can't you setup browsers to prompt to create local storage?

Noobs

Yeah... cause it's so difficult to disable cookies, Flash, JavaScript and this newfangled HTML5 storage by default and only enable them on sites where they're needed, and use a good URL filter.

Hasn't anyone heard of AdBlock? Or better yet, Opera, which can do all of this without extensions.

Extreme measures?

[neokushan]

A lot of commenters here seem to be taking what I would consider as extreme measures in order to avoid these cookies. Running your browser in a VM which resets each time you close it? Installing numerous addons (I see someone listed 4 you need to install to cover yourself)? Does anyone else not think that perhaps instead of avoiding the issue, it should be tackled head on?

What I mean is - if this is such a serious issue, why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it? The so-called zombie cookie (or Supercookie) exists because we let it exist. It's clearly an exploit in the way various technologies work together and it should be treated as such, i.e. patched until it can't be done any more.

Furthermore, any company that uses this tactic should be taken to court since it's a clear and deliberate violation of privacy. I.e. if I decide to delete a cookie, I'm making it explicitly clear that I want it gone - I'm opting OUT, so keep it that way.

Re:Extreme measures?

Just because it is the right thing to do, does not mean that it is legally required for companies to do. Laws lag behind technology by a few decades.

Re:Extreme measures?

[PPH]

And not every web site is run by a law abiding or standards compliant entity (company or individual). Or an entity within our legal jurisdiction. I mean, look at the problems we had getting people to adopt the evil bit standard.

Re:Extreme measures?

Within the soul of the advertiser/marketer, the desire for a "Supercookie" will never die. For them, the concept is like a dream come true. Only through explicit legislation, as suggested, will humanity be spared the attempts to keep a permanent beacon alive on its machines.

It is shameful that our halls of parliament will have to be even partly devoted to such activity.

Re:Extreme measures?

[Tailhook]

why are we standing by

Self interest explains this. If cookies cease to `work' for the purposes of the ad networks then they'll make sites cease to work for those of us that thwart them. They're footing the bill for a lot of the `Internet', including the site you're reading now, so they call the shots. Since cookies still work for their purposes I get what I want with little bother, while everyone else has their every click correlated to their profile.

I don't want some grand solution that puts everyone at parity with me, because then I'll have to put up with what everyone puts up with. So stop talking about BetterPrivacy, NotScripts, etc. You're not helping.

Re:Extreme measures?

"why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it?"

Because Standards committees work for industry, not consumers, and if necessary can be stacked and controlled by industry.

Installing NoScript and AdBlock is not "extreme", it simply repairs a broken web browser - and makes it run a lot faster and more reliably. Sure, we shouldn't have to do that - but at least it's not as bad as trying to secure and accelerate, for instance, a Microsoft operating system.

Re:Extreme measures?

The web browser isn't broken. It the most of the web that is. But web browsers could surely do more to help with the issue especially when in "private browsing" mode.

what is this "users can't delete"?

It's a file on my damn disk. I somehow really doubt they have found a way to make it immune to "rm".

Why is technical illiteracy of even the most basic operations of computers so rampant these days?

Problems with HTML5

[Toonol]

I'm mostly glad to see the implementation of HTML5 everywhere, but it has some problems.

People thought that you could get rid of a lot of annoyances by increasing HTML5's capabilities to become more on par with Flash. Flash could be ditched. However, all it really means is that all the nuisances that were made in Flash (animated and noisy ads, commercials, persistent cookies, etc.) will now be made in HTML.

Flash wasn't really the problem... it was just one of the vectors FOR the problem. Now, HTML5+Javascript will take Flash's place in the eyes of marketers and spammers everywhere.

Re:Problems with HTML5

[BitZtream]

This has absolutely 0 to do with HTML5 and works in any browser since (and including) Netscape Navigator.

It does not however get around private browsing (at least not by itself, current flash implementations would allow it to do so however)

Re:Problems with HTML5

Flash wasn't really the problem... it was just one of the vectors FOR the problem.

But with HTML 5, web browsers can better filter the obnoxious behaviour. With Flash, you either allow a Flash movie or you don't.

Sandbox it!

It's easy to deal with these zombie cookies. All you need is to use a sandbox when you browse. Two products came to mind. I always use sandboxie when I browse or running untrusted program. I also use virtualbox.

zombie cookie = old-timey virus

What's the difference between a zombie cookie and an old-timey virus from back in the day? Why is it somehow okay for companies to infect user's computers with viruses but it's not okay for "bad guys" to do it?

Malware

I believe that these type of cookies (the one that stay on your system without your permission and are next to impossible to remove) should be classified as malware. I don't want it on my computer, they insist on putting it on my computer, and I can't get rid of it. If that isn't malware, then its the same garbage by another name.

Re:Malware

"next to impossible to remove"

Please don't spread FUD and technical illiteracy. They are no more difficult to remove than any other file. Anyone with even a halting familiarity with the operation of a computer should be able to do it.

Please stop with the glorification of stupidity.

"zombie cookies" means Flash cookies

[Sloppy]

Can't you setup browsers to prompt to create local storage?

The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

Ready?

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allows them to run native code that totally bypasses all the browsers' policies.

Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

Slashdot should not have linked to this piece of shit.

Re:"zombie cookies" means Flash cookies

[macshit]

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies.

Soooooo, can't you just delete the Flash cookie directory? That seems like it'd nuke 'em pretty good...

Re:"zombie cookies" means Flash cookies

[Inda]

TFA was also talking about HTML5 and its ability to perform local storage.

Was the article that shit? Have I really been duped? Twice?

Re:"zombie cookies" means Flash cookies

[BitZtream]

It actually wasn't about flash cookies.

It was about using browser cache as storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which inturn functions as a cookie when used by various pages that reference it.

Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

Your browser caches it and then doesn't request a new copy for a 100years, why should it, it was told the file isn't going to change.

The data in the file now serves as a unique ID which can be used to associate your browsing habits.

THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

Re:"zombie cookies" means Flash cookies

[the_humeister]

Why not just clear the cache every one in a while then?

Re:"zombie cookies" means Flash cookies

[Pionar]

Can we mod this down, please? It's completely wrong, The Microsoft thing has nothing to do with Flash cookies.

Re:"zombie cookies" means Flash cookies

So if you delete this cookie.js, how will the server know you are you? How will it match the id?

If you clear the cache you'll get rid of this, right?

Re:"zombie cookies" means Flash cookies

[0123456]

I set my cache to /tmp/mozilla-cache, so it automatically gets deleted every time I reboot. Same for Flash crap.

Re:"zombie cookies" means Flash cookies

IMHO, "zombie" refers to the walking dead, i.e. you kill it, but it keeps coming back. A zombie cookie is a cookie that is restored from other persistence sources when you clear cookies, i.e. you use the cached javascript file, Flash cookies, ETAG, HTML5 local storage and whatever you can think of to recreate your HTTP cookie whenever it is deleted. The cookie that rises from the grave to haunt you.

Re:"zombie cookies" means Flash cookies

[the_humeister]

For Flash, I set my ~/.macromedia directory to /dev/null

Re:"zombie cookies" means Flash cookies

But I clear out my cache all the time...

Re:"zombie cookies" means Flash cookies

Simple solution, disable your browser's web-cache.

Re:"zombie cookies" means Flash cookies

Ok, thanks for the explanation. I guess NoScript will block this along with all the other crap it blocks, right?

Make your own supercookie

[watermark]

This reminded me of an old Slashdot article about Evercookie http://samy.pl/evercookie/

Diff?

[fuzzyfuzzyfungus]

Please correct me if I am wrong on this; but it would seem that, in principle, it would be quite tractable to generate a 'local persistence profile' tracing the activity generated by loading a URL as a series of addition, deletion, and modification operations to the state that existed before the URL was loaded(in the same way the various browsers' dev tools allow you to trace the network activity and script execution associated with loading a URL). With that, the user would have broad power(limited largely by their desire not to wade through a massively complex interface) to immediately roll back all changes made on exit, on leaving the site, or on some schedule. Wrapping that in an interface simple enough to be used and powerful enough to be useful would be a bit tricky; but you'd have an extremely granular revision-control style record to work with, which would make adding a few basic features comparatively simple(ie. "All changes that occur when running in Porn Mode are reverted on exit" or "all changes that occur when I load evil.com are reverted when I navigate away from evil.com".)

It would even be doable, probably through the use of site-specific addons developed by the knowledgable, to selectively roll back certain changes but not others(ie. if webmailfoo writes a cache of my last 30 days of email to a local store, I don't want to roll that back; but I do want to roll back the changes made by the fooad network...) or even to programmatically modify locally stored data(that aren't cryptographically signed, or otherwise protected from any tampering other than deletion...)

The local threat certainly isn't getting any easier or less complex; but it is, at least, a software problem. It's the remote threat that you really have to worry about. Covering your tracks against a reasonably smart remote agent turns out to be pretty difficult, and you can't(legally) just go and purge their systems.

Cool new feature vs. security hole

[tepples]

I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

When the user explicitly consents to use of a specific local file or folder, it's a "cool new feature". When the user does not consent, it's a "security hole". Think of it as like a file upload control in an HTML form, but it works even when a web application is running offline from cache.

Re:Cool new feature vs. security hole

[The+Moof]

You need go back before Firefox (or Firebird, or Phoenix) existed, before the term "Web Applications" was coined, and AJAX was still a Microsoft proprietary technology in IE 4.0 called MSXML. Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

As for what I was referring to, it wasn't using an offline cache for its web application. The media player had a file input form element (what you called a 'file upload control') that read the file contents off your drive when you selected one from the file dialog. No posting back to the server or submitting the form was required, just simply picking a file.

Re:Cool new feature vs. security hole

[tepples]

before the term "Web Applications" was coined

Is there a date for that? eBay has always been a web application even before JavaScript postbacks were popular.

Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

The perceptions and uses of the web have changed so much over the past few years that I forget why they considered it such. But nowadays people rely on less jarring transitions between online use and offline use, especially on laptops and tablets, and JITs have made JavaScript at least speed-competitive with Java if not C++.

The media player had a file input form element [...] that read the file contents off your drive when you selected one from the file dialog. No posting back to the server or submitting the form was required, just simply picking a file.

And the key point is that the user explicitly consented to the use of the chosen file, therefore not a real security risk.

Re:Cool new feature vs. security hole

[thejynxed]

Unfortunately, with JavaScript and HTML5, it's trivial to do it WITHOUT the consent of the user.

That's the issue.

Re:Cool new feature vs. security hole

[tepples]

Unfortunately, with JavaScript and HTML5, it's trivial to do it WITHOUT the consent of the user.

Could you please explain further, or at least give me some web search keywords to go on?

Re:Cool new feature vs. security hole

[thejynxed]

JS injection to HTML, such as performed by many JavaScript Trojans such as JS.Gumblar. Where Gumblar was mainly restricted to redirects, downloading and execution of encrypted malicious executable files, etc, the ball changes with HTML5, which by design, gives unfettered access to certain storage areas, etc on your system via your browser. Modify, Delete, etc type of access.

Now we'll have something that can pull as well as push and execute, and won't require your permission to do so, especially since with HTML5, there are currently no plans to even allow end-users to customize any of the settings.

Imagine this: In Win7 for instance, by default most programs trigger UAC at some point if they want to change something. Read and Copy however, is not even questioned by default UAC settings. Some execute functionality is also not questioned.

Scripting something malicious to play a "video" or "mp3" in Windows Media Player (which by default after all of these years, still for some reason trusts unknown content to execute scripts, etc), is probably a trivial exercise. I also imagine something will be scripted to exploit installed plugins in conjunction with this, so if the computer say, has Flash Player, but not Windows Media Player, it will still have an avenue to do naughty things.

I can see privilege escalation exploits could also tie in heavily, to try and access say, System32 in Win7.

Don't know about HTML5, but...

[marian]

I just change the permissions on my cookies file to read only.

To manage localStorage in Firefox 6

[tepples]

To manage localStorage in Firefox 6, open the Options and go to Advanced > Network > Offline Storage.

Re:To manage localStorage in Firefox 6

[Voline]

Excellent. Thank you.

You gotta

Shoot them in the head and destroy the brain.

Fake Cookies

[retroworks]

Invisibility is futile. We need fake cookies, or randomly collected cookies, so that the advertising value of a cookie falls, i.e. "information inflation". Sure, Vehix knows now that I was car shopping, but what if EVERYONE had a copy of the Vehix search on their Html? What if in addition to the car I was really searching for, my browser held a record of every other car I wasn't interested in? Why can't we just run a random program, searching for random words, in the background, loading up on Zombie cookies from everywhere? "I'm Spartacus" http://retroworks.blogspot.com/2010/09/simpler-ideas-cookie-camouflage-digital.html

Re:Fake Cookies

[catmistake]

something like this?

if major browsers were forced to add this feature, the tiny background randomizing auto browser baking cookies at incomprehensible rates... I wonder what the demographics would be understood as by trendspotters... would anyone notice?

Re:Fake Cookies

I like how you think.

Re:Fake Cookies

[retroworks]

Wow. Yes, a lot like that. I'm not worthy.

Greasemonkey can do it

[WebManWalking]

Greasemonkey is a plug-in for Firefox that allows automatically executing your own scripts whenever you go to URLs that match a given pattern. You could easily write a script that looks at document.cookie and alters whatever cookies it sees. The only hard part would be deciding which cookies to overwrite, and how.

Use cases unhandled by <a> elements alone

[tepples]

At least for the video and audio, both Flash and HTML5 are functionally inferior to just <a>'s to files.

I see three advantages of Flash or HTML5 to providing links that an end user must play manually. How would you solve these use cases with just <a>'s?

• A web site can verify that the user agent has presented the entirety of one video before offering the link to another video. The advantage to the user is that the user can watch a message from a sponsor instead of providing payment details and paying for each view.
• A web site can add synchronized annotations made by other users.
• A web-based video game can play sound effects or music synchronized to events in the game.

bing toolbar virus

Just goes along with the "bing toolbar" virus that got installed as part of my IE8 automatic update just last week. IF I wanted the toolbar I would have ASKED for it specifically. U&*)(@#**( automatic "updates" that change my browser settings and install toolbars I don't want.

The problem isn't as complex as it sounds.

[idbeholda]

All we have to do is shoot the zombie cookies in the head. If we take out the brain, we take down the ghoul.

Re:Use cases unhandled by elements alone

[vlueboy]

I'll put on my user hat for a sec, so it will sound harsh, but Joe User doesn't care:

How would you solve these use cases with just <a>'s?
a) A web site can verify that the user agent has presented the entirety of one video before offering the link to another video.

Joe User: Not our problem. 10 years ago websites gave me all videos at and I could play and replay at my leisure. What's different now? [yeah, I know, bandwidth abuse, but still Joe User sees no benefit from the business implementation side of things and just clicking on the next link 100 times is still easier than paying a single dollar. Isn't that how Joe User leeches specific porn online?]

b) The advantage to the user is that the user can watch a message from a sponsor instead of providing payment details and paying for each view.

Joe User: I heard that the internet is supposed to be a place for sharing. Why do I need to "pay" anyone for goods I can find elsewhere for free? I can do just that to find ALL my music and videos for free, so I don't care about this one greedy "sponsor"

Re:Use cases unhandled by elements alone

[tepples]

What's different now?

A decade ago, ISP-provided web hosting and banner-supported web hosting came with 0.005 GB of space. A decade ago, we were in the dot-com crash. A decade ago, broadband was an experimental, expensive technology, and there weren't enough viewers of bootleg online videos to have a noticeable effect of the use upon the potential market for or value of the copyrighted work. The entertainment industry was still fighting things like Napster and WinMX, which were used more often for single songs rather than albums or movies.

Joe User sees no benefit from the business implementation side of things

Joe User sees that videos are available on the Internet as opposed to not available on the Internet.

Zombies!

Watch you Brains!

Hardware fingerprint tracking,

If they get enough hardware details they can track people across OS re-installs,
even OS changes.
Similar to what Panopticlick does.

o IP may stay the same
o Screen-resolution may stay same
o CPU details leaked from Firefox, navigator.oscpu and navigator.cpuClass
o Win64 reveals a 64bit CPU
o Timezone often remain
o Language often remain
o Going from Vista to XP follows many given changes
o Going from XP to Win7/8 follows many given changes
o Browser UserAgent often gives away OS details

Tor is great, but it gives away that it's a Tor browser.

Only way to privacy i can see is a browser that leaks out these details
in smart semi-random ways. This browser should also be good enough to
become 90% popular.
This way we wont need to hop IPs as much, and things becomes much faster.

The popular "Patagonia sweater vest

The popular "Patagonia sweater vest
Even north face sale fussiest Put THE NORTH "Nuptse" vest online and many retail outlets, including Saks, and provide THE same range from small-sized super size to all.The popular "Patagonia sweater vest
Even north face sale fussiest Put THE NORTH "Nuptse" vest online and many retail outlets, including Saks, and provide THE same range from small-sized super size to all.The popular "Patagonia sweater vest
Even north face sale fussiest Put THE NORTH "Nuptse" vest online and many retail outlets, including Saks, and provide THE same range from small-sized super size to all.The popular "Patagonia sweater vest
Even north face sale fussiest Put THE NORTH "Nuptse" vest online and many retail outlets, including Saks, and provide THE same range from small-sized super size to all.The popular "Patagonia sweater vest
Even north face sale fussiest Put THE NORTH "Nuptse" vest online and many retail outlets, including Saks, and provide THE same range from small-sized super size to all.

Preventing the content from persisting on disk

[forrie]

I would use DeepFreeze by Faronics which would ensure that a reboot would clean out any crap that may have been written to the disk. Simple. We use that were I work for student systems, Macs, PCs, and Linux. The downside is any persistent cookies you *do* need will be lost also. But if you're that concerned about being tracked, it's a fair trade off.

No invocations to these APIs occur silently

[tepples]

I read about Gumblar on Wikipedia. It appears to spread from an infected desktop PC to a web site by looking for saved FTP passwords and uploading itself. Ouch.

HTML5, which by design, gives unfettered access to certain storage areas, etc on your system via your browser.

Unfettered how? I thought access through <input type="file"> was limited to files that the user chose through an "Open" or "Save As" file chooser dialog presented by the system. From the File API spec: "The user is notified by UI anytime interaction with the file system takes place, giving the user full ability to cancel or abort the transaction. The user is notified of any file selections, and can cancel these. No invocations to these APIs occur silently without user intervention."