Google Accused of Bypassing Safari's Privacy Controls

DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

And people ask me why I don't use Chrome

[elrous0]

I trust Google with way too much as it is. And practices like this only make me even more determined to avoid them as much as reasonably possible. It's bad enough that pretty much every website out there now is feeding them tracking data (seriously, use Firefox with NoScript and just look at all the sites using Google-analytics, it's *everywhere*). I certainly am *not* about to let them takeover my entire browser too.

They'll have to content themselves with just reading my gmail.

Re:And people ask me why I don't use Chrome

If you're running DNSmasq just add this line:

address=/google-analytics.com/127.0.0.1

and it won't bother you again.

Re:And people ask me why I don't use Chrome

[NeutronCowboy]

And that's why noscript is so important. Yes, with time, everyone is going to consolidate their scripts under the main domain. But there will be ways to control that as well. And ultimately, that's why Firefox, despite all its problems, is a super-important part of the open web.

Re:And people ask me why I don't use Chrome

Ghostery is important. Turn it on, block *. You can still view ads, support sites, whatever, but at least its blocking the tracking pixels...

Re:And people ask me why I don't use Chrome

[Pieroxy]

Yes, with time, everyone is going to consolidate their scripts under the main domain.

And the situation will be fine. Because when people will consolidate their stuff on their own domain, they will be able to track you on their website (big deal, there's access_log anyways) but they won't be able to track you anywhere else.

Which is fine with me.

Re:And people ask me why I don't use Chrome

[MrKevvy]

I support a locked-down corporate image. I'm surprised at the number of people I support that I've found using Chrome.

Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did. I just tried this and was able to install it on the locked-down image, including setting it as default, etc. It may have put its settings in the user-writable area of the registry but it's very sneaky to do so whereas other browsers will refuse to install without admin. privileges. Hey, whatever leads to higher market share, right?

Re:And people ask me why I don't use Chrome

[sakdoctor]

with time, everyone is going to consolidate their scripts under the main domain

No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

Secondly, you're right. All the superficial problems (which I can almost never reproduce anyway) with firefox are nothing compared to having a browser I can trust, from an organization that I'm ideologically aligned with.
Google building a web browser is a conflict of interests; though I'm still glad they did for browser war / political reasons.

Re:And people ask me why I don't use Chrome

added google-analytics.com as a filter in ad-block plus. As well as facebook.com and twitter.com
No script, and ad-block plus are awesome in firefox.
Just from hitting 4 pages (my 4 home pages) I had 14 analytics blocks listed in ad-block.
I only allow cookies from about 8 sites.

Re:And people ask me why I don't use Chrome

[phrostie]

Try Ghostery

I first started using it because of facebook, but after using it and seeing all the stuff that everyone else is tracking, i'm hooked.

https://addons.mozilla.org/en-US/firefox/addon/ghostery/

Re:And people ask me why I don't use Chrome

[Oswald+McWeany]

I use Komodo Dragon which is a free Chromium variant with a higher focus on security and privacy.

I don't know if it really IS more secure and private- but Komodo claims it is; whether Google knows tricks to bypass Komodo's features I don't know.

Re:And people ask me why I don't use Chrome

[Xest]

I don't think Google have done anything wrong there, saving settings to a user section of the registry makes more sense than a browser needing me to give it admin priviliges to write wherever the fuck it wants. It's precisely that sort of behaviour that leads people to click okay each time windows notifies them a program wants admin rights without even stopping to consider why.

It sounds more like your problem is that your lockdown policy isn't configured as you'd like it to be, yet you blame the software for not obeying how you wanted things setup, rather than how things actually are setup, other than that it sounds like Chrome is following correct and best practice behaviour in this respect whereas how you'd have liked it to respond is bad practice and not preferable.

Re:And people ask me why I don't use Chrome

[phrostie]

another cool trick is to set up a host file.

http://winhelp2002.mvps.org/hosts.htm

Re:And people ask me why I don't use Chrome

Firefox installs just fine without admin privileges. Uh, not that I'd ever do such thing on a locked down image, mind you...

Re:And people ask me why I don't use Chrome

[jdgeorge]

Interesting point. I've been on the publishing and browsing sides of this.

As someone developing technical information, it's extremely valuable to know the information Google Analytics provides. It helps tell content creators how useful their content is to the intended audience, whether to invest in translation (and to which languages), and whether it's worth developing more information on a given subject.

As a browser, I generally don't allow Google Analytics and other tracking mechanisms in NoScript, because of general paranoia about being tracked.

For now, I have developed a two-browser web-use approach: I use Google Chrome (or Chromium, depending) for everything I do as a signed-in Google user. For general web-browsing, I use Firefox with NoScript.

I'm somewhat conflicted about the fact that I'm hypocritical in my desire for Google Analytics data while I refuse to provide that useful data to web sites.

Perhaps what I really should do it have a third browser (or configuration), so I have one where I'm promiscuous within Gmail, Google+, and Calendar, a second where I allow traffic analytics when I'm browsing work-related information, and a third, paranoid config for... um... recreational browsing.

Re:And people ask me why I don't use Chrome

[agentgonzo]

The installation of Chrome is one of the reasons that I hate it. You are given no choice as to where it installs. It doesn't install to a system-wide location, but installs (as you say) in user-writable profile space. That means that if you want to run chrome on your computer and you have many users, you need to install it for every user and it will be a separate place on the file-system with each separate installation. And separate settings in the user part of the registry. You *can't* do a system-wide installation (even if you want to!). It's just absolutely idiotic.

Re:And people ask me why I don't use Chrome

[smooth+wombat]

I've seen as well and when I realized that you don't need to be an admin to install Chrome, I was ticked off. To put it mildly.

That is a gigantic security hole just waiting to be exploited. Further, there's a reason corporate machines are locked down. We don't want people, especially IT people, installing every random piece of software that asks the user to install it.

Rule #3 of IT that should never be broken: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball.

It's bad enough that as an admin I am constantly harassed by Windows 7, "Do you want to allow...?" Yes, I'm a fucking admin, just install the damn thing! Now we have to put up with companies making it so every user can install whatever they want and expect us to figure out what they did. Aside from their search engine, I will never use any product of Google, and this crap especially so.

Re:And people ask me why I don't use Chrome

[TheGratefulNet]

Google building a web browser is a conflict of interests

its like playing a game of baseball and having the opposing team provide the mitts, bats and balls.

Re:And people ask me why I don't use Chrome

You *can* do a system-wide installation, it's just not obvious.

Re:And people ask me why I don't use Chrome

Goddamn you. It is not acceptable to mention hosts files on slashdot. If you summon APK, I will find you, and there will be consequences, you bastard.

Re:And people ask me why I don't use Chrome

[BlackSnake112]

But on a locked down machine, nothing should be able to be installed without the admins knowing about it. Period. Google found a way around that. Also chrome has add ins that allow people around more things on a locked down machine. We had a professor that wanted google chrome for a classroom pc. This professor also hated not being an admin on the classroom machines, he complained every chance he got. After chrome was installed he stopped complaining. That machine started to have different settings. The background was changed, screen saver was changed. The registry was totally screwed up. The professor got added to the admin group. We re-imaged the machine. Everything was fine until that same professor went in that room. Then he was admin again. Again we imaged the machine. No chrome. No issues, well, besides his complaining. We now have a no chrome policy on the domain machines. Granted this professor has connections with google, so he may have more insight then other people. He cannot crack the machine without chrome. He tries. We watch him trying to boot the machines off of a USB or CD all the time. That is locked down to. He has said he is going to cut the lock keeping the machine case shut. He is determined, I'll give him that.

Re:And people ask me why I don't use Chrome

[GameboyRMH]

Chrome is probably one of the few Google products you shouldn't have any privacy worries about. It doesn't behave differently to any other browser. Chromium is open source if you want some extra assurance.

As for reducing your Google information footprint, do what I do::

http://slashdot.org/journal/277383/making-google-keep-to-itself-with-multifox

Re:And people ask me why I don't use Chrome

[geekoid]

"I dumb ass"? sigh.

Re:And people ask me why I don't use Chrome

[phrostie]

ROTFL

+1 funny

Re:And people ask me why I don't use Chrome

[GameboyRMH]

Yep I use Ghostery and block all the known tracking services. Using a whitelist system like RequestPolicy would be technically better but it would be a massive PITA to browse that way.

Re:And people ask me why I don't use Chrome

[geekoid]

A practice like what? Behaving as the user requested?

Take over your browser. Yeah, you just stick with browsers then need admin rights, and don't put information you request into a sandbox, that's much better.

Re:And people ask me why I don't use Chrome

[dougisfunny]

I think he's case sensitive.

Re:And people ask me why I don't use Chrome

[Xest]

"But on a locked down machine, nothing should be able to be installed without the admins knowing about it. Period. Google found a way around that."

No they didn't, that's precisely the point, the issue isn't that Google found some way around the lock down, it's that the system wasn't locked down properly to facilitate that goal.

Chrome is not some magical psychic piece of software that can tell what the system admin intended, it can only do what the OS allows it to do and is configured to allow it to do.

If Chrome is able to do things you did not intend on your systems then you have much more serious problems and your systems are incompetently configured and managed. You can guarantee if Chrome is obtaining admin privileges as a legitimate peice of software then a peice of malware would have a hell of a time enjoying your poorly configured systems. The first step to solving your problem is get rid of the geek squad level of staff, and start hiring some proper admins.

Re:And people ask me why I don't use Chrome

[P-niiice]

'l dumb ass.'

I swear to god there's a Will smith reference in there but I can think of an appropriate dumbass to fit in for the robots

Re:And people ask me why I don't use Chrome

http://www.youtube.com/watch?v=IPZQvQMAXvU

Re:And people ask me why I don't use Chrome

Wasn't "I Dumb Ass" the sequel to "I Robot"?

Re:And people ask me why I don't use Chrome

[GIL_Dude]

If you need to block Chrome installs in your locked down environment you can: http://support.google.com/installer/bin/answer.py?hl=en&answer=146164. At one point early in Chrome's life (before the policies existed) we had a desire to block Chrome as it was playing havoc with our authenticated proxy servers (it would just hammer them with failed authentication requests). It plays nice with proxies now, so we don't do anything to either enable or disable Chrome.

Re:And people ask me why I don't use Chrome

[Xest]

"That is a gigantic security hole just waiting to be exploited."

Right, so a browser that isolates itself to userspace is a gigantic security hole waiting to be exploited, yet a browser that requires admin privileges to install is not?

"Further, there's a reason corporate machines are locked down. We don't want people, especially IT people, installing every random piece of software that asks the user to install it."

So why are you letting people run arbitrary executables in the first place if you need that level of control of your systems?

"Rule #3 of IT that should never be broken: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball."

Er no, that's exactly what it DOESN'T do.

"It's bad enough that as an admin I am constantly harassed by Windows 7, "Do you want to allow...?" Yes, I'm a fucking admin, just install the damn thing! Now we have to put up with companies making it so every user can install whatever they want and expect us to figure out what they did."

Well at least now we know you're really not qualified for your own profession. Really, you have a degree of IT security responsibility yet you complain when an OS alerts you to a request by an application for (or if you're a user, blocks you from providing) admin access, and say you just blindly accept, but then you complain when an application doesn't try and obtain admin access that you previously suggested should never be given to a user?

You haven't configured your network to limit what people can run and install, you've configured your network to only allow executables to work within the permissions defined for the currently active user account, Chrome is doing exactly that, thus the only problem is that how you've configured your network, isn't how you seem to beleive your network should be configured.

Re:And people ask me why I don't use Chrome

[EasyTarget]

Well said; just what I was thinking but more coherent :-)

A security policy that still allows users to install software in the userland is not 'locked down'.

Re:And people ask me why I don't use Chrome

And maybe, just maybe, Sergei and Larry eat babies for breakfast that Eric procures for them.

Or may be, just may be, GGP is incompetent as a sysadmin.

Re:And people ask me why I don't use Chrome

[icebraining]

If it was properly locked down, the Chrome installer wouldn't be able to run at all. And if it able to run, then it doesn't need an exploit.

Re:And people ask me why I don't use Chrome

Whether or not anyone uses Chrome, Google still wins. The purpose of chrome was not to necessarily get users -- it was to inject competition into a somewhat stagnant market. If the other browsers had stayed slow, Google wins because everyone uses Chrome. Since they caught up, Google wins because everyone can look at ads faster now.

Re:And people ask me why I don't use Chrome

Frankly I'd do the same things if you pulled that on me. And if you did manage to prevent me from making my computer actually useful to me, I'd probably try to set you up so you got fired.

Re:And people ask me why I don't use Chrome

[icebraining]

But on a locked down machine, nothing should be able to be installed without the admins knowing about it.

No. "Installed" is just a detail and means nothing. On a locked down machine, nothing should be to run from user-writable directories. Clearly your machine was locked down by incompetents; you can be sure that in my university, Chrome wouldn't be able to "install" itself, since no code at all would be allowed to run.

Re:And people ask me why I don't use Chrome

Maybe they do -- if so, all your "standard Windows corporate lockdown setup" PCs are WIDE FUCKING OPEN to anyone who downloads chrome, reverse-engineers it, and implements the same exploit in their malware. Which means YOU have a problem, and would have a problem (but not realize it) even if Chrome didn't exist.

(Silly question, but I'm no Windows admin -- isn't there an equivalent of the "noexec" mount option, to prevent any binaries within certain subtree of the filesystem from being executed?)

Re:And people ask me why I don't use Chrome

[Xest]

What Google is doing in TFA is not an exploit, just because Apple didn't want people to write Javascript in that way, doesn't mean there's anything wrong with it per-se. This isn't to defend it as it's obviously not a particularly respectful thing to do, but it's not illegal, nor does it breach any standards, in contrast, abusing an operating system level exploit potentially falls foul of both these things and opens Google up to a lawsuit. Perhaps you or the GP could consider taking it to court and challenge it there if you genuinely believe it's the case? You'd be able to get a pretty hefty payout or settlement if true.

Don't come crying when you actually get laughed out of court though because it turns out you just didn't know how to configure a network properly.

Re:And people ask me why I don't use Chrome

Pretend it was a trojan or a virus instead of Chrome. Are you going to pretend to blame the virus writer? No: the image was insufficiently locked down. This is indicated by the image's ability to run arbitrary code outside of a sandbox.

Re:And people ask me why I don't use Chrome

[forkfail]

Try Lynx.

Re:And people ask me why I don't use Chrome

[icebraining]

If you're ticked off against Chrome, then I hope you don't find out about PortableApps. Oh, oops.

Rule #3 of IT that should never be broken: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball.

Chrome isn't able to give anyone any rights. It uses the rights the user already has. Maybe you should look at the people you configured that machine (maybe a mirror would be helpful?).

It's bad enough that as an admin I am constantly harassed by Windows 7, "Do you want to allow...?" Yes, I'm a fucking admin, just install the damn thing!

If you can't find out how to disable the UAC, you're in the wrong job.

Re:And people ask me why I don't use Chrome

[korean.ian]

Thanks, was unaware of ghostery until now.

Re:And people ask me why I don't use Chrome

[Baloroth]

If Chrome is able to do things you did not intend on your systems then you have much more serious problems and your systems are incompetently configured and managed.

Just keep drinking the Koolaid...

It's amazing to me that - even despite the story we're responding to - it doesn't even enter your mind that maybe, just maybe, Google knows about a nice little unpublicized exploit that lets them work around the standard Windows corporate lockdown setup.

You know, I was about to point out that the idea of a major company using an exploit to install software was ridiculous. Then I remembered Sony-BMG. I still think the idea of Google using an exploit to install Chrome (knowing it is an exploit and not reporting it) is ridiculous, but I can't really make fun of you for thinking it is possible.

Re:And people ask me why I don't use Chrome

Google building a web browser is a conflict of interests

its like playing a game of baseball and having the opposing team provide the mitts, bats and balls.

Bzzt!

It *is* like going to arbitration and letting the arbitrator be selected by the one party who is a regular arbitration customer.

Re:And people ask me why I don't use Chrome

[Xest]

It makes me despair as it's been some years since I left IT support behind, and I noticed at the time the profession was becoming more and more filled with people who simply have no idea what the fuck they're doing but coast by nonetheless, calling in consultants for a fortune when they don't know how to do something that any half competent IT support person should be able to do, or blaming the software, going off sick, hiding at a different office or whatever else when inevitably things go wrong and they'd otherwise have to face up to their responsibilities.

It seems now that these numpties have found their way to Slashdot, extolling their blame on software to the world at large, rather than facing up to the fact that they just don't know what in the flying fuck they are actually doing.

Of course, the worst part is, they then moan when their job gets outsourced to India - is it any fucking wonder why when they show such ineptitude? It's no wonder Chinese hackers are supposedly pillaging Western firms dry of IP when IT security means "blame the software when your incorrectly configured security policy lets the user do something they weren't meant to be able to do".

This is why IT support has rapidly started to gain the same sort of disrespect as a profession that many manual trades like bricklaying long have, and why support has seen a deterioration in wages to boot - because there's so many IT staff out there who really can't be trusted to show a bit of intelligence and do a good job nowadays, and they drag it down for those who know what they're doing.

I'm just glad I got the hell out of there seeing as it's only continued to deteriorate as a profession!

Re:And people ask me why I don't use Chrome

[noh8rz2]

is ghostery sufficient to block trackers and problems like the article says? I use it, and am always surprised by how many tracking pixels it finds on the web. speaking of which, now slashdot has trackers from twitter, facebook, and google+? that's a pain.

Re:And people ask me why I don't use Chrome

[icebraining]

(Silly question, but I'm no Windows admin -- isn't there an equivalent of the "noexec" mount option, to prevent any binaries within certain subtree of the filesystem from being executed?)

Yes. I don't know exactly how it's done, but I know it can be done, since the public computers on my university prevent it.

Google tells me it's called a Software Restriction Policy.

Re:And people ask me why I don't use Chrome

[GameboyRMH]

Yeah, the only weakness Ghostery has is that it relies on an updated blacklist. With a whitelist policy you can be 100% sure all trackers will be blocked, but it would break half the websites out there that get their images from CDNs etc.

Re:And people ask me why I don't use Chrome

[Jeremiah+Cornelius]

I use Ghostery. Have for years.

It's beginning to worry me. Who's all the captital behind this effort? I mean, Better Privacy and AdBlock are pretty grass-roots, got a bee-in-a-bonnet based efforts.

But Ghostery is a small part of a well-funded startup - with well-paid developers. And graphic designers!
http://www.ghostery.com/

"© 2011 Ghostery, a service of Evidon, Inc. All rights reserved."

http://www.evidon.com/faq

7. Explain your relationship with Ghostery.

Ghostery is the same service it used to be, only better, because now it has the resources of a substantial company to develop even better capabilities for helping consumers discover and control the entities that track them across the web. Moreover, Evidon is not an advertising company; we're an assurance company built to facilitate compliance with OBA regulations. Ghostery's founder, David Cancel, is a shareholder in, and advisor to, Evidon.

Re:And people ask me why I don't use Chrome

[MachineShedFred]

This is why you shouldn't just rely on a "locked down" image. You should also have some asset inventory and / or application metering running if you want to keep it locked down.

If a report runs, and all of a sudden you see chrome.exe showing up, you can have a chat with that user, and it doesn't come as a surprise when a bunch of people are using it.

Re:And people ask me why I don't use Chrome

There's no need to "reverse-engineer" what Chrome is doing, it's all documented at MSDN.

Re:And people ask me why I don't use Chrome

Chrome checks to see if it can install to %PROGRAMFILES% (or %PROGRAMFILES(X86)%). If it can't, it installs to %APPDATA%, thereby filling up the storage you have set up for profiles :)

Re:And people ask me why I don't use Chrome

[TheRaven64]

Well, unless they choose to share that data, of course. Google can easily give you some server-side code that just forwards requests made by gStalker.js to their servers, rather than processing it locally. There's also nothing stopping Google from making Google Ads and Analytics users set a subdomain for these to come from.

Re:And people ask me why I don't use Chrome

Absolutely. With Google, YOU are the product.

If you want a free and open world then please don't use Android.

Re:And people ask me why I don't use Chrome

I've seen as well and when I realized that you don't need to be an admin to install Chrome, I was ticked off. To put it mildly.
That is a gigantic security hole just waiting to be exploited.

It's such a gigantic security hole that Microsoft document how to write an installer that does it on their own website here.

Oh, and if you were actually qualified to do the job, you'd have disabled this in your group policies. Which again, MS tell you how to do here.

Re:And people ask me why I don't use Chrome

[TheRaven64]

Your 'standard Windows corporate lockdown setup' allows end users to run untrusted code that they downloaded from the Internet. I can think of many reasons for calling Google evil, but in this case they are simply doing something that, since Vista, has been a requirement for the 'Designed for MS Windows' logo and part of the recommended practices: allowing non-admin user to install for their own user. It's only 'a nice little unpublicized exploit' if you don't count the articles on MSDN telling you 'this is what you must do in a UAC world'.

It's not Google's fault that you think removing write access to C:\Program Files is the same as preventing users from running their code. Windows has fine-grained ACLs. Learn how to use them. Remove the user's ability to run programs that are installed in any location that they have write access to.

And now I've defended Windows, I need to go and have a shower...

Re:And people ask me why I don't use Chrome

[aztracker1]

Chrome runs with user-level privileges, no administration escalation needed. It even installs in user space, not in common Program Files. Though this is slightly annoying when you *want* chrome to be the default for all users though, it is actually plenty secure. If you don't want users to be able to execute code, you should lock things down better... There are NTFS privileges specifically geared towards being able to run executables in a directory, you should look into it. See: advanced settings. In windows chrome will use whatever system settings are in place for firewall/proxy use as well... so it's not like they're really bypassing anything.

Re:And people ask me why I don't use Chrome

I support a locked-down corporate image. I'm surprised at the number of people I support that I've found using Chrome.

Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did. I just tried this and was able to install it on the locked-down image, including setting it as default, etc. It may have put its settings in the user-writable area of the registry but it's very sneaky to do so whereas other browsers will refuse to install without admin. privileges. Hey, whatever leads to higher market share, right?

Wait, let me get this straight, you're complaining because an app in Windows land actually understands userspace and uses it properly? I don't think "locked down" means what you think it means, or at least it's not achievable by "der, no Admin privs for you!" Separating user space from more priveledged portions of the OS is to protect important parts of the machine from the less trusted parts. Users have always been able to run stuff in user space, that's the OS' job. If you really have a reason to prevent users from running any executable in their little, user sandbox (aka user space) then you need to do something to prevent it. Bitching that the OS does what it's designed to do when someone properly writes an installer that installs in user space is about the dumbest shit I've heard this week.

Just because Chrome choose to use an installer (something that's an expectation among most Windows users) doesn't mean it's playing fast and loose with the rules. They could easily ship a self expanding archive or a standalone executable and you'd still have the same "problem" you're bitching about here. If MS is providing a userspace portion of their registry for userspace programs to write to it's because that's the Windows way (just like the *nix way is to write config files to ~/.).

If I've been harsh, here's why: I don't mind that a user doesn't understand this stuff, but you're in charge of admining this stuff for someone, somewhere and you should understand it better than this. You're screwing up your job and generally making software a worse place than it has to be for the rest of the world by being obstinate and complaining that stuff doesn't work like you expected it to work. You don't get that priviledge, your end users do, but you don't.

Re:And people ask me why I don't use Chrome

[hobarrera]

While part of this is true, INSTALLING an application, in a locked-down enviroment should require root priviledges.

Re:And people ask me why I don't use Chrome

[aztracker1]

It's funny, but on my personal machines, that's pretty much one of the first things I do... (dissabling UAC)... install all the software I want on the machine... then re-enable it. It's annoying installing a dozen or so pieces of software with UAC enabled.

Re:And people ask me why I don't use Chrome

[hobarrera]

Want sort of lock-down keeps changes after a reboot?
Use a user profile in-memory, or something like deep-freeze, etc.
Machines in a shared lab need to be in the same state every time they reboot, not locking them down using windows' "security features". (I smiled writing the last two words)

Re:And people ask me why I don't use Chrome

It's only a step away from having thin clients remoting to fresh copies of a VM on each boot up. Just add network storage for user documents, and you're done.

Re:And people ask me why I don't use Chrome

[Sancho]

Why should a browser need admin privileges? It's just code that executes.

You might find that your "locked-down corporate image" can run any number of applications that don't require admin access, including apps at http://portableapps.com/

You have to get into SRP if you want to prevent users from running executables you don't know about. If you don't want to get into SRP (I wouldn't blame you--it's messy) then if they can write to a directory and execute from that directory, they can install software.

It is not the software's responsibility to ask for permission from the corporation in order to execute. It is your responsibility to ensure that only the software you approve executes.

Re:And people ask me why I don't use Chrome

[SSpade]

You do know who pays for Firefox development, right?

Re:And people ask me why I don't use Chrome

[sakdoctor]

Can someone explain why this is funny?
I can see how it could be funny in a different context, but here it's like the punchline for the wrong joke.

Re:And people ask me why I don't use Chrome

[sakdoctor]

The majority of the Mozilla foundation's funding comes from a search royalties contract, currently with Google.
Problem?

Re:And people ask me why I don't use Chrome

[Anomalyst]

Try ghostery to diddle the site reporting.
http://www.ghostery.com/download

Re:And people ask me why I don't use Chrome

I'm just glad I got the hell out of there seeing as it's only continued to deteriorate as a profession!

What did you end up doing instead? I'm assuming you're not somehow independently wealthy.

Re:And people ask me why I don't use Chrome

[Solandri]

No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

I've been running across more and more sites which won't display their content until I allow Noscript to run all scripts on the page (including advertisers'), turn off Adblock, and disable Ghostery. I've been forced to set up a virtual machine with a clean snapshot of a browser without any extensions to view those sites. But recently the sites of one of the banks and one credit card I use started doing this.

Re:And people ask me why I don't use Chrome

[painandgreed]

I have not used Lynx in many years but have tried to use later browsers such as IE4 (as default install with old an OS) and simply put, most webpages were not readable. If I went to something that was pure basic html (and old website of mine), it was fine, but most web pages were broken to the point of not even displaying anything. I can imagine that this would be even worse with Lynx. You'd go to a web page and probably just not see anything as scripting, flash, etc has become so common that the web is near non-funcitonal without it.

Re:And people ask me why I don't use Chrome

While part of this is true, INSTALLING an application, in a locked-down enviroment should require root priviledges.

Dammit, NO IT SHOULD NOT. A program requiring root privileges to install or run should require root privs. That you said the above says you do not understand how this stuff works. Stop, right now, and learn. If the app does not need root privs it should never request them, under any circumstances. Just because there's a bunch of incompetent Windows sysadmins out there doesn't mean Google or any other software provider should start doing stupid things.

Re:And people ask me why I don't use Chrome

[elrous0]

This is /. so I'm going to need a car analogy.

Re:And people ask me why I don't use Chrome

[notjustanotherhacker]

Google Chrome installs the data *AND* executables under the user directory. That's one of my top three complaints against Chrome.

Re:And people ask me why I don't use Chrome

[sexconker]

I think he's case sensitive.

No, you just have to stand in front of a RAID 1 mirror and say:
hosts file apk.
hosts file apk.
HOSTS FILE APK!

Re:And people ask me why I don't use Chrome

[NotBorg]

Don't buy a car from Exxon Mobil and expect it to be fuel efficient.

Re:And people ask me why I don't use Chrome

Care to provide some examples? I'm really curious about this.

Re:And people ask me why I don't use Chrome

[glennpratt]

It is unbelievable how completely backwards you and others get this situation.

Chrome for Windows actually follows the correct model, you just aren't used to it because so many Windows applications are completely backwards in requiring admin privileges for no good reason.

Windows allows users to execute arbitrary applications and install them as a regular user in isolated directories and registry space, that's a choice Microsoft made (and has frequently encouraged developers to support). If that's too open for you, you need to look to lock down software or get crafty with your Group Policy It's NOT Microsoft's or Google's fault, you just don't understand it.

Re:And people ask me why I don't use Chrome

[datsa]

https://danieltsadok.wordpress.com/2010/05/07/google-analytics-is-even-more-dangerous/

Re:And people ask me why I don't use Chrome

[datsa]

I wrote the White House asking them to take off Google Analytics. They didn't respond.

Re:And people ask me why I don't use Chrome

[OS24Ever]

Posted to a website where Ghostery tells me that Facebook, Google +1, Google Analytics, and the twitter button links are being blocked.

Re:And people ask me why I don't use Chrome

Much like programmers who write shitty code that Helpdesk staff have to try and support. Go beat your fucking drum elsewhere you moron. The IT world is probably better off without you. I figure you know so much about hiding when things go wrong, that you must have been the first one to run. What else are you fucking up now

Re:And people ask me why I don't use Chrome

+1, You won the internet today.

Re:And people ask me why I don't use Chrome

[Vegemeister]

You must work in my University's IT department. The idiots can't even figure out how to put home directories on the CIFS share, but they managed to 'disable' (by hiding) notepad and paint, and prohibit users from right clicking on the taskbar.

Protip: 'Install' means nothing. Unless you only allow users to run cryptographically signed binaries, they can use whatever the hell web browser they want. And frankly, which web browsers people use is none of your business.

Re:And people ask me why I don't use Chrome

I already had it blocked out in my custom HOSTS file (along with 1,656,592++ other KNOWN bad sites/servers/hosts-domains that serve up malicious scripts &/or malware etc.- et al).

That's the security-side of it... the other side's FASTER online websurfing (blocking adbanners & resolving hosts-domains to IP addresses of 250 of my fav. sites in it as well, which results in FAR faster resolves than calling out to a remote DNS server (which may even be compromised via redirect DNS poisoning that's been going on the past few years now)).

Between a custom HOSTS file, & using "filtering" DNS servers (that specialize in blocking out malicious script & malware serving domains + phishing/spamming ones)? I am safer, by far, than most folks are online, & FASTER too!

---

Options for "DNSBL filtered 'secured'" DNS servers:

A.) Norton DNS (198.153.192.50 and 198.153.194.50/198.153.192.40 and 198.153.194.40/198.153.192.60 and 198.153.194.60) -> http://nortondns.com/ [nortondns.com] & you can even see how it updates every few minutes vs. known malicious sites-servers, here -> http://safeweb.norton.com/buzz [norton.com] as well as get a GOOD read on how/why it works, etc.- et al, here https://dns.norton.com/dnsweb/faq.do [norton.com]

It filters vs. MANY threats online & IS UP TO DATE as is possible I'd imaging (see those links, you'll understand WHY I state that). It's part of WHY I use it as my PRIMARY DNS here...

---

B.) ScrubIT DNS (67.138.54.100 and 207.225.209.66 ) -> http://www.scrubit.com/ [scrubit.com] & here is a good read on how/why it works via its FAQ's as well -> http://www.scrubit.com/index.cfm?page=faq [scrubit.com]

---

& of course

C.) Open DNS (208.67.222.222 or 208.67.220.220) -> https://store.opendns.com/get/home-free [opendns.com]

---

EACH IS FREE, & WORKS vs. threats online of MANY kinds, doubtless via a form of DNSBL they use for filtering those threats out!

(E.G.-> Phishing/Spamming, Malware hosting sites/servers, Maliciously scripted hosts-domains etc./et al & more...)

* I use ALL 3 of them (mostly as "failovers" for one another, in case my primary can't resolve a host/domain name to an IP address, & w/ Norton DNS as primary)!

(I do so, in a "layered triumvirate formation" in BOTH my IP stack DNS settings in Windows (software-side), as well as in my LinkSys/CISCO router here (hardware-side))...

APK

P.S.=> Simplest principle there is, of "I can't get burned when I can't go into the malware fire", so-to-speak (and IF I were to somehow be infected? The custom HOSTS file acts as a "1 way valve" in yet ANOTHER way - the malware/exploit cannot "talk back to mama" (it's C&C server if any) either - BONUS!)...

LASTLY, & to "security-harden" my system even further, I do what's noted in these links (utilizing the principles of "layered-security"/"defense-in-depth"):

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com] ... apk

Re:And people ask me why I don't use Chrome

[Ectospheno]

I'll ask you the same question I ask everyone else who seems to be highly concerned about companies knowing things about them. Why does it bother you?

I use Google for pretty much everything. I'm a Google Apps for Business customer and have been very pleased with the services they provide. Their products work well and the uptime/cost ratio is excellent. I'm assuming their ads are still nonintrusive but honestly I wouldn't know as I use adblockers with rather strict rulesets so I never see any of them.

Do they know a metric crapton about who I am and what I do? Sure. Why should I care about this? How does Google knowing what videos games I play or what books I read matter to me in my day to day activities? So they know I played Skyrim a lot and which bands I listen to. Who cares? Everyone who matters in my life already knows all of that anyway. Why panic because Google knows it too?

Re:And people ask me why I don't use Chrome

[petsounds]

It's a good point to bring up. I too have used Ghostery for a long time and put some amount of blind trust in what they're doing. But looking Evidon's site, I see that the main thrust of their revenue seems to be in selling compliance products to governments and corps. This app which manages browser trackers for compliance is likely based on the Ghostery codebase and likely why they scooped it up.

And I see on Ghostery's blog that they blacked out their site during the SOPA Blackout day. So it's always good to question who's pulling the strings behind the curtain, but in this case I think both the company and the users of Ghostery win.

Re:And people ask me why I don't use Chrome

[Jeremiah+Cornelius]

"I just wasn't made for these times..."

Re:And people ask me why I don't use Chrome

[Pieroxy]

But the cookies are domain dependent. They may share all the data in the world, they won't know how to match it with the other domain data. Google cannot do its job with analytics even if I forward all the requests server side to them. The cookie they dropped on xyz.com won't show up on my browsing data. They won't be able to correlate.

Third party cookies: It should be only the cookies from the page you see the URL in the browser address bar that are allowed. None other.

Re:And people ask me why I don't use Chrome

[shutdown+-p+now]

Rule #3 of IT that should never be broken [earthlink.net]: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball.

Chrome doesn't break this rule, since it doesn't give users administrative rights. It can install and run quite fine without them, that's the whole point.

That you somehow think that users with admin rights can't install or run software on Windows just shows how badly you misunderstand the Windows security model. Guess what? It's not just Chrome they can run, it's also any app repackaged as "portable", so long as they extract it to %USERPROFILE% and run it from there. That means Firefox and many other things, too.

Re:And people ask me why I don't use Chrome

[DMFNR]

Sure you don't see images, Flash, and most scripts don't work (although I find most web forms are still functional). If most of your Internet use is based around the consumption of text something like Lynx is a good way to remove all of the other distractions. I like using a modern browser and enjoy a rich multimedia experience online but for someone who just wants raw information on a subject and couldn't care less about the other stuff Lynx is a great tool. I even use a console based browser from time to time when I'm working in text mode and I need to reasearch something I need info on. I'm willing to be Lynx works far better on the modern Internet than something like IE 4 would simply because it doesn't even try to render all the multimedia crap, it just ignores it.

Re:And people ask me why I don't use Chrome

I can't provide examples, as those sites are few and far between for me, but I normally just close the site window. If they're going to demand that, they've lost a pair of eyes.

Re:And people ask me why I don't use Chrome

[lister+king+of+smeg]

all he would have to do is run it off of the portable apps platform. then he could have his browser, i know that is what we do in my webscripting class. the first week of class we installed firefox filezilla and notepad++ on usb drives. we had to do that because the computers have deep freeze installed and a new user account is generated on loggin and the old one deleted on logout unfortunately it occasionally flips the directory bit when ftping files to the web server thus breaking the uploads

Re:And people ask me why I don't use Chrome

[lister+king+of+smeg]

deep freeze is evil.

Re:And people ask me why I don't use Chrome

[lister+king+of+smeg]

i do not entirely agree while you have the right what every you want on your computer you do not have the right to run what ever you want on mine which you are barowing.

Re:And people ask me why I don't use Chrome

What Google is doing in TFA is not an exploit, just because Apple didn't want people to write Javascript in that way, doesn't mean there's anything wrong with it per-se.

So if many browsers had a setting that disallowed actions unless you click on a link, would it be okay for companies to disguise links as say, scroll bars in order to install ads? Would it be okay to post an advisory on the Web page saying if you're using a particular browser clicking on those scroll bars won't install advertising cookies when it in fact does just that?

Sorry, Google does a lot of cool stuff. I have good friends that work there. They also do the occasional slimy thing, and this is right in there. They're hiding invisible dummy forms on their sites specifically to try to bypass privacy controls the user has chosen. That's little league evil right there.

Re:And people ask me why I don't use Chrome

The installation of Chrome is one of the reasons that I hate it. You are given no choice as to where it installs.

I am given a choice. I can drag it into the /Applications directory or the ~/Applications Directory or heck, ~/Pictures if I feel like it. The "registry" is for outdated OS's with lousy application packaging strategies.

Re:And people ask me why I don't use Chrome

[csirac]

But the cookies are domain dependent.

True, but...

They may share all the data in the world, they won't know how to match it with the other domain data. Google cannot do its job with analytics even if I forward all the requests server side to them. The cookie they dropped on xyz.com won't show up on my browsing data. They won't be able to correlate.

False, I'm afraid

Third party cookies: It should be only the cookies from the page you see the URL in the browser address bar that are allowed. None other.

Some-origin policy applies to the URL of the script js, not the document using that script.

Re:And people ask me why I don't use Chrome

[Pieroxy]

They may share all the data in the world, they won't know how to match it with the other domain data. Google cannot do its job with analytics even if I forward all the requests server side to them. The cookie they dropped on xyz.com won't show up on my browsing data. They won't be able to correlate.

False, I'm afraid

Since you're obviously smarter than me, can you explain how a cookie dropped on my browser by abc.com will be used to correlate my browsing on the site xyz.com? Of course, they have only scripts and resources originating from their own domain, which is the assumption in this thread.

Your turn.

Re:And people ask me why I don't use Chrome

[zakkie]

I went completely the other way and removed AdSense & Analytics from my site. If Google are that desperate to fuck with privacy and shit, they will have no help from me.

Re:And people ask me why I don't use Chrome

What happens if they want to write a little program/script to help them work more efficiently?

Man, you IT overloards just take away all the benefits of having a computer, don't you?

Re:And people ask me why I don't use Chrome

[Vegemeister]

I'm not talking about rights. I'm talking about what is reasonable. Preventing users from opening notepad and paint; forcing users to browse the web with Internet Explorer, ads and all; disabling Aero so that graph lines produce godawful beat frequency tearing patterns when scrolled; disabling task manager. These are obstacles to productivity which do not provide sufficient security benefit to offset the inconvenience.

Re:And people ask me why I don't use Chrome

[thejynxed]

Because it never just stops at what games you play or what music you listen to, and by that point, it's already too late. Your information has already been sold to whomever shows up with the appropriate amount of money.

Re:And people ask me why I don't use Chrome

LOL why the anger?

sounds like he's busted your ruse, go back to mcdonalds or whatever

Re:And people ask me why I don't use Chrome

[TheRaven64]

Does the script run in a sandboxed environment or an already-installed program (e.g. mathematica, MS Office, cmd.exe)? If so, fine. If not, justify it to your boss. If it's really that useful, then maybe it should be part of the default image...

Re:And people ask me why I don't use Chrome

[mrmtampa]

But you trust Apple!!

Apple doesn't need cookies to track your web behavior, they have access to the iOS logging facility. What they've done is to prevent their competitors; Google, Amazon, Microsoft and others from obtaining the same data. Google found a way around this tactic. It's called competition.

However it looks like Google, after opening the door, left it open for everyone else to follow them in. They say they've closed the door but is it closed for all, or just everyone else?

Re:And people ask me why I don't use Chrome

[metaforest]

I do not use Chrome because it has onerous terms in the EULA. Namely, that I must accept all updates to the application and I cannot block their attempts to update it.

If you have made the mistake of installing a Google App on your system.... you are leaking a lot of info that you might not want them to have...

Pretty much all Google apps create a giant sucking sound on your private data.

Re:And people ask me why I don't use Chrome

Sandboxed, no.
Does "python" count as a already-installed program? bash?

How can I justify it, I'm just writing it. And no, not in the default image. This is just a little tool to automate my work. It's not a general purpose tool for the company.

Not all software is meant to be engineered for long-term/wide use.

Re:And people ask me why I don't use Chrome

[csirac]

Since you're obviously smarter than me,

I'm sorry if I sounded like a jerk, that wasn't my intention.

can you explain how a cookie dropped on my browser by abc.com will be used to correlate my browsing on the site xyz.com? Of course, they have only scripts and resources originating from their own domain, which is the assumption in this thread.

The HTML rendered by xyz.com includes a script tag resulting in a fetch of abc.com/foo.js. That HTTP request to abc.com/foo.js comes not only with the cookie which was set last time you fetched any other site using abc.com's foo.js, identifying who you are, but also an HTTP Referer header indicating which HTML document it's being loaded from, indentifying what you're looking at.

Re:And people ask me why I don't use Chrome

[Pieroxy]

Then you just don't know how to read. What is uncler in the sentence "scripts and resources originating from their own domain" ?

Please reread all the history. It looks as if you jumped in not knowing what we were talking about.

Where's the money from?

[Sez+Zero]

the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

If I were a company that made my money on hardware and my main competitor was a company that made their money on ads, I'd most definitely be trying to tweak my software to stymie "industry-standard" practices.

Re:Where's the money from?

[oh_my_080980980]

By allowing users to block cookies. Yeah real violation......since blocking cookies is an industry standard.

Re:Where's the money from?

[inpher]

Apparently this is how Apple "stymie industry-standard practices":

Now, from what I can tell, the first part of that story is true – Google and many others have figured out ways to get around Apple’s default settings on Safari in iOS – the only browser that comes with iOS, a browser that, in my experience, has never asked me what kind of privacy settings I wanted, nor did it ask if I wanted to share my data with anyone else (I do, it turns out, for any number of perfectly good reasons). Apple assumes that I agree with Apple’s point of view on “privacy,” which, I must say, is ridiculous on its face, because the idea of a large corporation (Apple is the largest, in fact) determining in advance what I might want to do with my data is pretty much the opposite of “privacy.”

Then again, Apple decided I hated Flash, too, so I shouldn’t be that surprised, right?

[...]

I don’t know, but when I bought an iPhone, I didn’t think I was singing up as an active recruit in Apple’s war on the open web. I just thought I was getting “the Internet in my pocket” – which was Apple’s initial marketing pitch for the device. What I didn’t realize was that it was “the Internet, as Apple wishes to understand it, in my pocket.”

Does not make any sense to me. First the author claim that Apple should have actively asked him do define the security settings and because it did not Apple is somehow evil. No operating system ever can actively ask their users to set up everything to a microscopic level, there has to be a default somewhere. It would take days to get through all the settings on my computer. I would say "fuck this" after fifteen minutes of configuring panels where I left almost everything set to the default anyway.

How could Apple agree with your stance on privacy unless you tell Apple your privacy wishes? The author seems to be well versed in computers and smartphones, I am sure he could figure out how to tell Apple how his privacy should be managed.

Then he somehow thinks Flash is an industry standard. This is what Apple allows to run in mobile Safari and disallowing non-standard (arguably proprietary) third party extensions is not really how you stymie industry-standard practices.

Re:Where's the money from?

John Battelle is a pro-Google hack. The dude makes his living writing about google and using google to serve ads. Don't be surprised.

Re:Where's the money from?

[Mister+Whirly]

Yeah, but when everyone else doing developing is ignoring the standards, what happens to the ones that stick with them?

Re:Where's the money from?

John Battelle has finally lost what was left of his journalistic integrity. He defends Google doing something obviously dishonest, because he's made his millions from running an ad network of his own on the back of Google's DoubleClick.

Oh I guess he's got street cred since he's "down" with those hypocrites over at BoingBoing.

Re:Where's the money from?

Industry Standard and / or proprietary can also be 3rd party extensions and vice versa.

Flash is one of them. 90%+ of the devices connected to the web has has a Flash Player (be it full or mobile). A huge number of multimedia rich websites are Flash based. Facebook uses Flash for its video. A year ago, all major sites use Flash one way or another (be it ads or content).

Flash *IS* an Industry Standard. Every normal user and their mother, and every web designer and their mothers have been using it for the past 10 years.

Is it an multiple vendor agreed upon standard? no.

If you argue Flash isn't Industry Standard, you must also argue that the old VGA port was never industry standard either despite having a 99% penetration rate. IBM threw together some wires and called it a day. A day that everyone used for a few decades up until DVI/HDMI started cropping up.

Re:Where's the money from?

[inpher]

Industry Standard and / or proprietary can also be 3rd party extensions and vice versa.

Flash is one of them. 90%+ of the devices connected to the web has has a Flash Player (be it full or mobile). A huge number of multimedia rich websites are Flash based. Facebook uses Flash for its video. A year ago, all major sites use Flash one way or another (be it ads or content).

Flash *IS* an Industry Standard. Every normal user and their mother, and every web designer and their mothers have been using it for the past 10 years.

Is it an multiple vendor agreed upon standard? no.

If you argue Flash isn't Industry Standard, you must also argue that the old VGA port was never industry standard either despite having a 99% penetration rate. IBM threw together some wires and called it a day. A day that everyone used for a few decades up until DVI/HDMI started cropping up.

You are confused about the meaning of Industry Standard. An industry standard is not "something very common", an industry standard is something adhering to a very specific set of rules as specified by a Standards Body such as W3C, VESA, CEN or WSC. While Flash is not an industry standard.

google does a lot more than that

[alen]

i have a few browsers on my iphone including a private browser. i've had it for years since before apple put the functionality into iOS. All it does is ride on top of stock safari on the iphone but creates a private browsing session.

i've noticed that some searches i did in the private browser come up as past searches in stock safari and on my laptop. which means that google is probably reading the UIDID or whatever it's called and using it to correlate users across devices even if they don't log into google

Re:google does a lot more than that

You can also turn on private browsing on the default safari browser on iphones by going to settings>safari and moving the slider

Re:google does a lot more than that

[alen]

yes in iOS 5. but i've been using this for 3 years now and it does some things that stock safari doesn't. and i still keep my history in safari so i have to type 2 seconds less

Re:google does a lot more than that

[JeremyBanks]

iOS Safari has a built-in private browsing setting now. Have you given it a try?

Re:google does a lot more than that

[moderatorrater]

Do you still use non-privacy browsing? Because if they're able to take your private session and correlate it with a non-private one (for instance, by ip address) then they will almost certainly do so. I'd be surprised if apple allowed people to get the UDID in the browser.

Re:google does a lot more than that

[Sancho]

Yeah, but it's pretty annoying having to go outside of the app just to change a simple setting.

I trust google as much as microsoft

[FudRucker]

i rather use Linux

http://duckduckgo.com/

Re:I trust google as much as microsoft

[hobarrera]

As much as I prefer to avoid using google, regretably, the results on duckduckgo.com aren't comparable, by far. I hope they are some day, since it's a pretty good initiative.

Re:I trust google as much as microsoft

[thetoadwarrior]

It's not too bad and sometimes it's better than Google but when DDG gets it wrong it's really wrong.

Re:I trust google as much as microsoft

[shutdown+-p+now]

DuckDuckGo uses Bing among other sources. So, apparently, you trust Google less than you trust MS.

Re:I trust google as much as microsoft

[arose]

DuckDuckGo uses Bing, not their users. Unless of course they have started passing through user data in violation of their policies or somesuch problem that any external service is vulnerable to.

Invisible forms all over the place

Surely the 'invisible form' is not in itself new? I have always had the firefox/mozilla/etc 'security.warn_submit_insecure' set to 'true' and the warning pops up in all manner of places where you have done nothing but viewed a page.
I always hit 'cancel' as a matter of principle since when it first appeared for no apparent reason I took it to be someone's way of getting my browser to do something which I would either probably not want it to do or that they did not want me to know about.

On the other hand, it is a technique used by at least one or two types of forum software to update DST settings, so it's not always nefarious.

Advertisers of the world unite

[jameslore]

John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users. Further, that he angry that Apple opted him out by default, rather than forcing him to opt-in to privacy.

Regardless of your views on the evil of (Apple|Google|whoever) this seems an odd argument. Unless you're an advertiser, of course.

Re:Advertisers of the world unite

[Nerdfest]

It's not that strange a view. If I'm going to see ads, I'd like to see target ads. Apple doesn't seem to give you the choice (or at least, the default is to block ... I don't know if you can change it later).

Re:Advertisers of the world unite

John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users

No surprise, this is a guy who has earned the bulk of his fortune running an ad network/agency that uses Google to deliver ad content. The rest of his money comes from lip-service hackneyed books about Google.

Re:Advertisers of the world unite

[jameslore]

You can indeed. It's on the Privacy tab in Safari preferences on the Mac, and the Privacy section of Safari preferences on iOS.

Personally, I've no objection as long as I'm *asked* to opt-in. If I'm not, the default should be opt-out.

Re:Advertisers of the world unite

[dzfoo]

The setting in question is, from within the "Privacy" tab in the Safari Preferences window:

Block cookies:

• From third parties and advertisers
• Always
• Never

By default, the first one is selected. What it does is make Safari reject any cookie not originating from the domain of the currently opened page URL. This includes requests from iframes, images, and any other resource requested from an external domain.

That's it. By design, this should prevent, say, a cookie from "webtrendslive.com" or from "googleanalytics.com" unless the user is at a site hosted by those domains.

This is a good default, for this would be what most users would be expecting. The assumption is that any resource hosted on an external URI is most likely for advertising and tracking purposes (which, as it turns out, is true).

It would be understandable if the work-around was applied to a web site that depended on third-party resources which required the setting of cookies from said party in order to function--admittedly a rare edge case.

However, it's the advertisers themselves that are working around this feature; and this shows their intent on ignoring user preferences.

The user can always change it to "Never" and receive cookies from any, all, and sundry.

        -dZ.

sounds familiar

the cookies that facebook uses so facebook can track you on all the sites that have "you like this button"

Right or wrong...

[sootman]

... it's really a clever hack. ("Hack" as in "clever workaround", not "ZOMGbreaking and entering!!!11") RTFA (not paywalled at the moment) and click on the infographic to see what they did.

Re:Right or wrong...

[sunderland56]

The headline of the article should really be "Safari's privacy controls are weak and ineffective".

If someone leaves your front door wide open, and a skunk wanders in, do you blame the skunk, or do you blame whoever left the door open?

Re:Right or wrong...

[fl!ptop]

click on the infographic to see what they did

Of course, you have to disable NoScript to click the infographic.

We found your privacy feature inconvenient.

[VGPowerlord]

Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content â" such as the ability to âoe+1â things that interest them.'

In other words: "We found the wall inconvenient, so we simply tunneled under it."

Yes, Google, which part of "bypass" do you not understand?

What you're doing now is going to result in an arms race between you and several of the major web browser authors, including, perhaps, your own Chromium project.

What's next in this arms race, the inability for iframes to have forms? The inability for JavaScript to submit forms? The inability for JavaScript to run in iframes?

Re:We found your privacy feature inconvenient.

[geekoid]

"In other words: "We found the wall inconvenient, so we simply tunneled under it.""
no.
In other words " We are giving the user what they asks us to give them, that can turn it off."
This isn't an arms race, it isn't a war, it isn't..well anything of note.

If you replaced Apple with MS, the story would be about how poor MS security is..and I would still be saying the same thing: NTSH

Re:We found your privacy feature inconvenient.

Alternate headline: Safari browser contains bugs that are exploitable by 3rd parties.

Re:We found your privacy feature inconvenient.

[Improv]

The user's browser settings should take precedence over some web service.

Re:We found your privacy feature inconvenient.

[Mistlefoot]

Read your quote. "opted to see".

Why is a wall blocking someones ability to opt in to a service? If I opt in for any service I would not normally expect a piece of software to use a different technique to add additional walls. Since Safari is the only browser that does that it's pretty obvious were the fault lies.

Re:We found your privacy feature inconvenient.

[VortexCortex]

The retarded part of this whole thing is that Apple's Safari was allowing 3rd party cookies AT ALL when 3rd party cookies are disabled. Remember, Apple sells ads on its platforms too. Now, it's QUITE simple to detect if any action actually came from a user initiated event. This is how most pop-up blockers have worked since 2000, including the ones built into our browsers. The JS that creates a new window/tab is blocked unless the JavaScript is executed as the result of actual user interaction... Point being: Apple knows how to detect if its a user action or not.

Additionally, when I was testing Safari a few years ago, any cookie that was already set would keep being sent to the server even after you disabled all cookies -- That option just disabled "new" cookies from being created. The old ones were still sent, not sure if this is still the behaviour because I stopped using their systems when their systems lied to -- or, at best, misled -- their users. Their settings have always been specious. Apple doesn't have a good track record when it comes to cookies.

The fact that Safari assumed that form submittal was a user initiated event is a big problem here too. This "invisible form" submission is how we did "Ajax" like Web2.0 features before XML HTTP Request objects were around. JS populates a form in a hidden iframe, submits, then the JS on the page, or in the iframe from the server, changes the main page without reloading it. If Safari is confusing this with a user action, I'd be calling Apple programmers on the carpet, "Did you do this?!? BAD CodeMonkey! BAD! No Banana, or APPL!" (it's actually difficult for me to believe this isn't Apple's intended design)

Don't get me wrong, I hate tracking more than the next guy, and instead prefer content based relevancy, but many users have Opted In to the Google Ad network. It's getting harder to opt out of parts of it w/ their new privacy policy. I keep separate accounts for G+, Gmail & Youtube because I don't want an action on one to ban me from the other. Point being, if you're logged in, you've logged in, and you agreed that it's fine for Google to target ads at you. They can't very well give you targeted ads in exchange for your privacy if they can't see if you're logged in or not via cookie...

I don't blame just Google for finding a way to get opted-in Safari users the content they opted-in to, even if it's ads. I also blame Apple for saying "3rd party cookies are disabled", when in reality, 3rd party cookies ARE SLIGHTLY DISABLED, unless you interact with the Ad, or we think you might have done so... You know, because We (Apple) also want to use those 3rd party cookies.

Here's an idea: SAFARI SHOULD BLOCK ALL 3RD PARTY COOKIES [PERIOD]! Otherwise, the "Block 3rd party Cookies" option actually doesn't.

Cookies are the easy-mode tracking channel. Many other methods exist. Hell, Mozilla removed the UI for 3rd party cookie disabling since it was so damn easy to work around. Had to use about:config for a while there, but now Firefox has the 3rd party cookies UI again. At the very base layer your IP address and time stamps are all the ad networks need. Blacklist the sites. Some Ad-block extensions actually make a request before not displaying the content -- Mission Failed.

Posted to remove a bad mod... figured I'd contribute in the process.

Re:We found your privacy feature inconvenient.

[VGPowerlord]

In other words " We are giving the user what they asks us to give them, that can turn it off."
This isn't an arms race, it isn't a war, it isn't..well anything of note.

Except Google isn't giving the user what they ask for, they're attempting to make it so every site you visit transmits at least some data to Google for the sake of "convenience," which incidentally is something Facebook, another site well known for its "privacy" does.

Having said that, assuming Safari for iOS has the same settings as Safari for Mac does, you can turn on third-party cookies on in the Safari Preferences under Security. I believe the setting is to set Cookies to "Always" instead of "Only from sites I visit."

However, Google decided that wasn't good enough and wanted it to work despite the browser being set to disable cookies from sites other than the one you're visiting. Which, btw, is a hole in the Same Origin Policy that browsers are enforcing, but apparently not on form submissions.

Re:We found your privacy feature inconvenient.

You are a moron.
    There is a setting in the browser "Accept 3rd party cookies" with a toggle on/off. It exists on Safari and Firefox.
(not sure about Chrome) The only difference is the default setting - the user has control to opt-in or opt-out on both.
It's just that since safari default it to no, more people don't accept cookies, so google and other advertisers put the
clever hack to go against the users setting. And until this article (and the WSJ contacting google about it) Google's
  own "opt out" page says that safari already blocks this so you don't have to do anything.

    If you opt in for a tracking service - it should NOT hack around privacy settings - it should alert you that
you need to change your privacy settings. Because the hack was affecting every user, not just those that opted in.

Re:We found your privacy feature inconvenient.

Never underestimate Google's hypocrisy. Have you realized that never, not a single time, has Google admitted to have made a mistake? They are always misunderstood, or misquoted, or they did it for the users (Real Names fiasco).

Re:We found your privacy feature inconvenient.

[DJRumpy]

This deserves re-posting. Not sure why it was posted anonymously as it is very relevant:

There is a setting in the browser "Accept 3rd party cookies" with a toggle on/off. It exists on Safari and Firefox.
(not sure about Chrome) The only difference is the default setting - the user has control to opt-in or opt-out on both.
It's just that since safari default it to no, more people don't accept cookies, so google and other advertisers put the
clever hack to go against the users setting. And until this article (and the WSJ contacting google about it) Google's
    own "opt out" page says that safari already blocks this so you don't have to do anything.

        If you opt in for a tracking service - it should NOT hack around privacy settings - it should alert you that
you need to change your privacy settings. Because the hack was affecting every user, not just those that opted in.

It should be noted that once Google was caught doing this, they quickly removed the information on their own site regarding this setting in Safari.

Safari has a long history of cookie problems

[MrLint]

IIRC the first 3 major versions of Safari on OS X totally ignored the setting for 'don't allow 3rd party cookies'. I had to file a bug that apple.com was setting these cookies w/ safari.

These assertions are really empty for me personally, since apple's site has partners that set these cookies, and apple's devs couldn't bother to implement this feature right.

And yes, my bitterness permeates everything:)

Re:Safari has a long history of cookie problems

[MrLint]

Actually I want to clarify. I recall better now that at least the first version of Safari did not have this feature. Later versions did, but it did not work.

Re:Safari has a long history of cookie problems

Except for ability to turn off the plug-in entirely, it also fails to deal with those unnoticed JAVA droppings written regardless of mode.

But they're "Industry-standard practices!!!"

He really rips Apple a new one for its "efforts to stymie industry-standard practices."

His basic thrust is, big companies are evil, therefore bigger companies are more evil than smaller companies, Apple is a bigger company than Google, therefore what Apple wants is more evil than what Google wants. Apple wants to hide your personal information from Google by default, Google wants your personal information by default, therefore you should give your personal information to Google by default.

Which is, of course, absolutely not what I want.

AppleGoogleFacebook

The spying is out of hand. I am a man, not a cookie tracked USERID !!!

On the other hand .... if google can break Apple's "walled garden" (some might call it prison), then I'm sort of okay with it.

not an exploit?

If it can be done without using exploiting a bug it's not so much cheating (I may even say it's not evil-evil) as just using tricks. If you ever done something for the web you know that tricks are commonplace. Now things are a bit better, but during the time of IE5 and 6 tricks were bread and butter, you couldn't do anything without them.

Sounds to me...

[goathumper]

This sounds to me more like a defect in Safari's cookie handling than a problem on Google's part. Sure it's a dicey practice anyway to overtly try to circumvent those security and privacy features, but if the browser in question had implemented them properly in the first place this would be a non-issue.

Re:Sounds to me...

[crmarvin42]

Why can't it be both?

Apple has a responsibility to their customers (me) that the software works as described. Blocking cookies "always" should always block cookies. OTOH, Google as a service provider should accede to the wishes of their users or simply deny them services. What they did was say "ok, we'll do what you want" and then ignore that implied promise. Both sides here are covered in feathers.

As a result I'm now looking for added layers to prevent Google from working around Apple, and to ensure that what Apples software is supposed to be doing is in fact being done in the form of a Cookie manager.

Re:Sounds to me...

Apple has a 'privacy' feature that is implemented in a way it is trivial to bypass. Google and other advertisers want this functionality, and see the work around, and implement it. Google is at fault. Folks, we've been doing this in web development since day one, its hacks and kludges that got us much of the functionality we enjoy. People looking at a problem and finding a way to implement it that may not be ideal, but works. You may not like this particular feature, but it's not nefarious for a developer to step a bit outside the spec.

Maybe apple fixes it's implementation or decides to remove the 'feature' since it doesn't work? What were they thinking? "Well, there's no way really to do that without breaking other shit, so we'll just put a checkbox here that says you can. That should do it." Good job Apple, this is what we expect from you, shiny on the outside, but filled with shit.

Re:Sounds to me...

It sounds to me like Google is just doing what it normally does and Safari's blocking is simply not working as advertised. It is in no way Google's responsibility to know the inner workings of every browser. It does not sound in any way like Google decided to manufacture a back door into Safari.

Re:Sounds to me...

[larry+bagina]

You couldn't be more wrong if you tried. Google detects and serves up different ads for Safari users, adding a hidden form in an iframe that auto-submits to make themselves a first-party. They don't do that on other browsers (which default to accepting third party cookies)

If that's not knowing the inner workings and manufacturing a back door, what is?

The also are doing redirect links now

A few days ago I also noticed they started doing redirect links for search results. They used to do this for ads, but not it includes the links you are really looking for. The real link is still in the URL which I have started extracting by hand, but it makes google a lot more painful to use.

not new really...

[Narcocide]

This is hardly the first time this has happened. Its been pretty much common practice since day one in the web advertising industry to pretty much assualt every single client-level security barrier as far as trackability and domain encapsulation in any browser with the full force of their research budgets. What is surprising to me is that in all these years this is the first time anyone else has figured it out apparently.

haha

[geekoid]

Man. if this is the stretch people have to go through to blame Google for something, Google must be doing pretty damn good.

Seriously, this is, yet again, another NTSH article about Google. They are doing what the user opted in for them to do.

Re:haha

It's funny, city of portland IT drone Garrett Moffitt, you are so pro google in any article you can be. One might accuse you of bias... It's all perspective. In this case, Google was treading a slippery slope. Hopefully they'll get a bit of bad PR and change this. No big deal.

Stick to updating your cat's blog.

Re:haha

[crmarvin42]

How so?

My cookie settings were as described "only accept from sites I visit". Google tricks my browser into thinking I've visited a site I did not, in fact, visit. They do this by submitting a form and intentionally making in invisible to me. At what point did I "Opt in" to this behavior??

I'm not excusing Apple's complete security failure here, but how exactly is Google not also culpable for this violation of my trust?

Re:haha

[cheaphomemadeacid]

Yeah google, shame on you for writing that buggy piece of software that can't adhere to its own settings correctly. oh wait...

Re:haha

[thomst]

geekoid commented:

Man. if this is the stretch people have to go through to blame Google for something, Google must be doing pretty damn good.

Seriously, this is, yet again, another NTSH article about Google. They are doing what the user opted in for them to do.

I think it's worth noting that, although I allow scripts and cookies directly from Google, I disallow them from google-analytics.com (via Cookiesafe and NoScript), and that choice does NOT appear to disable ANY Google function that I can determine.

As evil behavior goes, I'm with geekoid: this is pretty weak beer.

Re:haha

:blink: You realize that WebKit is (at least originally) Apple's project, not Google's, right? And it was KDE's before that.

well

[x0d]

"When I was back there in seminary school, there was a person there who put forth the proposition of 'Don't be evil'..."

Re:I trust Google

[Tharsman]

But I was taught in school that sharing my private stuff openly can result in STDs... Now I must pick between AIDS or Cancer? ACK!!!

another thing is:

[larry+bagina]

Google claims you can use the Ads Preferences Manager to disable this "feature". But wait! They previously claimed that it wasn't necessary to disable that feature because Safari defaulted to no 3rd party cookies.

Fuck me with a greased up Yoda doll, if they're going to blatently lie, why would they respect your desire to pot out of it?

Assuming they're not evil, they want to fill the web with their +1 buttons so they needed to turn on 3rd party cookies which unintentionally (not that they mind) enabled all their ad tracking.

Which is to say Google isn't evil but Google+ is.

And Chrome users trust Google?

[assertation]

Articles like this make me think using Chrome is only moderately safer than using a web browser made by Facebook, if they made one.

Uncool

[dittbub]

Man, google used to be so cool. What happened?

What I hear:

Apple: WAH. WAH. WAH. We're not making enough money. WAH.

I don't know who to trust less, Google or Apple.

[mmell]

Oh, wait . . .

Google brings me porn, warez and pirate music/video. All Apple's ever done is prove themselves one of the biggest patent whores on the planet.

Damn! That doesn't settle a thing. Guess I won't trust either of 'em.

Blogging while drunk

[Animats]

In the Battelle article, he admits he was blogging after drinking. Don't expect much.

Steve Job's revenant...

[forkfail]

... stalks the corridors of Apple headquarters, inflicting great harm on anyone who quavers in their resolve to destroy Google.

Might come under the Computer Fraud and Abuse Act

[Animats]

This might violate the Computer Fraud and Abuse Act. The threshold phrase there is "exceeds authorized access". Explicitly bypassing a security measure is usually considered to satisfy that definition of criminal conduct.

Attempts to use the Computer Fraud and Abuse act have failed with regard to "Flash cookies", because the plaintiff was unable to show $5000 in damages, even across a large number of users. But since then,. Google has offered a deal where users give up their privacy for $25 in gift cards. Google has now put a price tag on privacy, which can be used as evidence against them in valuing future intrusions.

A site prompted her to install it so she did ...

[perpenso]

... Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did ...

This scenario needs to be a job interview question.

Duh, what's a cookie?

You know, I was nearly going to chide slashdot for explaining what a cookie is ("client side data that remote web servers can later access in subsequent visits"), but really it was a quote from TFA.

"Whoever wins,

[circletimessquare]

we lose"

Warning

One thing this brings up, is that while Google has shown that it is POSSIBLE to do this, and their motives are "borderline evil", couldn't the REALLY BAD GUYS use this for some truly nefarious purposes?

This highlights a glaring hole in Apple's security model! That's the real story here!

So, Google is now saying

"Don't be evil" motto no longer contains "Don't".

Whore Street Journal

[ThatsNotPudding]

Quite the set of prostitutes for Apple, Inc. - with Kara Swisher and Walt Mossberg being the Co-Madams of this particular whorehouse.

Third party... or first?

I fail to see where the issue is here... you're seeing a Google ad, and Google puts a cookie down. When did the site you're visiting suddenly become "third-party"?

This is a Safari issue, not a Google issue.

[BitterOak]

Every now and then, a story pops up on Slashdot describing how one company or other is getting around browser security features to invade people's privacy. A while back the story was about "supercookies" that couldn't be deleted but would let some companies know whether you have visited their website before, etc. The blame is always directed squarely at the company doing the "exploiting".

I think the more important issue is the security problems in the browser itself, which enable these tactics to be employed. If large companies like Google are exploiting these vulnerabilities, then we can only assume that smaller scale but potentially much more malicious hackers are employing similar tricks. Companies like Google, when they do such things are pointing out serious vulnerabilities that need to be addressed. The problem won't go away just because big companies like Google voluntarily decide to stop exploiting browser vulnerabilities. The problem will only go away when the browsers (and possibly plugins) are fixed and patched so the exploits are impossible.

Firefox private browsing too?

[IwantToKeepAnon]

I have a profile that I keep for private browsing only. I only login to facebook and other nefarious sites in this profile and always in private mode. My search bar is set to either scroogle or (b/c google is blocking them) duckduckgo. Yet somehow I find google cookies "leaking" out of private mode. Upon launch but b/f going private I periodically check the cookie list and I find google there. :((

Re:Firefox private browsing too?

[thejynxed]

If you're using Chrome as your browser, Google won't block it's own scripts or cookies, no matter what settings you put, so they'll show up, Private Browsing or not.

Re:Firefox private browsing too?

[IwantToKeepAnon]

See subject line ... "Firefox private browsing too?"

Fight back with surrogates

[Giorgio+Maone]

sites which won't display their content until I allow Noscript to run all scripts on the page (including advertisers'), turn off Adblock, and disable Ghostery

Surrogate Scripts are meant to deal with this kind of crap.

Could you please show me some URLs to check?

Re:Fight back with surrogates

[ynp7]

I don't think he wants to provide examples. It's probably all porn sites.

If Google could do it...

[__aaqvdr516]

If Google could write the code to bypass the security restriction, then so could someone with more nefarious purposes.

Thank them, then fix your flaw.

How to Opt out

Go to http://www.networkadvertising.org/managing/opt_out.asp to opt out of behavioral advertising. Includes Google ads and 100+ of other ad networks.

Here is how to Opt out

[comparebest]

You can easily opt out from behavioral advertising of google ads and 100+ other add networks by simply going to http://www.networkadvertising.org/managing/opt_out.asp . This site is a tool provided by those advertisers, its just not too many ppl know about it.

Google gets scarier every day.

[RocketRabbit]

I'm not sure how much longer I will keep using Google.