Slashdot Mirror
Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms?
New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser level (black box) solutions aren't anywhere near good enough; if it were, the exploits would be few and far between instead everywhere everyday. Read below for the rest of tanstaaf1's question.
On Amazon, I haven't found a likely good book on the topic. There are books on protocols but I'm really only interested in how I can detect and track and block, and erase, and re-write and spoof all the tracking attempts on a case by case basis. Maybe a book on how to write my own tracker — or my own tracking blocker from scratch?
In theory it wouldn't seem to be that hard to uttlerly micromanage your own computer. Here's how I think it could be done:
(1) Have an explicit on/off switch, ideally OS based and trivial to control with a mouse-twitch, which turns internet access on and off as certainly as a mechanical light switch controls lights. Along with this, maybe the whole screen can change color, red-light green-light, to keep the user always aware of incoming or outgoing traffic. I should instant be able to get detailed information on any unexpected write or read request. Think unix "ps" or better. (Actually, a file system which allowed the owner to attached detailed memos and other information would be a nice touch...once litter builds up it quickly gets easy to hide real malware everywhere; that is a common technique used by embezzlers everywhere — create chaos and then hide your exploits within it).
(2) When the browser is started, make it start in a fresh virtual space / sand-box. Then copy into that space any "cookies" or other information I explicitly care to put into that space. I would, for example, put in site specific cookies to allow sites i whitelist to identify me. A good database of all the files in my virtual space, how they got there and what they are used for, would be really nice to see.
(3) As you browse you can block or not block ads and trackers; the add-ons already exist.
(4) When you decide to exit the browsing session, at least, the computer should save important cookies from sites you frequent for later restoration.
(5) The entire virtual space is then shredded and deleted.
This could all be done at a finer grain, I'm sure, but I wanted to lay out an overall strategy — and ask:
(1) What am I missing?
(2) Has this already been done and automated, say, under Linux? (I wouldn't expect Microsoft, Apple, or Google to facilitate this sort of security under their OS systems; foxes guarding the hen house and all that. However, even under Windows and OSX I can install virtualbox...)
(3) Why is it so hard to find the specifics of, step-by-step, how (not why or if) we are being conned and raped and what, specifically, can be done to stop it? Why are we screwing around with all these endless add-ons instead of striking at the root of the problem? Or have I not really identified the root?
I would appreciate any specific feedback on my scheme or, even better, a link or three.
In theory it wouldn't seem to be that hard to uttlerly micromanage your own computer. Here's how I think it could be done:
(1) Have an explicit on/off switch, ideally OS based and trivial to control with a mouse-twitch, which turns internet access on and off as certainly as a mechanical light switch controls lights. Along with this, maybe the whole screen can change color, red-light green-light, to keep the user always aware of incoming or outgoing traffic. I should instant be able to get detailed information on any unexpected write or read request. Think unix "ps" or better. (Actually, a file system which allowed the owner to attached detailed memos and other information would be a nice touch...once litter builds up it quickly gets easy to hide real malware everywhere; that is a common technique used by embezzlers everywhere — create chaos and then hide your exploits within it).
(2) When the browser is started, make it start in a fresh virtual space / sand-box. Then copy into that space any "cookies" or other information I explicitly care to put into that space. I would, for example, put in site specific cookies to allow sites i whitelist to identify me. A good database of all the files in my virtual space, how they got there and what they are used for, would be really nice to see.
(3) As you browse you can block or not block ads and trackers; the add-ons already exist.
(4) When you decide to exit the browsing session, at least, the computer should save important cookies from sites you frequent for later restoration.
(5) The entire virtual space is then shredded and deleted.
This could all be done at a finer grain, I'm sure, but I wanted to lay out an overall strategy — and ask:
(1) What am I missing?
(2) Has this already been done and automated, say, under Linux? (I wouldn't expect Microsoft, Apple, or Google to facilitate this sort of security under their OS systems; foxes guarding the hen house and all that. However, even under Windows and OSX I can install virtualbox...)
(3) Why is it so hard to find the specifics of, step-by-step, how (not why or if) we are being conned and raped and what, specifically, can be done to stop it? Why are we screwing around with all these endless add-ons instead of striking at the root of the problem? Or have I not really identified the root?
I would appreciate any specific feedback on my scheme or, even better, a link or three.
Just press ctrl-shift-K in your browser. That's a good first step.
Now that Verizon has hooked up with AOL to share cookie data and personal information, it sure would be nice if the Verizon stealth cookies could be deletable.
(1) What am I missing? ... nah, too easy.
how (not why or if) we are being conned and raped
Never mind. You're missing mental stability.
"Old man yells at systemd"
Now that Verizon has hooked up with AOL to share cookie data and personal information, it sure would be nice if the Verizon stealth cookies could be deletable.
Just a quick question, can the browser insert its own Verizon stealth cookie into the request URL?
And if that can be done, can it be used to poison the data, or even crash the Verizon tracking system?
all the specifics have already been arrested.
You should be able to find some pretty straightforward documentation on HTTP cookies, flash data storage, HTTP Local Storage, and browser fingerprinting (see https://panopticlick.eff.org/ ). The tracking services aren't doing anything fancy -- they're just sharing that identifier behind the scenes. When you visit website1 they assign an id to your browser (via a cookie, or whatever). When you visit website2, it loads a script from website1 that puts your id somewhere into the DOM that website2's scripts can read and website2 assigns that id to your browser as well. Website3 does the same, and so forth. Then, websites 1 through N share the browsing habits of your id amongst themselves and gain some insight into what your browser is doing.
Do you really need reason for beer? Wingman Brewers
Evercookie is how it is being done.
UBlock Origin is how to block a ton of stuff.
Both are open source so you can have a look at it.
But in case of Verizon, you're talking about tracking on a whole other level.
And since your MAC or IMEI device number are needed to allow you access on their network, there are no options to spoof that.
The best you can do is block what they throw at you as a result of that data.
Adding a VPN would make life for them pretty hard because no server side deep packet inspection can be applied.
You can be tracked and identified by a large number of ways. Its not just cookies, its anything you click on, its hidden variables, its the URL, applets, javascript, and even your IP address. Have you heard of a Firefox plugin called Ghostery? Look at all the things it blocks. That will give you more clues about how you are being tracked. Cookies are not in themselves bad. They were designed for developers to cache information so that they could remember what the user was doing when they clicked. Advertisers decided to use them for different purposes. Then agains, the web sites are partly to blame. They want to know what you were doing, what pages you liked, where you spend time. It lets them know what interests people. But the sites have found that by signing up for programs that track users across multiple sites, they can get a deeper understanding of their customer. So, they deploy tracking code/cookies/pictures so that the companies who track across multiple sites can get info to share with them. Its really complicated.
You know something about Linux, and something about virtualization. So you could move forward by setting up a slim VM running Firefox. Maybe one based on a LiveCD, which already controls writes.
Take a snapshot of that VM (or the LVM volume it resides on).
Boot the VM, browse a bit.
Shutdown the VM
mount the image and it's snapshot
diff -Bbdir the vm with it's snapshot
Take some notes.
Snapshot again, or reset.
Browse a bit , maybe taking notes this time.
Rinse and repeat - boot, browse, mount diff, unmount.
You've have an exact record of which web sites and doing what, to what files.
I mentioned Firefox specifically because I think it holds cookies in a plaintext file, has a reasonable plugin system, and it's fully open - you can dig as deep as you want to see exactly how it works. You can see how to add and remove cookies, etc from the diff.
Let us (or just me) know if you make some progress. This is conceptually similar to the hack-proof computer concept I designed. It resets most everything on boot, unless you boot into "configuration" mode. In regular run mode, 98% of the storage is read only, as if it were running from a CD-ROM.
A good Samaritan did the heaving lifting... https://gist.github.com/atcuno...
An organization can store information in your browser that can uniquely identify you. Usually this is a session code. It can share this information with whoever they want.
If you are concern with privacy never type any uniquely identifying information into your browser. Since you don't know what can potentially be uniquely identifying then you should never use cookies. Given that makes the internet practically unusable then use a whitelist. Given that a whitelist is a pain then forget about privacy. Everyone knows your porn habbits anyway.
If you are that preoccupied by evil cookies, use Linux Tails like Edward Snowden recommends.
But really, you overestimate your value for those who allegedly "rape and con" you with cookies. They care about trends and patterns, not about you as a person, so browsing the web in a virtual space that you "shred" afterwards is more of a hobby than a necessity. Modern browsers are well-equipped to provide a decent level of privacy, there's no need to go thinfoil hat over this.
lucm, indeed.
The reason is because what you're describing is an enormous amount of hassle and people just don't want to deal with that much complication, unless they're wearing a tinfoil hat. And if they are they probably have already set up a system that resets itself every time it's rebooted. Just learn to stop worrying and love the cookies.
You can easily add your own X-UIDH header. It is likely that Verizon's proxy wouldn't add another if one were already present. It's also possible that the request would be sent on with two (or more) X-UIDH headers. Most programming is sloppy programming, so they probably didn't account for this correctly. It's extremely likely that random strings in the X-UIDH header would confuse the system.
As I mentioned, most programming is sloppy programming. People keep making the same mistakes. One common mistake is, what if that string that's supposed to be about 16 characters is instead 500,000 characters (500KB)? Or 2MB? Things might break. What if it contains null characters (ascii value 0)? A lot of things break when strings have embedded nulls. Strings that are used to query a database to get a user's information often break when single quotes and semicolons are present.
That said, it's also likely they use popular off-the-shelf, premade software for the proxy, and it's protected against the most obvious attacks. Their database query routines are probably written by their own programmers, and those programmers probably aren't security experts.
Obviously, trying to harm their systems could very well be unlawful, even criminal. "I just sent web requests" might be about as convincing to a judge as "I just waved my arms around (while holding a knife)".
I hope the bad guys don't mess with them too much.
I'll bite and reply to the obviously crazy and just smart enough to be dangerous, but not smart enough to be good...
On AMZN, of course you haven't found a good book on it. You're in an evolving war with hundreds of developers being paid to research better, faster, more accurate ways to track traffic. I personally know at least three people with PhDs working for fortune 500's whose research will never be published, but is being used for demographics right now. If you think cookies are a problem, try imagining what we can track when we control an upstream nameserver and have dynamically generated javascript.
Rewrite, spoof tracking on a case by case? Look, you could edit or rewrite cookies, javascript urchins, 1x1 pixel trackers. But without solving the halting problem, you aren't going to replace every javascript dependent application in existence. So, you get to block all or nothing, or try for your "better than average"/90th percentile solution.
"In theory it wouldn't be utterly hard to utterly micromanage your own computer". I posit that you are either more brilliant and motivated than linus torvalds, or utterly inept. Since you don't understand how to erase cookies without using your browser to do it, you clearly aren't more brilliant. You can manage as much as you're willing to put the time and resources into -- while degrading every other experience associated with it. Your "filesystem with memos" is called a virus scanner. In your case, it sounds like you should buy mcafee or symantec -- which concerns me even more. "Embezzlers everywhere"... really? What doctor discharged you from the psych ward?
1) Detailed information on incoming unexpected read/write requests could be done from a hypervisor or VM with a wrapper around a device driver..but...yuck For write requests, a containerized system like docker could do some of it with a few modifications. Of course, this will be useless on a modern operating system until you condition it to bypass logs, databases, registries, tempfiles, swap, last accessed timestamps.... What you basically suggest is a continuous realtime forensic analysis. A type of activity that typically takes a professional two weeks to write up a report about a 30 second intrusion -- done for every page you visit.
2) Check out an OS called qubes. I'm not sure I'd recommend it, but it's pretty close to what you're talking about in some ways. By the way -- get back to me when you understand you can't tell the difference between good and bad cookies reliably. Good and bad files? Yeah, go buy your antivirus.
3) You can use a whitelist or blacklist, the same as you can with browser plugins. That the add-ons exist does not demonstrate they are correct. If you want to do this, you could look at well known tools such as "privoxy". Enjoy your web without flash, and potentially nearly random broken pages.
4) I'm not sure this merits a reply, but I'd like to suggest you begin by defining "visit" and consider "first vs third party" cookies.
5) Seriously, "shredded"? At that point you should have started running an encrypted VM with memory pinned anyway. But let me wildly speculate by starting with "fuck that stupid idea" -- run a browser inside a VM with a custom profile on a mountpoint shared with the host OS. Of course -- it's up to you to keep the cookies clean.
I'll assume you're prepared to lose most performance enhancing features that keep the internet fast. But what are you prepared to shred? Other cookies? Flash cookies? Browser history? Your IP address? The :visited property? ETag cookies? Are you willing to shred the very privacy enhancing characteristics that make your browser more unique and identifiable? https://panopticlick.eff.org/ ?
My summary: Give up and go back to the shrink.
http://spectrum.ieee.org/computing/software/browser-fingerprinting-and-the-onlinetracking-arms-race
http://spectrum.ieee.org/tech-talk/telecom/internet/top-websites-secretly-track-your-browser-fingerprint
Fingerprinting is harder to turn on and off...
http://spectrum.ieee.org/computing/software/browser-fingerprinting-and-the-onlinetracking-arms-race
http://spectrum.ieee.org/tech-talk/telecom/internet/top-websites-secretly-track-your-browser-fingerprint
links ; rmdir ~/.links/cookies
Re "erase cookies using the browser" .SOL shared cross-browser tracking, flash and other deeper tracking options. .
Thats really all that can be done to average users by most ad brands legally as the settings and use allow that short or long term access by default. Beyond that and it gets to be equipment interference.
Lots of apps on different OS will find the super cookies, Local SharedObject
"Has this already been done and automated" Different browsers have add ons that can do that based on some level of settings.
The other option was the ISP level deal with brands to alter the users internet experience. Very hard to escape that one as it flows with the basic network.
The final option is the security services or police passing code to detect a user when a visit a site has to resolve the original ip or to classical track a browser of interest for a while.
Classically the option was for ISP backed cookies that only an ad brand could read (2008).
Later users are starting to understand more about Unique Identifier Header (UIDH) and terms like perma-cookie.
A provider using JavaScript to inject packets to show an ad. ie the provider starts altering or initiating data packets for branding, ads.
Other network systems used personalized marketing ie search terms, websites visits, time spent ie all data that a provider can log.
Re "Has this already been done and automated, say, under Linux?"
Search the Firefox add ons some listed are options like: Better Privacy, Self destructing cookies, Cookie time.
Re " Why is it so hard to find the specifics of" Its now been done at the server, isp, web 2.0 provider, social media site level.
Ads have followed the security services thinking, why be in the users machine, just become the network used for all connections.
re "Or have I not really identified the root?"
An average user is now buying generations of hardware and OS software, OS updates from an ad brand... using their ad brand search engine on their OS..
The internet in some countries will be provided by in totally by a social media company or via ad brand hardware. Collect it all.
Every packet in and out is then up for logging, over any browser. ie the classic ISP becomes the advertizing brand not just selling logs to third parties
The only easy solution might be a new virtual machine with a modern browser and OS on fast dedicated hardware every browsing session. ie a laptop or desktop computer just for the new VM to surf the internat.
Domestic spying is now "Benign Information Gathering"
That will provide random context info such as screen res, viewport, OS, browser, platform, etc and just grab the page off the server and then let me view it normally? All of this garbage info would surely make it hard for them to categorize their info.
As mentioned by others, cookies are only one mechanism.
For instance, if you install any wierd fonts on your system - that along with your IP makes your are quite easy to identify. Browsers allow javascipt to query the fonts installed on a system (that feature is really a privacy intrusion bug, IMHO)
You mean that their monetization rights can be trumped by your desire to retain privacy? Oh, wait....
---- Teach Peace. It's Cheaper Than War.
Two words:
Verizon Supercookie
You COULD try attacking them (rather than not using their service) and then tell the judge that your attack was to protect your privacy. You could try that.
You could also try attacking them using a knife to their sysadmin and try telling the judge the same thing.
I wouldn't recommend either. I just use a different company.
This information can be found anywhere. Why is this an article??? REALLY????? WHY????
Cookies are an addition to the http web protocol that was originally supposed to help the web server keep track of which pages had been sent to a web client. The http protocol was stateless and cookies were a way to identify a distant client computer and store information about the client.
Cookies have been developed into an invasive and repetitive advertising device. Have you experienced yet how ads for movies, operas, motorcycle tires and whatever technical thing you searched for keep repeating and distracting your attention from what ever you are currently searching or studying?
I have a book Firefox Hacks by Nigel McFarlane copyright 2005 that might be a discussion of cookies and how to manage them that you will find useful. This book is old enough to be in your local library. Firefox hacks mentions a 20 cookie per client connection limit. That appears to be true today.
I recently tried following the Slashdot privacy or cookie preference pages. See "opt out choices" at the bottom of the slashdot pages. I have not yet managed to stop the stupid advertising cookie from following me around.
Here is a good starting question: What is going on that has caused advertisements to follow me around? And I presume the ads follow you too. It seems like the advertising following started 6 months ago.
Looking at my Fire fox browser's Tools->PageInfo->Cookies data, there is still a limit of 20 cookies per web address. Slashdot show 6 or 7 cookies and Cookies data for a youtube.com connection shows 20 cookies with the same name. Clearly some of the cookies are pointers to a data file.
If you want to write a tool to interfere with cookies, I suggest you research Perl and the Perl module libraries. I imagine your cookie tool will be a script that listens on port NNN and sends data to the Internet on the standard Internet port. Then you start your browser with it's outport switched to
send data out port NNN. The cookie chomper does it's job and you can switch to a text console to see what the chomper is doing.
Write back when you come up with some good solutions!
Ghostery is an excellent add-on for Firefox.
Firefox hacks mentions a 20 cookie per client connection limit. That appears to be true today.
It's not a limit, that was a recommendation from the original Netscape Cookie Specification. It's up to the individual browser implementors what limits they place on cookie size, cookies/domain, total cookie counts and even max cookie age. I have seen some web sites in the Top 1000 Alexa site list, for example, spu out over 60 Set-Cookie headers in response to a simple GET / HTTP/1.1 request - and that's just for the source page, not even any of the linked resources.
If you're still browsing mainly HTTP pages (not HTTPS) from a desktop-based computer I highly recommend getting hold of Privoxy and configuring it to eat the Set-Cookie headers for you. I'm sure there are other tools out there that achieve a similar result, but cookies are only a very small part of the identity tracking problem.
There are several problematic aspects. First, most people don't really care. Second, the people who do care give up when faced with the technical issues. Third, even if you're willing to study and deal with all those details, it's a moving target. There are web bugs, cookies, "supercookies", flash cookies, IP tracking... You need to block script and 3rd-party files to have even a modicum of privacy. How many people will put up with that? Even then, we don't know what we don't know. For example, did you know that Akamai hosts a great deal of the traffic online, and some years ago decided to start selling data? While you're looking for cameras along the road, it turns out the road itself is spying on you!
I don't mean to be defeatist. Personally I think any effort to thwart the outrageous normalization of corporate-sponsored surveillance society is worthwhile. But it does require work and study. And the majority of people wouldn't care about perfect privacy even if it meant all they had to do was to figure out how to install a Firefox extension. They won't care for the same reason that mousetraps work: We mostly just focus on what we want right now.
Layer 2 addresses don't pass routers, which operate at level 3, so your client media access control address is only visible if you don't have a router.
The outside global address of your modem is of course visible to your ISP. You could change that, but most cable ISPs either require that not change at all (without calling them ) or if it changes it takes an hour or two to reconnect. Since you even with a direct ethernet connection your MAC address is only visible to your ISP, the only reason to change it would be to hide your identity from your ISP. That's going to be a problem for billing. Your ISP knows who you are, there's basically no getting around that. So no point in messing with your ethernet address.
If you have PPoE service (such as some DSL), you could change your MAC, but since you're sending them a user name and password they still know who you are. So again, no point in that.
1) You have an on/off switch. Turn off your router or unplug the network cable. Most OSes have desktop widgets or easy accessable network controls. Mobile devices have airplane modes. You can't get detailed info on unexpected traffic because there's no way to specifiy what traffic is unexpected and what is not. You can waste all your time individually categorizing every packet a piece of software sends, but everyone has different expectations so what is unexpected by you might be expected by someone else. There is a thing called a firewall that prevents unallowed programs from sending/receiving data. However they're generally all or nothing aproaches, all the traffic for that program or none of it. They won't block that once in a year transmission of your private data (which someone else might not consider private). An intrustion detection software (IDS) like Snort could block that transmission, assuming somebody already knew it would happen. Snort is basically a packet level filter for your network connections, but you need to weave its filter. Wireshark can let you watch all the traffic, but there's far too much traffic for you to manually inspect it all. It'd be like trying to watch ever bit written to your hard drive. More and more of it is being encrypted too. Many file systems or file formates allow meta data and if the one you're using doesn't, just create another files with "-memo" or something appended to the end of the name.
2) Browsers already do that. Just create a new profile each time. Or write a script that creates a new profile and copies everything you want to keep from the previous profile. Or have the script delete everything you don't want to keep.
3) As you said, already exists.
4) Every browser does that. Most have whitelists and blacklists too (or extensions that provide it).
2,5) There are lots of software that already does this, both free and commercial. SandBoxie is a good example.
=== Second set ===
1) You don't know enough about computers. You don't know the terms to use to find the information you want. You think software development is easy. Everyting thinks software development is easy, even us software developers. And we're all wrong.
2) Yes, and under the other operating systems too. "If you immediately know the candlelight is fire, then the meal was cooked a long time ago" ~Stargate. You are assuming far too much. You're assuming the other OS copmanies are out to get you so you don't bother looking at their platforms at all. Windows has some of the best security software because corporations use it. They pay for it so the quality is far above most of the open source relativies. There are excellent security tools on Linux too, but they aren't as user friendly and you won't hear about them on random sites. They're designed for servers, normal users don't care or don't have the time.
3) Because you don't know where to look. Because the tools that can block things are designed for people who know what they're doing thus there's no simple step-by-step manual as everyone's needs are slightly different and they know that. Because if it's easy for you to find and understand then it's easy for the people 'raping' you to find and understand. Then they can modify their penetration to get around your block. It's an ever changing arms race. With software quality as poor as it is, there's always a way in. Finding a way in gets you big money, blocking that path doesn't, so there are far more finders than blockers. Everytime a new path is found people whine, complain, abd blame the blockers. It's a thankless job that pays nothing unless you're securing critical systems. Security bugs in a browser is just a number. When was the last time you paid for a browser? There are paid browsers out there...
'They' want your data for various reasons, you want to keep it from them for various reasons. The root of the problem at both ends is greedy people. Good luck with that.
Basically, everything you want already exists but it isn'
Many companies are tracking by MAC address. E.g., coffee shop Wi-Fi systems, retail analytics systems.
It is not surprising you didn't find any info on "nuts and bolts" cookies.
Because while nuts are popular ingredients for cookies, bolts are terrible.
So I suggest that you replace bolts with chocolate chips, these are much better and you are much more likely to find information about them.
You confuse cookies, tracking, malware, and exploits.
If you know so little about it why do you feel competent enough to call it a "the whole tracking and privacy train-wreck"? Is it because you _heard_ there was a 'tracking and privacy train-wreck"? What makes you think the people telling you this know anymore than you do? Or even worse what makes you think they have don't ulterior motives for telling you this - like wanting to increase government regulations like the completely useless and deleterious EU cookies regulations (to make jobs for themselves and increase their power)?
I know a vast amount about this but I do nothing to defend myself against cookies and tracking. Why? Because their ability to harm me is non-existent. I don't use my real name on the internet and I post anonymously or create throw away accounts - but that is another matter unrelated to cookies (that's about _people_ tracking you, not advertising algorithms tracking you).
But I will tell you what to do, no 'decent programmer' skills required: in Chrome go into Settings/advanced/Privacy/Content/Cookies and set it to "keep local data only until you quit your browser" - all the cookie-required site functionality with none of the persistent tracking.
What a shame the EU didn't go the route of requiring the _browser_ to ask the user if they want to store cookies for each site that tries to set them either indefinitely or only until the browser closes (and defaulting to 'only until the browser closes')... instead of massively hobbling their tech industry and making the EU internet experience hideous for users.
As for malware and exploits... Comodo Firewall does what you have in mind (it sounds like you are using Windows).
No referers. No script. Just plain doc data. Problem solved.
If you have client-side logic on by default, somene will use it to track you. It's that simple.
Another approach would be fresh private tabs for every session and perhaps spoofing of plattform data.
I use Gostery and don't care to much about super-cookies. I use multiple browsers for multiple personas and tasks, which mitigates the problem a little more.
I don't use facebook and stuff like that, but I'm pretty deep in Googles camp, with my Android devices and my various Google Accounts. ... It's a trade-off.
I might try to cut lose entirely sometime in the future.
No script, no referers. No google. Problem solved.
We suffer more in our imagination than in reality. - Seneca
You are making a mountain of assumptions with absolutely nothing but cheeky speculation
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Can ublock do 16 things hosts do for speed, security, & reliability:
1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C communique
3.) Protect vs. dyndns botnets + stop C&C communique
4.) Protect vs. DGA botnets + stop C&C communique
5.) Protect vs. downed DNS (4 reliability)
6.) Protect vs. redirect poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phishing
10.) Protect vs. caps
11.) Get you by dns blocking
12.) Keep you off dns request logs
13.) Speed up surfing by adblocks & hardcoded favs
14.) Work on anything webbound (ie email programs) multiplatform.
15.) Give you easily controlled data
16.) Do those & block ads better than addons more efficiently in cpu + memory use
* ANSWER ="NO" to each on UBlock doing it as well or @ all!
APK
P.S.=> UBlock does less than hosts & less efficiently - hosts do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):
Ublock's NOT as efficient:
Hosts @ 3mb-11mb w/ current data vs. threats + ads - test yourself using my program.
UBlock uses 63++ MB -> http://www.ghacks.net/2014/06/...
SCREENSHOT -> http://cdn.ghacks.net/wp-conte...
---
ClarityRay defeats it detecting it by dumping addons in use in a browser via native browser methods to do so!
---
UBlock adds complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).
---
What's better?
APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk
See subject: Globally setting NOT to take then & making some exception sites that need those things to work + hosts & firewalls, I get none of it-> APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & not 'souled-out' to advertisers, + adds speed, security, & reliability, doing FAR more w/ FAR less, more efficiently vs. redundant browser addons & locally installed DNS servers @ home + fixes DNS' many security issues!
It obtains its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!
It SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed), whereas by way of comparison, other "so-called security 'solutions'" SLOW YOU DOWN!
It does all that using something you already have vs. "bolting on browser addons 'MOAR'" in addons that's usermode slower & increases messagepassing, cpu + ram overuse overheads!
* :)
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
---
"The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
PERTINENT QUOTE/EXCERPT:
"The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!
(Accept NO substitutes!)
...apk
Not really. For example, I'm said their system will EITHER add an additional header or it won't. One or the other is true.
I suppose the "assumption" is that their code isn't fundamentally different from ALL of the tens of millions of lines of code I've reviewed over a decades-ling career. I "assume" that the programmers tried to get their job done. I've looked at the security posture of a LOT of software. In essentially all cases, no -application- code ever sufficiently anticipated all possible types of malformed input. Programmers (other than security analysts) try to write code that works. That's their job. It's what programmers do. They write a routine that takes certain input and produces certain output.
What programmers don't do is they don't write code that assumes everything is wrong, that inputs are completely fucked. They (rightfully?) say "garbage in, garbage out". That was fine in the pre-internet world, and it's fine if security isn't a concern. For internet-facing applications, if security is important, that has to change to "garbage in is the normal, expected thing. We plan for any and all types of garbage. Garbage in, nothing out because the software fails fast and fails hard." (In other words, raise an exception immediately, and do so by default, in any case other than getting precisely the input you want, all the input you want, and nothing else.) People just don't write software that way. They write software based on the input being what it's supposed to be.
They also write software in reasonable ways. For example, if there is a way that's quick, easy, and obvious, most programmers will do it that way. What that means is that programmers use the same patterns over and over, exposing the same types of vulnerabilities over and over. Very often, I can correctly list off security vulnerabilities without ever seeing the software, just based on the name. For example, any time I see something called download.php, I know they probably coded it the most clear and obvious way. The most clear and obvious way has three security issues. When I actually look at the source code for something called download.php, it almost always actually does have at least two of the three vulnerabilities that I would predict. Because the programmer is doing his job, writing a PHP script that causes a file to be downloaded. He's not doing my job - figuring out how such a script could be exploited.
That's true, for wifi, access points can see your MAC address. I was thinking of home / office internet, where your MAC is only visible to your ISP (who already knows who you are).
https://www.qubes-os.org/
What I have been waiting for quite a long time is the extension, or the iCab of sorts, that'll slightly upgrade most of the borwser fingerprint (screensize changed by some pixels, 1% of my fontlist hidden) every 1/4h or so. :(
I truly believe this is not so difficult to prepare, and once it'll be done most of this fingerprinting issue will be over.
The only trouble for the moment is, I'm not a programmer myself
Herve S.
all is in the title. Too bad I don't have points now...
Herve S.
Perhaps the internet world no longer uses RFCs for getting comments on how such things are done. You know the nuts and bolts, and other parts required to i don't know write web browsers, email clients, ftp clients, etc...
Can ghostery do 16 things hosts do for speed, security, & reliability:
1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnets + stop communique to C&C servers
3.) Protect vs. dynamic dns botnets + stop communique to C&C servers
4.) Protect vs. DGA botnets + stop communique to C&C servers
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phishing
10.) Protect vs. bandwidth caps
11.) Get you by a dns blocking
12.) Keep you off dns request logs
13.) Speed up surfing by adblocks & hardcoded fav. sites
14.) Work on anything webbound (e.g. stand-alone email programs) multiplatform.
15.) Give you easily controlled data
16.) Block ads more efficiently in cpu + memory use vs. addons
* ANSWER ="NO" to each on Ghostery doing all that let alone as well as hosts do!
APK
P.S.=> Addons do FAR less than hosts do & FAR less efficiently - hosts by way of comparison, do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):
Ghostery (Advertiser owned) - "Fox guards henhouse" -> http://en.wikipedia.org/wiki/G...
---
Addons add complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).
---
ClarityRay DETECTS browser addons like Ghostery & blocks them (not hosts) via native browser methods.
---
What's better than ghostery by FAR?
APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...
&
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk
It got picky. For one thing, you may need to restart the resolver daemon. Also, if you have IPv6 running, you may need to set an IPv6 address in /etc/hosts as well - even if you never use it.
As others mentioned in this thread, people are using it - it "works", it just got harder.