Slashdot Mirror


Novell CEO Attacked by Cookie Monster

CitizenC sent us a funny as hell article where Novell CEO Eric Schmidt talks about having his credit card stolen. The funny part is that he blames cookies. Cookies are certainly flawed, but he goes as far as to call them one of the biggest disasters in computers and tell us that they are stored in the wrong place (what, we're gonna keep them on floppy disks?). Finally he (surprise!) plugs Novell's own digital authentication mechanism (aha! The truth comes out). Hit the link to read a little more ranting by me on the subject.

It is a given that cookies are flawed:

  • Most systems store them in a readable format on your hard drive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems than just your cookies file.
  • They are sent in plaintext over the internet. But that's why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
  • Cookies used to be pretty well forced on Netscape users, but now most browsers give you an option. And there's always Junkbusters for the more paranoid.

It is a given that I need state over HTTP. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.

  • Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
  • Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hard drive. Unless you bookmark it. Oops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
  • Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.

I really thought that the 'Cookies are Evil' thing was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well, that just really rubs me the wrong way.

It's like telling people that the water that comes through your pipes has floride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?

228 comments

  1. Security and Privacy by Belgand · · Score: 4

    One of the greatest problems in this whole arena is that anytime someone stores any bit of information for whatever reason people will get unnecessarily angry. It's a fact of life, albeit a sad one, that many people have become so astoundingly paranoid. If we had slightly more trust then maybe things could start to work, but not until then.

    1. Re:Security and Privacy by finkployd · · Score: 2

      In a perfect world, trust would be nice.
      However, we are bombarded by examples of companies and government taking advantage of us every which way. Including ways we didn't even know were possible. I think it's sad people aren't MORE paranoid, given the track record.

      Finkployd

    2. Re:Security and Privacy by Anonymous Coward · · Score: 0

      Actually, I feel that the developer should not make any assumptions about what is OK to store and what is not. I enjoy my privacy... or at least I would enjoy privacy if I had any! The idea of a developer writing code to store info about my actions so that they can market their wares to me or sell my info to someone else really irks me. There is really no legitimate reason to have cookies in the first place - unless, of course, you are an unscrupulous fiend who wants to get the most out of those that visit your web page. Cookies = SPAM = BAD!

    3. Re:Security and Privacy by Anonymous Coward · · Score: 0

      >If we had slightly more trust then maybe things could start to work, but not until then.

      If some of these entities gave even the slightest indication that they could be trusted, we would not be having this discussion.

    4. Re:Security and Privacy by Fastolfe · · Score: 4

      There is really no legitimate reason to have cookies in the first place

      Are you just totally ignoring what everyone's been saying? Cookies are quite necessary to preserve state information between web site requests and visits.

      I personally love the fact that I can re-visit outpost.com and not have to enter my address in every time I want to order something. I like being able to pick out a book or two from Amazon, set them aside, and come back in a week to complete the order. It's all about convenience, and I'm sorry, but outpost.com doesn't spam me, so I don't really see where you get off labelling all cookie users as evil conspirators that want to spam you.

      There are quite legitimate uses, and the only real way I can see them being abused has been discussed on Slashdot ad nauseam in that they could possibly be exploited to track your movements between cooperating sites. The only marketing-related way they're being used today is to try and "target" those banner ads that you see to your tastes. The banner ads are still there, mind you, but now they're advertising stuff you're interested in.

    5. Re:Security and Privacy by Anonymous Coward · · Score: 1
      Cookies are not needed to preserve state. Amazon operates quite nicely without cookies, thank you. I know it's not using cookies because I wrote my browser myself. Cookies make state preservation easier, and more amenable to proxy caching, but there's lamentably little concern for the cache network anyway.

      You like your cookiejar? It's an irony that Netscape's own original spec for cookies (RFC2109) virtually forbade cookiejars - i.e., cookies are not supposed to persist between sessions. (That's the big danger with using Internet café computers.)

      And as was explained on ./ yesterday, since cookies are only to be returned to the original server, they are useless for interserver tracking. The far more venerable and widespread URL and Referer header are better adapted to that purpose.

      Of course this CEO says cookies are evil. Didn't you notice he's promoting his own competing technology? He's leveraging the general ignorance and fear of cookies to his advantage.

    6. Re:Security and Privacy by whome · · Score: 1

      Most of the posts here apparently take the webmaster's perspective. From a user's perspective things look somewhat different. As anyone who has surfed with the *warn before accepting cookie* option enabled knows, cookies are extremely voluminous and only a tiny proportion add any functionality that benefits the user. Most sites that use cookies act the same way whether the cookies are sent back or not. While I have no doubt that the use of cookies makes the job of operating a website easier, from the user's perspective they add little or nothing. I generally browse with cookies off (turning them on only for sites that require them... inevitably with a few choice words for the site designer) and I find sites of all kinds (including many e-commerce sites) manage to do without them. The problem with cookies is not that they make credit card numbers insecure, but that they put the user out of the loop in the interaction between his/her own computer and the website. While Novell's proprietary solution probably isn't the answer, one can easily imagine a better setup than one has today. An electronic wallet, preferably with an open spec, would allow a user to easily manage what information he/she wanted to go to each site, and to send such information only when it added desired functionality to the site. This would encourage sites to use cookies only when they can come up with a good explanation of why they need to make or alter a listing in the wallet. Of course that would make some site administration tasks, such as gathering info on how the site is being used, more difficult. This shouldn't be of too much concern to the users, though. Many excellent sites do just fine without cookies.

    7. Re:Security and Privacy by Anonymous Coward · · Score: 0

      David, David, David... You still buy from Amazon.com? I've long since boycotted their site due to my disagreement with their obvious abuse of both our patent office and our judicial system. renst

  2. Cookies ==> Fraud by Anonymous Coward · · Score: 0
    Er, just how do cookie details lead to fraud? Is he saying that some malicious website lifted his cookie file, looked at where the cookie came from, and then tried to log in themselves as him? If so, they will have left an audit trail...

    Just confirms my suspicions that CEOs ain't CTOs for a reason...

    1. Re:Cookies ==> Fraud by Anonymous Coward · · Score: 0

      Actually, the Novell concept is pretty cool. They want to create a way for users to store their info in an encrypted way (that even the administrators can't get at), and manage digital "identities" -- all of which are controlled by the end user. What info is there, who can see it, etc. If you actually talk to the folks working on their "DigitalMe" stuff, you find that they want individuals to be able to manage and control their own information, and that design assumption was there from the beginning.

    2. Re:Cookies ==> Fraud by Anonymous Coward · · Score: 0
      He USED to be the CTO...

      Of Sun.

    3. Re:Cookies ==> Fraud by Anonymous Coward · · Score: 0
      Just confirms my suspicions that CEOs ain't CTOs for a reason...

      Like maybe because CEOs make lots more money and have lots more power?

      Anyway, Schmidt was formerly the CTO at Sun - not a bad technology company.

      Schmidt's technical savvy is one of the main reasons Novell has returned to profitability and growth.

    4. Re:Cookies ==> Fraud by Anonymous Coward · · Score: 0
      In response to your "CEOs ain't CTOs for a reason" remark, this is from Novell's web site: (all emphasis mine)

      Dr. Schmidt came to Novell from Sun Microsystems, Inc., where he was chief technology officer and corporate executive officer. In his 14 years at Sun, Dr. Schmidt held a range of progressively more responsible executive positions, where he earned international recognition as an Internet pioneer. He was also instrumental in the widespread acceptance of Java, Sun's platform-independent programming language.

      Prior to joining Sun, Dr. Schmidt was a member of the research staff at the Computer Science Lab at Xerox Palo Alto Research Center (PARC). He also held positions at Bell Laboratories and Zilog.

      Dr. Schmidt has a bachelor's degree in electrical engineering from Princeton University, a master's degree in electrical engineering, and a Ph.D. in computer science from the University of California at Berkeley.

      No offense, but I bet he's a bit more technical than you.

    5. Re:Cookies ==> Fraud by Trailer+Trash · · Score: 1

      No offense, but I bet he's a bit more technical than you.

      Sorry, somebody who has his credit card number stolen and blames it on cookies is in the peewee leagues.

      It's a shame, he's backed himself into a corner here. One of two realities exists. In the first, he doesn't know much about cookies, and made a public statement about something of which he knew very little. In the second, he's being dishonest about cookies just to plug his company's product. He's either 1) dumb or 2) a liar. Neither label is particularly appealing.

      You can spout drivel about degrees and corporate positions until the cows come home; the bottom line is he made a gaffe here and needs to be called on it.

      I know some guys at Novell who have been in meetings with Eric and have attested to his intelligence. Unfortunately, he needs to guard it a bit closer.

  3. Trust by JamesKPolk · · Score: 1

    Trust isn't something that should be granted by default, only to be taken when something goes wrong.

    Unless id Software, Real Networks, Novell, Netscape/AOL, or anyone else proves to me that they NEED a certain bit of information, in order to serve ME better, I'm not giving them the first initial of my first name.

    They already get enough for system administration purposes: HTTP referrer, IP address, even browser type (although Konqueror allows you to change that).

    1. Re:Trust by randombit · · Score: 1

      They already get enough for system... even browser type (although Konqueror allows you to change that).

      As does lynx, the one true browser. :)

    2. Re:Trust by Fastolfe · · Score: 2

      even browser type (although Konqueror allows you to change that).

      Umm.. heh. Can someone please explain to me what you gain out of changing this information? I can't see any possible gain, but there are tons of drawbacks. Specifically, web pages that dynamically generate content based on the browser string will be generating content that either doesn't work in your browser, or is meant for sub-standard browsers (hence you'll be missing out on features or content that might necessarily be limited to more capable browsers).

      So what's the rush to change this text?

    3. Re:Trust by Hallow · · Score: 1

      There's at least one really good reason for being able to change the browser version string whenever you like - firewall proxies. Where I work, you can only get out through the proxy if you're using the right web browser. Using too new a version? Nope, you can't get out. Using a non-standard operating system? Again, nope you can't get out.

      I've requested this feature myself in several CDDB readers (since they use HTTP now), but only one has come through for me.

    4. Re:Trust by noc · · Score: 1

      It's true that people may make pages that use this information well, but there's benefit in defeating brain-damaged uses of this info. For example, a recent post to the lynx-dev mailing list said that the Wells-Fargo web page was giving pages stating that you needed to use Netscape >= 3.x or IE >= 3.x to use the secure pages. Of course, lynx can do https, so this was not a reasonable or useful message. By using the command-line option, he changed his apparent browser type to Mozilla and solved the whole problem.

    5. Re:Trust by Fastolfe · · Score: 1

      A pretty brain-dead way to run a web site if you ask me, but I see your point.

    6. Re:Trust by Fastolfe · · Score: 1

      Where I work, you can only get out through the proxy if you're using the right web browser.

      Why do they do this? Just to discourage the use of non-company-standard browsers?

    7. Re:Trust by jaed · · Score: 1

      Can someone please explain to me what you gain out of changing this information?

      A few years back, there was a fashion among pointy-haired web designers to use something like

      if browser is Netscape
      display site
      else display message "Netscape NOW!!!!, loser!"

      (Later the if statement changed to "if browser is Netscape or MSIE", not what I'd call an improvement.) Changing your ID string to Netscape's ID let you access such sites. It's why most browsers' ID strings have "Mozilla (compatible)" in them somewhere, because of this history of testing for capabilities by checking for browser brand. Doing so also helps you get around the occasional site blockage (e.g. there's a cartoon site that blocks UNIX browsers, for no apparent good reason; MS has been known to block browsers identifying themselves as Netscape).

    8. Re:Trust by Hallow · · Score: 1

      Overly paranoid network security. Only the version they allow out has been audited. Even then they found problems with it, but allow it out anyway. *SIGH*.

      The president of the organization asked for RealPlayer stuff to be allowed through the proxy over a year and a half ago. They won't do it, nor will they install a RealPlayer proxy.

  4. Read the "Talkbalk" by legoboy · · Score: 3

    I saw this a few hours ago. I was thinking, "Good god, not the cookies are evil thing again." But no, it turns out that the article is nothing but a shameless plug for a product that this fellow is trying to shill.

    The most telling part of the whole tale though, is the ZDNet TalkBalk. When "Larry, Internet Web Designer" can identify it as a joke, you know that even the lowest common denominator can see right through this guy.

    I can't help but wonder why even ZDNet would lower their quality control to this level.

    ------

    --
    If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
    1. Re:Read the "Talkbalk" by Anonymous+Commando · · Score: 1

      I can't help but wonder why even ZDNet would lower their quality control to this level.

      ZDNet has quality control? Oh, maybe that's Jesse Berst's job...
      ________________________

      --
      Corporate Jenga: You take a blockhead from the bottom and you put him on top...
    2. Re:Read the "Talkbalk" by Anonymous Coward · · Score: 0

      Point taken.

      -- legoboy, anon since I've posted too many comments today.

    3. Re:Read the "Talkbalk" by Anonymous Coward · · Score: 0

      What possible use can a cookie provide except for exploitation of those that visit your site? For any example you provide I can provide an alternative method for saving info on the web host's drive (secured and with the client's permission of course) that would accomplish the same task.

    4. Re:Read the "Talkbalk" by Anonymous Coward · · Score: 0

      ZDNet has been on a perpetual downward spiral in the "quality" of items they print. It's hard to accept anything they print as anything but corporate press release propaganda or complete sensationalistic horseshit. To the first point my guess is the Cookie article was probably initiated by the Novell marketing pinheads. As to the second point, I can only recommend reading this pantload of an article. -grund

    5. Re:Read the "Talkbalk" by Zagadka · · Score: 1

      What possible use can a cookie provide except for exploitation of those that visit your site? For any example you provide I can provide an alternative method for saving info on the web host's drive (secured and with the client's permission of course) that would accomplish the same task.

      And then every time people visit your site they have to log in with a userid and password, or a special PIN. What about moving from one page to the next (i.e. for a shopping cart)? You could store the state in the URL I suppose. But none of those really buy you any extra security. In fact, they might buy you less. I've seen systems where the userid and password were stored as clear-text in the URLs.

      The thing to remember with cookies is that the information comes from the server. In other words, it's information they already have. All cookies give web designers is persistent state. For most sites that persistence only lasts for the current session as well. Cookies are only a problem for the ultra-paranoid.

  5. Floride in the Water is a communist plot!! by JungleBoy · · Score: 0

    I know of at least one place in the USA that won't allow floride in the water because they know it's part of a communist plot to take over the USA. Anyone been to Santa Cruz?

    JungleBoy.

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin
    1. Re:Floride in the Water is a communist plot!! by Anonymous Coward · · Score: 0

      > FlUoride, as in flUorine not florida

      Jesus Christ, man! Now you're telling the guy F U??? He just made a little mistake! He's not bad.

  6. CC# stolen, or guessed? by Masem · · Score: 4
    There's not enough details in this article to say whether the CC# was stolen, or was guessed at by a random # generator. I know that about a year ago, I was victim to the random # generator fraud that charged $19.95 to my card, enough to rake in money, but not enough to tip people off that aren't careful with their statements. Fortunately, I caught it, called my CC bank, and got the money removed.

    The thing with the latter is due to the fact that most CC # checkers check the numbers, and not the expiration date. Thus, pass 10^16 numbers to one of the sites, and you're bound to get some cash. Once they have a number that works, then they're set.

    Therefore, he might have been hit with this instead of true CC# stealing (It's really hard to get at cookies; although there are some bugs, they require a lot of assumptions about the end user's actions). This only suggests to me that we need to make sure that CC# verification systems are more secure, and ask for the expiration date in addition to all other info. Or even better, add a PGP-like key to CC# info to make it more secure.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
    1. Re:CC# stolen, or guessed? by Thrakkerzog · · Score: 1

      Don't be such a pessimist! ;-) The person who entered it could have entered his credit card number incorrectly, and the resulting number just happened to be the Novell CC#. Also, it could have been a mix-up on the back-end.

    2. Re:CC# stolen, or guessed? by Anonymous Coward · · Score: 0

      Isn't the actual # of CC numbers for one type (i.e. Citibank Visa) more like 10^8? I thought that the first 8 are routing/identification numbers for the bank the CC is associated with?

    3. Re:CC# stolen, or guessed? by AJWM · · Score: 2

      Thus, pass 10^16 numbers to one of the sites,

      Not even that many. 10^14, tops. The first digit identifies the type of card (Visa, Amex, MC, etc) and the last digit is a checkdigit. (I used to know the formula for the checkdigit, since I coded software to check it, but that was years ago).

      And I believe the next few digits after the first identify the issuing bank, so one could probably make educated guesses about that.

      Not that there aren't a zillion other ways to just go ahead and steal real CC numbers, if one is so inclined.

      --
      -- Alastair
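The check digit AJWM mentions is the ISO/IEC 7812 (Luhn) formula. The function below is an added example, not code from this thread or from Novell, written from the merchant's side: it rejects a mistyped number before anything is sent to the card processor. The 16-digit sample numbers are constructed for the example and are not real card numbers; the 13-19 digit length range is an assumption about the card types a shop accepts.

```python
def luhn_valid(number: str) -> bool:
    """Merchant-side sanity check on a card number typed into a form.

    The last digit of a card number is chosen so that the Luhn weighted digit
    sum is a multiple of 10.  The check catches any single mistyped digit and
    almost every adjacent transposition (09 <-> 90 is the one pair it misses),
    so a typo can be bounced back to the customer immediately.  It is only an
    integrity check on the digits, not proof that a card exists or is active.
    """
    compact = number.replace(" ", "").replace("-", "")
    # Only ASCII digits; str.isdigit() would also accept characters like '²'.
    if not compact or any(c not in "0123456789" for c in compact):
        return False
    # Lengths in use for payment card numbers (assumed range for this example).
    if not 13 <= len(compact) <= 19:
        return False
    total = 0
    # Walk leftwards from the check digit; every second digit is doubled and,
    # if the result has two digits, those are added together (same as d*2 - 9).
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed example numbers (not real cards): the first carries a correct
# check digit; the others show the kinds of typing errors the check rejects.
VALID_EXAMPLE = "1234 5678 9012 3452"
SINGLE_DIGIT_TYPO = "1234 5678 9012 3451"
TRANSPOSED_EXAMPLE = "2134 5678 9012 3452"
```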
    4. Re:CC# stolen, or guessed? by Crambone · · Score: 1

      I have used my credit card online only at SSL sites which are run by companies that have really good reputations online. About five months ago I noticed a $353.14 charge on my credit card to a photo company in Texas. I contacted my credit card company and told them I didn't make the purchase, and they had me fill out the form. They took the charge off my card, and said it was under investigation. It turned out that a whole bunch of people had been calling about the same charges and it was to a fake company using "guessed" (generated) CC#s. Despite that I have still purchased about 80% of my Xmas gifts online as I have for the past 3 holiday seasons.

      When you think about it, there is not much to lose if you keep track of what you purchase and look at your statement. I have 1 credit card to make sure things don't get out of hand with multiple bills coming in at different times. Also, it is not a good idea to keep accepting credit increases; if you don't spend 10,000 per month then there is no real reason to have a limit that high. You can always call and request a limit increase; it only takes them 2 to 3 days to process it (especially if you have passed up increases in the past).

      --
      c7five
    5. Re:CC# stolen, or guessed? by LetterJ · · Score: 1

      There's also no indication that the number was obtained electronically.

      Hello, my name is Jacques, here's your bill for dinner. Would you like me to take your credit card in the back room and come back in 5 minutes?

      3 weeks later Jacques is in Colombia living the good life and the customer thinks that the number was stolen on the Internet because he ordered a book and people on the Internet steal credit card numbers. Of course he totally forgot the fact that Jacques and countless others during the month had access not only to the number, but the physical card, number, and signature, sometimes with pretty good privacy during access.
      LetterJ
      Writing Geek/Pixel Pusher
      jwynia@earthlink.net
      http://home.earthlink.net/~jwynia

    6. Re:CC# stolen, or guessed? by Negadecimal · · Score: 1

      It's more like 10^12. The first four generally identify the merchant, and the rest are customer specific. Of course, there are exceptions.

      For Discover/Novus Cards, the first four digits are always 6011. Visa cards start with 4, but can begin with one of a number of 4-digit codes. Amex cards feature only 15 digits, but I believe that only the first digit (3) isn't user-specific.

  7. Cookies are not evil but.. by Malcontent · · Score: 1

    It's true that we need to keep state in writing our web apps but maybe we should rethink this whole web app thing in the first place. Trying to write a serious commerce app over a stateless anonymous protocol is a recipe for disaster. What we need is another protocol for delivering code over the net and leave http for delivering content. Something like RMI but language independent if possible.

    BTW I know CORBA is language independent but honestly it's a bit complicated for the average developer. HTML was great because it was so simple to learn and effective at what it wanted to accomplish.

    --

    War is necrophilia.

    1. Re:Cookies are not evil but.. by jilles · · Score: 2

      I agree with this. The whole problem is that each web app deals with security in its own way. Many sites require a person to identify himself. This is commonly solved with a username/password combination. What would be nice is if there were a third party that would do user identification. Rather than providing each site with all your details you could authorize (through a certificate) a company to verify with that third party that you are you. This would also be a way to limit the amount of information you show to that company. The third party could of course maintain a database of user data but you could agree (with a contract if necessary) to restrict access to that database.

      This would solve the privacy issue and it would allow sites to verify that you are who you say you are.

      What we need for this is standards. We have standards to verify that a piece of software is from a certain company, why don't we have a standard to establish the identity of someone?

      --

      Jilles
    2. Re:Cookies are not evil but.. by Anonymous Coward · · Score: 0
      Because some of us prefer that BIG BROTHER does not know everything we do and when and at what time....Anyone foolish enuff to leave a cookie on their system long term deserves to get ripped off. I remove all cookies during boot up each time and I NEVER KEEP sensitive personal info on my PC. CC#s, address info and such are entered each time. Any other behavior is just proof of evolution in action...the stupid shall be fleeced :)

      There is ONE born every minute...Oops there he goes...

    3. Re:Cookies are not evil but.. by radish · · Score: 1
      I am so bored of this FUD....you cannot get "ripped off" from having cookies on your machine. The "worst" that could happen is you get tracked via advertising. If that bothers you, fine. If not (like me) then leave Cookies on. I do know about the subject (before I get the usual "you don't know sh**") response, and I am personally perfectly happy to use them. Cookies are used for session ID, and auto-login to some sites. So some cracker can log into TechNet with my ID? So what...The only thing I care about is stuff like banking and shopping, and I have yet to find an auto-login ecommerce site.

      --

      ---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    4. Re:Cookies are not evil but.. by jilles · · Score: 2

      You should see a doctor to get treatment for your paranoia.

      "I remove all cookies during boot up each time and I NEVER KEEP sensitive personal info on my PC."

      If I were you I would unplug the computer, lock the door and be afraid for the rest of my life. Not taking part in society is excellent defense against Big Brother. But seriously, what's the big deal with cookies? Only the site that created them can access them and they might as well store it serverside if there really is something worth storing. Cookies are mostly for your convenience so with deleting them you only give yourself extra trouble.

      Moving privacy sensitive data to a central place gives you more privacy because you know who leaked information when something goes wrong. In my view your privacy sensitive data should be legally protected (i.e. you can sue when somebody illegally accesses it).

      "Because some of us prefer that BIG BROTHER does not know everything we do and when and at what time...."

      I suppose you're not that paranoid that you don't store your money in a bank. I.e. anytime you make a payment with your creditcard (online/offline) that information is registered anyway.

      "Any other behavior is just proof of evolution in action...the stupid shall be fleeced :)"

      *sarcasm* OK, we have an Übermensch posting here. */sarcasm* Just because you learned to operate a computer doesn't make you any smarter. In fact the smart let geeks like you do the monotonous work of operating a computer since they have better things to do.

      --

      Jilles
    5. Re:Cookies are not evil but.. by Kyobu · · Score: 1

      Actually, it's not true that only the site that created them can access them. Some are that way, and some aren't. Check the Netscape options.

      --
      Switch the . and the @ to email me.
  8. I dont trust my computer, but I trust Novell ! by Manifest · · Score: 3

    I am paranoid. I don't trust any one. Cookies are bad. Javascripts are yuckkkk .. But I TRUST Novell. They are so careful people. See, they learn from their.. oops, their CEO's experience.

    I hope they implement "digitalme" soon. My cash is running out. I need a database of credit card numbers.

    Manifest

    --
    ... "follow me" the wise man said, but he walked behind ...
  9. Say what? by florin · · Score: 1

    I'm hesitant to condemn the man on the spot, because after all, he is CEO of a multimillion dollar company and one would guess that his vice presidents shield him carefully from saying anything TOO embarrassing in public. But when I read the vague 'I don't know how it worked, but I'm sure cookies had something to do with it', I really started to have my doubts.
    Are there sites that store cookies with your freshly entered credit card number in it? I can't believe it. Only thing this shows is that he lacks a fundamental grasp of what cookies are and how they work.

  10. Drink Coke (they pay me to say this) by Star+Traveller · · Score: 0
    This is a bunch of kazooie.
    Cookies are in the most part not entirely insecure.
    This shows how people always blame what they don't understand so as to put blame on something, so they can't blame themselves.

    The only way they could have lifted the cookie file is if it had too much yeast in it

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GCS/M/Sd?s-:a---->?c++UL+++P++++L++++ E+++W+++N+K-w---M-PSY+t+5?XtvbDI++
    1. Re:Drink Coke (they pay me to say this) by Anonymous Coward · · Score: 0

      Jesus Christ, guys! This guy accidentally leaves bold on and you guys flame him? Cut him some slack! He's not bad.

    2. Re:Drink Coke (they pay me to say this) by Anonymous Coward · · Score: 0

      you get flamed around here for anything...not enuff real news leaves the vultures time to circle

  11. Latest in a long line... by TBedsaul · · Score: 2

    Of CEOs shooting off their mouths to try and move product.

    Anyone else remember McAfee and the Michalangelo virus?

    1. Re:Latest in a long line... by Anonymous Coward · · Score: 0

      I suppose that there aren't any Slashdot readers who have slammed Windows and in the same breath extolled the virtues of Linux... ;-)

    2. Re:Latest in a long line... by Anonymous Coward · · Score: 0

      only when both of them deserved it :) and the opportunity does arise a lot :)

    3. Re:Latest in a long line... by TBedsaul · · Score: 1

      Yes but strangely, my salary never increases as the number of Linux users goes up.

  12. It's just one of those necessary evils. by tweder · · Score: 2

    Sure, you could rant and rave about how bad cookies suck - but what would you do without shopping carts, user preferences, and *GASP* slashboxes? Of course I suppose you could petition all programmers to use Php4's session functions and not only get nowhere fast, but get rid of cookies all together.

    1. Re:It's just one of those necessary evils. by Anonymous Coward · · Score: 0

      PHP4 will support Session? How about Application? That kicks ass.

      IIS has been doing this for ages, I'm glad that OSS developers are no longer being so pigheaded and stubborn about the academic pursuit of software development, and actually doing something *practical* like Microsoft and Novell have been doing for twenty-odd years. I guess that would mean an end to crappy software like GNOME and Fetchmail, then...

    2. Re:It's just one of those necessary evils. by tzanger · · Score: 1

      Sure, you could rant and rave about how bad cookies suck - but what would you do without shopping carts, user preferences, and *GASP* slashboxes?

      Actually cookies DON'T suck at all... the implementation by braindead web-developers sucks... I mean think about it...

      why have a cookie with all that info, just return a GID-style string that is unique for you and keep all the state info on your own goddamn server, just asking the end user for his/her/its ID?? no more problems.

    3. Re:It's just one of those necessary evils. by Anonymous Coward · · Score: 0

      Slashdot's reliance on cookies is the reason I post as AC. Not because I fear cookies, but because I haven't implemented them yet.

  13. Oh no! by pen · · Score: 2

    Rob just stole your credit card! Look out!

    1. Re:Oh no! by TBedsaul · · Score: 1

      THAT explains all the pr0n charges to my account.

      At least, that's what I'll tell my wife :D

    2. Re:Oh no! by Anonymous Coward · · Score: 0

      Jesus Christ, dude... lay off of Rob! He's not bad.

    3. Re:Oh no! by Anonymous Coward · · Score: 0

      I wish I had this much free time

  14. Like we need another "cookies are bad" headline by chart · · Score: 1

    Shame on ZDNet for this headline. It flashed across my MSNBC breaking news thingy, too.

    Lots of people may see this headline, but not read far enough into the article to see it's a thinly-veiled product plug. Now all the newbies have one more reason to think cookies are some evil scam.

    Grrrrrr.

    -- Cara

    --
    Cara Hart chart@eNOSPAMfurn.com Systems Administrator eFurn.com, LLC. and ARITEK Systems, Inc.
  15. .... by Signal+11 · · Score: 2
    RUN! It's OSCAR THE GROUCH, and he's running an E-COMMERCE site!

    I'm the guy who writes those silly fortunes. =)

  16. Credit Cards Online by rodbegbie · · Score: 3
    Let's get this straight once and for all.

    It is NOT easy to grab a credit card number on-line. Sniffing packets, intercepting e-mails, grabbing cookies, etc. is bloody hard work. Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.

    I am willing to bet $50 that Mr. Schmidt has at some point in the last 6 months handed over his credit card in a restaurant. Doing that is opening up his card number to a wider audience than using it on Amazon.com ever could.

    However, it is helluva easy to use a credit card number online, once you have it. Go on, fill in a few forms, and it doesn't matter if you're a 13-year-old boy in Arseville, Tennessee -- you can use that card number from the 70-year-old woman in Alaska who wouldn't know a modem if it bit her on the arse.

    Last week, I found a $60 Amazon.com charge on my card which wasn't mine. I don't blame the internet. I don't blame Amazon. I don't blame cookies, SSL, e-mail, or Elvis.

    I don't even care that much. So what? I shout a bit, get my $60 back, and carry on like nothing ever happened. No big deal.

    This kind of thing has been happening for years on the phone. This is nothing new, except for the sheer volume of fake transactions. But until the card companies make it easier to verify transactions on the fly (see Philip Greenspun's excellent book for a description of how pathetic the whole thing is), it's not going to get better any faster.

    Just don't forget to burn your carbons.

    rOD.


    --
    Rod Begbie done this, and he's not
    1. Re:Credit Cards Online by Junks+Jerzey · · Score: 1
      Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.

      This always comes up in these discussions, just as fraternities always drag out the "But we also do charity work!" line whenever they get busted for hazing. Has anyone who uses the above argument ever gone dumpster diving for CC numbers? I expect that the companies that provide credit card processing services for merchants are pretty hard-nosed about keeping numbers secret. If Sears throws all their receipts through a shredder, are you really going to be able to sift through that mess and find one good number? You'd be better off picking numbers randomly.

    2. Re:Credit Cards Online by KnightStalker · · Score: 1

      Ever look at YOUR receipts when you use a credit card? One from Sun Coast Motion Pictures and one from Papa Murphy's. Used my check card on both of them. Both of them have my Visa number and expiration date printed on them. But I'll bet you NEVER throw your receipts away.

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    3. Re:Credit Cards Online by KnightStalker · · Score: 1

      er... insert "I just pulled two receipts out of my wallet" after the first sentence there :-)

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    4. Re:Credit Cards Online by zantispam · · Score: 2

      "Has anyone who uses the above argument ever gone dumpster diving for CC numbers?"

      Yup.

      "If Sears throws all their receipts through a shredder, are you really going to be able to sift through that mess and find one good number?"

      Having worked at a mall before, I can assure you that most places (not all) do very little in the interest of CC security. None (that I saw) even owned a shredder, much less used one.

      As an example, the place where I worked threw the carbons out with the trash. The trash went into the dumpster. Within the span of ten minutes, I promise I could dig up 50+ CC numbers out of one bag of trash. (if I could stand the smell :-)

      And it's worse during the holidays. :-p


      Jedi Hacker (Apprentice) and Code Poet

      --

      censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
    5. Re:Credit Cards Online by Anonymous Coward · · Score: 0

      Having worked in a restaurant I know for a fact that we disposed of hundreds, even thousands of CC receipts a night. At most we'd tear them in half and it'd be absolutely no work to put them together again. Although it's easy to envision the retailer of the future that goes to great lengths to protect the consumer, the sad reality is that most people are extremely lazy.

      On top of that I think of the countless delivery guys who I've handed over my CC to. If one of them was on the net in a CC group... One very large pizza chain in my locality, EVEN IF YOU SAY YOU WANT TO PAY CASH, feels some odd need to print your credit card number/expiry date on the bill! (which they've carefully pushed away in their database from a previous call...without bothering to ask me if I want this in some undoubtedly grossly insecure DB)

      Although I wouldn't say we should tolerate less security on the net, it is amazing how lax and pathetic privacy policies and security standards are in "the real world". I primarily blame the credit card companies however: Couldn't they make the CC standard just a BIT more secure. For example I'd like a system where I obtain a secure connection to Mastercard, enter my secret info, enter a new transaction request and the approximate amount, and get a PIN that can be used for one following transaction, and then I give that and my card number to the desired retailer. The current system is just preposterous and we all pay for it through higher charges, not even counting the people who don't even notice they are being ripped.

  17. How Very Unfortunate by Kozz · · Score: 1
    It really ticks me off to see people spreading the FUD about cookies. Especially when it's all in the vein of marketing. Clearly, Schmidt wants to plug his new "digitalme" online identification-management service, and needed a good reason to do so. Here's another example of someone exploiting the media to get gratuitous advertisement. He wants to say that his "digitalme" is better than cookies, and that's all fine and dandy. But it's not a real big deal yet. But maybe if he claims that he was the victim of credit card fraud through insecure cookies it will get him more attention. Hell, he's not even sure it was due to cookies (if it even happened at all):
    Although he isn't sure exactly how his card number was lifted, Schmidt says he believes it was through a mechanism that reads the cookies-files sitting on a user's desktop and storing personal information, such as passwords and preferences.
    Besides this, most any company that I would do online business with has the integrity & knowledge to NOT store credit card information in my cookie. Very few do so.


    Quidquid latine dictum sit, altum viditur.
    --
    I only post comments when someone on the internet is wrong.
    1. Re:How Very Unfortunate by gorilla · · Score: 2
      Besides this, most any company that I would do online business with has the integrity & knowledge to NOT store credit card information in my cookie. Very few do so.

      I agree, I've never seen any cookies storing cc numbers. I've seen userids, email addresses, zip codes, all sorts of stuff, but never cc numbers.

      If any website is storing cc numbers, or anything else which is sensitive, we should publicly scold them until they do. Anyone got URLs to check out?

  18. Oh, not again... by Millennium · · Score: 2

    Yes, there are quite a few problems with cookies. The major two have to do, of course, with encryption. The encrypted storage is depressingly easy for a browser company to fix; I can only wonder why Netscape, Mozilla, or even IE hasn't at least done a weak scheme (at this stage, with the RSA patents set to expire in less than a year unless I'm mistaken, Mozilla will probably be the first to do it).

    The problem of sending cookies in cleartext is harder. The solution is of course encrypted communication. For anyone with Apache this shouldn't be too difficult (SSL should be sufficient)... except for the whole certificate problem. I'll be glad when encryption is built into the protocol.

    Come to think of it, the only way this credit-card number could have actively been stolen would be if the sessions hadn't been encrypted. Does this mean that one of the "great" computer executives was actually stupid enough to give his credit card number to an insecure site? I find that hard to believe, though if he's trying to hawk his own wares I suppose it could be some kind of play.

    More likely he simply fell victim to a credit card number generator (which exist all over the place) and blamed cookies since he could use that as an advertisement.

    1. Re:Oh, not again... by gorilla · · Score: 3

      I personally prefer having my cookies unencrypted. I go in every so often and clean out the ones I don't want. If they were encrypted, then I couldn't do this.

    2. Re:Oh, not again... by Anonymous Coward · · Score: 0
      The "problems" you point out are non-existent. Cookies are set by the server. The server can encrypt whatever information stored in a cookie before sending it off to the client computer.

      This means that whether the communications path is insecure means nothing. It also means that used properly, the user cannot even change the value of a cookie without it being detected at the server. The user will also have zero knowledge of the information that is being stored in the cookie.

      So cookies can be made secure over insecure communication links and tamperproof. No changes needed, except education for clueless "web-programmers".
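      The server-side tamper detection this comment describes, as an added example rather than code from the thread: the server appends an HMAC tag under a key only it holds, so a client that edits the cookie body (or forges one) is rejected on the next request. It covers the integrity half of the claim; keeping the contents hidden from the user would additionally need real encryption from a vetted library, which is left out here. Function names such as `sign_cookie` and the demo key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for the demo; a real deployment loads it
# from a key store, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    """Inverse of _b64encode; restores the stripped padding first."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def sign_cookie(payload: dict, key: bytes = SERVER_KEY,
                ttl_seconds: int = 3600, now=None) -> str:
    """Serialise payload plus an expiry and append an HMAC-SHA256 tag.

    Only state the server is happy to show the user belongs here (a user id
    or session id, never a card number); the tag proves the server issued it.
    """
    now = time.time() if now is None else now
    body = dict(payload, exp=int(now) + ttl_seconds)
    encoded = _b64encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64encode(tag)}"


def verify_cookie(value: str, key: bytes = SERVER_KEY, now=None):
    """Return the payload if tag and expiry check out, otherwise None.

    The MAC is checked before the body is parsed, so untrusted input never
    reaches json.loads; compare_digest keeps the comparison constant-time.
    """
    now = time.time() if now is None else now
    encoded, sep, tag_text = value.partition(".")
    if not sep:
        return None
    try:
        presented = _b64decode(tag_text)
        expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None
        body = json.loads(_b64decode(encoded))
    except ValueError:          # bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    return body


def tamper(value: str, **changes) -> str:
    """Simulate a client editing its own cookie while keeping the old tag."""
    encoded, _, tag_text = value.partition(".")
    body = json.loads(_b64decode(encoded))
    body.update(changes)
    forged = _b64encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    return f"{forged}.{tag_text}"


if __name__ == "__main__":
    cookie = sign_cookie({"uid": 4242})          # constructed user id
    print("issued:  ", cookie)
    print("verified:", verify_cookie(cookie))
    print("edited:  ", verify_cookie(tamper(cookie, uid=1)))   # None
```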

    3. Re:Oh, not again... by rent · · Score: 1

      IE5 keeps the cookies encrypted..
      So I have the problem you mentioned.

      I have 234KB worth of cookie files, of which 4 of them are from slashdot which look something like:

      user
      %2536%2536%2533%2535%2535%253a%253a%256d%2561%256c%2569%256e%2565%2574
      slashdot.org/
      0
      152228096
      29383324
      3320002304
      29309901
      *

      Any ideas on how to unencrypt it?

  19. Other things worry me more by meckardt · · Score: 1

    Sure, it's possible for a clever Cracker to get at my cookies. But I'm not too concerned with it. The guys who are that good have bigger fish to fry.

    I'm more worried about some store clerk collecting card numbers and passing them on to someone else. That is a lot more likely to happen in the real world!

    Mike Eckardt meckardt@yahoo.spam.com

  20. Big problem with cookies by twit · · Score: 4

    The big problem with cookies, I think, is that they're misused. You should maintain state, not useful information, using cookies. They're perfect for stuff like a session ID, a user ID, that kind of thing, which does not need to be kept secure.

    Credit card numbers should either be kept in a back-end database, or (preferably) not at all. I'd prefer it happen the latter way. I like net commerce as a bright idea (both generic and in the IBM-branded net.commerce) and have even worked on some commercial sites, but that's part of the problem: you don't want schmoes like me safeguarding your credit card :).

    If Novell's CEO is having problems with credit cards kept in cookies, it isn't the fault of the medium but the way it's being used. If anything, we should adopt best practise standards which keep credit card numbers secure and press business software vendors, like IBM or MS, to do the same.

    Of course, I suspect that it wasn't the fault of cookies at all; it was a cracked machine or even a shopclerk who swiped his card twice. But that's just my nasty, nasty suspicion.

    --
    There is no premature anti-fascism. -Ernest Hemingway
    1. Re:Big problem with cookies by irix · · Score: 2

      As a web developer who does this kind of stuff, I can tell you that 99% of places only use cookies for that reason - keeping state.

      Quite frankly, this is the only way to keep state after you close your browser. Rob is right - if you like personalization, etc. then you better like cookies.

      more your ~/.netscape/cookies file and see what is in there. Mine is over 20K and all it is is user id serial numbers.

      The other thing to note with cookies is that many places use temporary cookies - stored in RAM only and never stored on your hard drive. They terminate when you close your browser.

      --

      Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
    2. Re:Big problem with cookies by jon_c · · Score: 1

      In my last project we used hidden input tags to maintain state. Basically we would pass in all the state fields into each page over and over again. While this does work, the pipe was taking a little more data than it should have, and things like "bookmarks" wouldn't work.

      Key to the trick was that the whole page was in a big . Any anchor link would actually be routed to a javascript function that would submit the form. There were some other things we had to work out, but I don't want to violate any NDA or whatever. After hearing about the whole Amazon.com 1-Click BS, you can't be too paranoid.

      This of course is not a real solution, it's a hack. Unfortunately there isn't any good standard solution. Maybe this thing from Novel is good, but on principle I'm not going to endorse it. that "my credit card was stolen from a cookie" crap is just to much.

      -Jon

      --
      this is my sig.
    3. Re:Big problem with cookies by Royster · · Score: 2

      more your ~/.netscape/cookies file and see what is in there.

      Hmmmm. Let's see. Three cookies for the NYTimes site. One for Slashdot. One for Gist (an online TV guide)

      That's it.

      If all developers ever cared about were state, then cookies that do not persist when the browser was closed or ones with short termination dates would be necessary. Why can't I be the one to determine how long cookies are kept? As it is, I decline cookies unless *I* have a reason to keep it. Any site that presents me with too many cookies dialogs does not get revisited.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    4. Re:Big problem with cookies by Fastolfe · · Score: 1

      They're perfect for stuff like a session ID

      I'm sorry but any developer that uses a cookie to store a full credit card number needs to be fired (out of a cannon).

      No competent developer in his right mind would implement something as stupid as this. You're absolutely right, cookies should only be used for state information.

    5. Re:Big problem with cookies by Rakarra · · Score: 1
      Key to the trick was that the whole page was in a big . Any anchor link would actually be routed to a javascript function that would submit the form. There were some other things we had to work out, but I don't want to violate any NDA or whatever. After hearing about the whole Amazon.com 1-Click BS, you can't be too paranoid

      (OT)
      And was it really worth it? This is one of my biggest pet peeves about some websites -- overuse (or use) of Javascript where it just isn't necessary. I like to surf around with Javascript turned off, and it annoys me when none of the links work on a site that tries to be really flashy, because all the links are just JS calls.

    6. Re:Big problem with cookies by twit · · Score: 2

      In my experience, JavaScript is an excellent way to pass some of the server-side processing on to the client, not to mention all the client-side tricks which can make your job much easier.

      I'd personally like to do mostly script-free sites, or at least offer script-free alternatives, but clients simply will not pay for that - it's their business to address the great majority of browsers, and that quite often means neglecting alternative browsers (or any other than the strict mainstream) and users who customize their browser config.

      In other words, it's a no-win situation for an architect to suggest - "you want to spend how much money addressing the needs of how few users?". You start losing proposals if you end up playing technology pedant like this, and unfortunately consulting is the game of winning, not losing, proposals.

      A lot of the cutting-edge UI stuff relies on javascript, but the core functionality shouldn't. IMHO, of course. But clients pay for as much eye-candy as they can afford, and because it tends to attract repeat visitors it is a strategy that works. I disapprove of it on personal and puritanical grounds, but it does pay the rent :).


      --
      There is no premature anti-fascism. -Ernest Hemingway
  21. Credit Card Authentication Services by Evil+Greeb · · Score: 1
    Okay, now smart cards are obviously the solution here, but your average online purchaser isn't going to have a card reader for a while.

    So here's my suggestion...

    When a person is issued with a credit/debit card account, they are asked if they want to make online purchases. If they think they might want to, the bank supplies them with a small device, like a pager.

    Whenever a customer wants to make a purchase, they enter their credit card details and send them off, where the mod 10 algorithm and expiration dates are checked.

    If this passes the test, the bank sends a message to the pager-like device asking the user if he/she authorises the transaction. The device has at least 2 buttons, maybe 3: one for "yes", one for "no", one for "alert, someone else is trying to use my account!"

    I think it would be a good idea for a bank to provide this sort of service, because then users would be much happier with their security, and less worried about the possibility of online fraud.
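    A sketch of the bank-side flow this comment proposes, added here as an example and not code from the thread: the mod 10 (Luhn) and expiry checks run first, and only a passing request is handed to the customer's device, whose yes/no/alert answer decides the outcome, with "alert" flagging the card for later requests. The `Bank` and `Transaction` names are assumptions, and the card number used below is the well-known Visa test number, not a real account.

```python
import datetime as dt
import enum
import itertools
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Mod 10 (Luhn) check: catches typos and random digit strings, no more."""
    stripped = number.replace(" ", "")
    if not stripped.isdigit() or len(stripped) < 12:
        return False
    total = 0
    for position, digit in enumerate(int(c) for c in reversed(stripped)):
        if position % 2 == 1:          # every second digit from the right doubles
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def not_expired(month: int, year: int, today: dt.date) -> bool:
    """A card stays valid through the last day of its expiry month."""
    return (year, month) >= (today.year, today.month)


class Outcome(enum.Enum):
    REJECTED = "rejected by pre-check"
    PENDING = "awaiting device response"
    APPROVED = "approved by customer"
    DECLINED = "declined by customer"
    ALERT = "declined and card flagged"


@dataclass
class Transaction:
    card: str
    exp_month: int
    exp_year: int
    amount: float
    merchant: str
    outcome: Outcome = Outcome.PENDING


@dataclass
class Bank:
    """In-memory stand-in for the issuer (assumed, not a real system)."""
    today: dt.date
    flagged: set = field(default_factory=set)      # cards a customer hit "alert" on
    pending: dict = field(default_factory=dict)    # txn id -> Transaction
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def submit(self, txn: Transaction):
        """Cheap checks first; only a passing request reaches the pager."""
        card = txn.card.replace(" ", "")
        if (card in self.flagged or not luhn_valid(card)
                or not not_expired(txn.exp_month, txn.exp_year, self.today)):
            txn.outcome = Outcome.REJECTED
            return None
        txn_id = next(self._ids)
        self.pending[txn_id] = txn
        # In the proposal the id, amount and merchant now go out to the device.
        return txn_id

    def device_response(self, txn_id: int, button: str) -> Outcome:
        """Apply the customer's button press to the pending transaction."""
        txn = self.pending.pop(txn_id)
        if button == "yes":
            txn.outcome = Outcome.APPROVED
        elif button == "no":
            txn.outcome = Outcome.DECLINED
        elif button == "alert":
            txn.outcome = Outcome.ALERT
            self.flagged.add(txn.card.replace(" ", ""))
        else:
            raise ValueError(f"unknown button {button!r}")
        return txn.outcome


if __name__ == "__main__":
    bank = Bank(today=dt.date(2000, 1, 15))
    txn = Transaction("4111 1111 1111 1111", 12, 2001, 60.0, "example shop")
    txn_id = bank.submit(txn)
    print("pre-check passed:", txn_id is not None)
    print("customer pressed alert:", bank.device_response(txn_id, "alert"))
    retry = Transaction("4111111111111111", 12, 2001, 5.0, "example shop")
    print("same card again:", bank.submit(retry), retry.outcome)
```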

    1. Re:Credit Card Authentication Services by Anonymous Coward · · Score: 0

      what if i want to use my credit card at a kiosk or at someone else's computer...your system has some large convenience holes but technically it is correct..I'd never use it. What if i do not have a port for this useless device or i do not want it. This hype is BS..this joker is a liar or very stupid..either one does not constitute an emergency on my part..I hope the thieves got a bundle of this bozo :)

    2. Re:Credit Card Authentication Services by Anonymous Coward · · Score: 0

      Since your pager would be connected server side to the bank, and is only used for authentication you could use some pretty strong encryption hmmmm. Max Fenig

  22. "funny as hell" by Anonymous Coward · · Score: 0

    how funny is hell?

    1. Re:"funny as hell" by Anonymous Coward · · Score: 0

      Hell is not funny. I'm a permanent resident and can tell you that Lucifer's sense of humor just isn't what it used to be. If it weren't for my frequent trips to earth for the humor you call the US president, I don't know I'd do.

      -Az

    2. Re:"funny as hell" by Powers · · Score: 1
      I dunno, this is pretty funny. =)

      Powers&8^]

    3. Re:"funny as hell" by Glytch · · Score: 1

      Ah, relax. My sources in Amnesty Interfactional say that nothing in Hell is any worse than the shade of pink on the walls.

  23. Banner ad that set cookie by jyang · · Score: 1

    I am always curious on this one, hope this is not off topic:

    What's the implication of a banner ad that sends me a cookie?

    As far as I can think of, using this cookie, the ad provider company will know on which page I viewed their ad; can they get more info out of this?

    --
    --- You make things foolproof, and they'll find you a damn fool.
    1. Re:Banner ad that set cookie by RedX · · Score: 1
      As far as I can think of, using this cookie, the ad provider company will know which page I viewed their ad, can they get more info out of this?


      Well, they can then match up this cookie with other cookies from them that you have, giving them a pretty good history of your web travels. And they may even eventually grab your personal information from a survey, contest, or other source and match that up to your web travels in a nice database. Who knows what other companies this ad provider might buy/merge with in the future and what the info in this database will be used for?

    2. Re:Banner ad that set cookie by Anonymous Coward · · Score: 0

      See the comment under the Nickname "Manifest" earlier in this thread. It contains links to a couple of excellent articles and discussions on the subject.

    3. Re:Banner ad that set cookie by Dicky · · Score: 4
      This, unfortunately, is one of the larger and more worrying misuses of cookies. There are actually a relatively small number of companies online who 'do' banner ads. The large sites (C|net, /., Yahoo, etc.) do their own banners, and smaller sites usually don't have banners, but most medium-sized sites use one of the small number of banner ad agencies.

      The problem is that the agency can track you across multiple sites. If you visit www.site1.com, you can only get a cookie which will be sent back to that server, right? WRONG. While you were at www.site1.com, you viewed a banner from ad.doubleclick.net (for example). The problem is that when you visit www.site2.com, which should not be able to 'see' the cookie from www.site1.com, you took another banner from ad.doubleclick.net. This means that Doubleclick can track you between sites, which is a bad thing. I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

      I have no problem at all with certain sites using cookies. I am currently (since earlier on this week) using Junkbuster, and I have it set to allow cookies from Slashdot, LinuxToday, Amazon, and a couple of stock sites. If anyone else wants to send me a cookie, they can ask me and I'll decide on each individual case. At least I have the choice.

      --
      Paranoia isn't an infectious condition, it's a way of life
    4. Re:Banner ad that set cookie by RedX · · Score: 1
      I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you.

      Could this be from our beloved Doubleclick as well, considering they just announced they're moving into email spamming? Fortunately my computer resolves doubleclick.net as 127.0.0.1

    5. Re:Banner ad that set cookie by Anonymous Coward · · Score: 0
      Could this be from our beloved Doubleclick as well, considering they just announced they're moving into email spamming? Fortunately my computer resolves doubleclick.net as 127.0.0.1
      Doubleclick.net has several weird business practices. I used to have 700k+ of PING icmp packets from various ips in doubleclick.net for no apparent reason. I finally figured that they (used to at least) ping your machine from different ips when they serve you an ad. Why? no idea. As for cookies, there is no way i'm going to accept any from doubleclick.net, much less open any email from them ;)
    6. Re:Banner ad that set cookie by Anonymous Coward · · Score: 0

      so how about implementing a cookies.allow file into mozilla or something? that would solve everyone's problems.
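      A simulation of the cross-site tracking this sub-thread describes, added here as an example and not taken from the thread: two first-party sites embed a banner from the same ad host, and the browser's jar hands that host's cookie back no matter which page embedded the banner, so the agency can join the visits. The same run with a Junkbuster-style allowlist (the cookies.allow idea above) shows the link disappearing. Hostnames and the class names are constructed.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class AdServer:
    """Third-party banner host; logs which page each cookie id was seen on."""
    host: str
    log: list = field(default_factory=list)   # (cookie id or None, embedding page)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def serve_banner(self, cookie, page_host):
        """Return a Set-Cookie value on first sight, None once the cookie is back."""
        if cookie is None:
            cookie = f"visitor{next(self._ids)}"
            self.log.append((cookie, page_host))
            return cookie
        self.log.append((cookie, page_host))
        return None

    def profiles(self) -> dict:
        """Pages grouped per cookie id: what the agency can reconstruct."""
        out = {}
        for cookie_id, page in self.log:
            out.setdefault(cookie_id, []).append(page)
        return out


class Browser:
    """Minimal cookie jar: one cookie per host, sent only back to that host."""

    def __init__(self, allow=None):
        self.jar = {}          # host -> cookie value
        self.allow = allow     # None accepts every host; otherwise a set of hosts

    def _store(self, host, value):
        # A Junkbuster-style allowlist simply refuses Set-Cookie from other hosts.
        if self.allow is None or host in self.allow:
            self.jar[host] = value

    def visit(self, page_host, ad: AdServer):
        # First-party cookie: the site's own session, never sent elsewhere.
        self._store(page_host, f"session-for-{page_host}")
        # The page embeds a banner; that request carries only ad.host's cookie,
        # regardless of which first-party page triggered it.
        set_cookie = ad.serve_banner(self.jar.get(ad.host), page_host)
        if set_cookie is not None:
            self._store(ad.host, set_cookie)


def tracked_sites(allow=None):
    """Browse two sites (and the first one again); return tracker view and jar."""
    ad = AdServer("ad.agency.example")
    browser = Browser(allow=allow)
    for site in ("www.site1.example", "www.site2.example", "www.site1.example"):
        browser.visit(site, ad)
    return ad.profiles(), browser.jar


if __name__ == "__main__":
    print("accept all:", tracked_sites()[0])
    print("allowlist: ", tracked_sites(
        allow={"www.site1.example", "www.site2.example"})[0])
```

With cookies accepted from everywhere the tracker sees one visitor on three page views across both sites; with the allowlist it sees three unrelated first-time visitors.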

    7. Re:Banner ad that set cookie by Anonymous Coward · · Score: 0

      You are one hundred percent correct on these counts. I work in third party trafficking for a rather large online advertiser (won't say which) and we frequently utilize cookies to get email addresses. Although we have yet to use them for any projects, the idea of using them in a permission marketing campaign has been bandied about. It might sound very paranoid, but for my home surfing I disable my cookies, which is inconvenient, but gives me more of a sense of security.

  24. A prediction (?) about smart cards by dmorin · · Score: 5
    A few years ago I did a commercial system for using digital certificates to identify yourself to a web site. It was generally liked as being nice and secure, but hated as being too hard for the consumer to understand. That was before smart cards.

    Imagine that, as a web surfer, you have a smart card that identifies you as a web surfer. Personally I am a believer that you should have to identify yourself as adult/child in order to cruise some areas of the web, but that's my personal opinion. But that's not for this thread to discuss. Add to the smart card some sort of bio sensitive way to identify yourself, maybe a thumb, maybe an iris scan. The key being that everything you need (short of the reader hardware) is stored on the card. You can take it with you to any browser (unlike cookies).

    Your smart card not only identifies you, it has a profile on you. It can keep your web site preferences, but it can also keep your buying habits, etc. And your age, marital status, and so on. It's here that people scream bloody murder about privacy on the net. But here's my hopeful suggestion : that your profile will come with trust zones. If you're doing anonymous surfing, maybe all the site gets is your age -- or maybe nothing at all. For sites you want to register with long enough to read a story (like NYTimes), you let them have your name but not your profile. And so on. For trusted sites like slashdot you set up preferences. For sites where you are actually a customer of some sort, you let them have your profile (linking in yesterday's discussion about IBM's miniature vegetable commercials).

    Wouldn't this be nice? My company has a large number of business units, each with their own web site, and we've worked to set up a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses? Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want? Wouldn't it be nice to have a mini-profile that you could use to bootstrap your registration to new sites?

    My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains. A web site couldn't just tell the card "Give me the whole profile". It would have to say "Please validate me as being a trusted site and give me whatever information I am entitled to." And then, in something of an ironic twist, *it* has to identify itself to *you*, and you get to decide what to do next.

    Will this happen anytime soon? I wish. I think the reason that digital certificate authentication didn't catch on is that it was too confusing to get the certificates into the browsers, people didn't want to give up their passwords, and the certificates weren't portable. In a world where you have a smart card reader built into your keyboard, these problems seem like they might go away. Nobody thinks twice about having to flash a passport when flying internationally, and they usually only grumble a little bit about being carded at the local bar. Is it really that much of a stretch to think that there'll come a day when you take your webId card out, stick it in the slot, and then periodically answer a question about how much information you want to provide to the web site you just visited? I don't think it's really all that bad.

    I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?

    d

    1. Re:A prediction (?) about smart cards by Powers · · Score: 1
      Sounds like a great idea. I assume you intend a company to market these cards? Would they be free, or would you have to pay an annual fee?

      One potential drawback I see is theft of the actual card. That's a problem with anything you carry in your wallet, of course, but the problem is still there.

      Of course, then there's the fact that I don't want to have to go fetch my wallet when I trudge out to the computer in my PJs every morning. =)

      Powers&8^]

    2. Re:A prediction (?) about smart cards by Anonymous Coward · · Score: 0

      >I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?
      Way off. To download the very needed latest patch from microsoft.com (or about everyone else), you'll have to give them full access to your 'smart card' (like you currently have to enable cookies to get to some sites, to give a valid email address to download demo software...)

    3. Re:A prediction (?) about smart cards by Anonymous Coward · · Score: 0

      God, this is like a description of the unholy synthesis of the ultimate wet-dream of marketers and Louis Freeh.

      The reason this shit has failed in the past, and will fail in the future is two-fold.

      First, every company will get into an endless Beta-VHS standards war seeking to control the standard and therefore the royalties. If it don't work everywhere, it don't work in the real world. If a company/organization managed to get past the standards war, it would be virtually impossible to resist the temptation to gouge the hell out of the consumer - thereby killing the market.

      Second, this type of "universal profile" turns people off. The corporate types have managed to pervert the system to the point that the "rights" of a massive corporation to use _MY_ personal property (in the form of information) have absolute precedence over my rights. I cannot even legally prevent personal information from being shared between completely unrelated business that happen to be under the same corporate umbrella. To the extent that I can, I do not do business with such entities. However, thanks to the recent banking "reform", there is only going to be 2-3 firms doing banking/insurance/finance within 10 years (probably 5).

    4. Re:A prediction (?) about smart cards by dmorin · · Score: 2
      Sounds like a great idea. I assume you intend a company to market these cards? Would they be free, or would you have to pay an annual fee?

      The business logic of the poor adoption of smart cards has been that they're currently too expensive. Nobody will pay $5 just for a card, especially if there are a number of different entities that each expect you to get your own card. As an example, they have "SpeedPass" at my local gas station. It's a smart card that's in a keychain; you wave it at the pump instead of having to get out a credit card. This is a free service. I don't think anybody would pay for the card, because then they would worry about whether they lost the card, or it got worn out, or whatever. When it's free they can always get a new one.

      So, smart cards won't be truly adopted until they're "relatively" free (maybe a cost of $1 or something could be eaten by other fees). As for who sponsors/provides them, the question turns to one of identification. Traditionally you rely on a government agency to provide your identification (passport, driver's license, birth certificate...) so it's logical to extend that into this arena. But again, people will go bananas if you start talking about the government being involved in such a thing when it relates to the web.

      Who knows. Maybe some enterprising company will figure out a way to market the cards as essentially free, but then sell the readers. The trick there would be in fostering the adoption of the card/standard. You'd need to get all kinds of retailers on board that use your card, so that people would get use out of it. This has been tried numerous times with a variety of "electronic cash" methods, but none have really caught on that I know of.

    5. Re:A prediction (?) about smart cards by dmorin · · Score: 2
      The reason this shit has failed in the past, and will fail in the future is two-fold.

      This logic implies that "Those who do not study history are doomed to repeat it" is incorrect. That industry does not learn from its mistakes. This might be true, I don't know. I don't think it is. You're welcome to. There's no real way to tell if it's an absolute truth, now is there?

      First, every company will get into an endless Beta-VHS standards war seeking to control the standard and therefore the royalties.

      And by this logic, we would never have settled on the magnetic stripe card, would we? Somewhere along the line competing places like Visa and Mastercard got together enough to agree on the format. Why is it so unbelievable a stretch that this couldn't happen with smart cards, which are often compared very closely to magnetic stripe cards? There's a darwinistic element to the introduction of a standard, no question about it. And we all know that it's not usually the technically superior standard that wins. But a standard does usually emerge. It's not an endless battle.

      Second, this type of "universal profile" turns people off.

      Define "people" in this case. You forget that most people out there are not freedom fighters. They are consumers. More than that, they are lazy, cheap consumers. It's cost-benefit analysis. What am I giving up by having the card? What benefit does the card give me? If people perceive that the card makes life easier, they are likely to use it. If you don't want to use it, fine. I know people that don't use ATM cards for many of the reasons you list. Fine. But that hasn't stopped them from becoming very popular.

      d

    6. Re:A prediction (?) about smart cards by Signal+11 · · Score: 1

      I posted this exact idea about 4 months ago about so-called "smart cards". The problem is that unless they have built-in circuitry to limit the information being extracted, it's up to the reader to determine what information gets sent, and how secure it is. Client-side security, in other words. Smart cards can't be cards - not yet anyway. We need something with a UI, whether it be a keypad with an LCD display or a palm pilot.. to control information being sent.

    7. Re:A prediction (?) about smart cards by Royster · · Score: 2

      Wouldn't this be nice?

      No, not really.

      My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses?

      No.

      Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want?

      Yes. I don't want to identify myself to every website that I visit. Frankly, most sites I visit once and never return. Neither do I want preferences set at every website that I visit. Most sites aren't as configurable as /.

      My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains.

      My point is that I have the brains. I don't want a smart card giving out any information on me. I don't need the card. If I want to lie to a site and tell them that I am a 75 year old lesbian mother of three, I will do so. I don't need your smart card and I don't want it.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    8. Re:A prediction (?) about smart cards by DeadSea · · Score: 2

      No. Its not a great idea. In return for me giving information to anybody, I expect to get something in return. I also expect that there should be some reason I should have to give info to get what I get in return. I don't want to give everybody my information, and if I have the choice of whether I give or not, I don't want it to be an all or nothing proposition.

      I usually browse the web with cookies turned off and only turn them on when I need to to look at a site, or if doing so would really make my life easier. I usually delete most of my cookies daily, except for a few sites which I use often and having cookies will save some state which I want saved.

      I often sign up for something on the web using false information. Why should I let my free email service know anything about me other than my real name so they can tell people who I send mail to, who it is from? Maybe they want to know my income and marital status, but they won't get it just because they can target ads at me better. If I buy something, they get my address and credit card, but no more. Certainly not my real phone number.

      I can't believe anybody would use a system where they say "here, take my info and share it. Shaft me for all I worth, please!!!"

    9. Re:A prediction (?) about smart cards by dmorin · · Score: 2
      You may have the brains, but I'm not sure where you apply them. You took from my post that I was somehow not attempting to solve the problem, but instead trying only to get all the information into one place where it would still be fully accessible. I never said "identify yourself to every website you visit" or "set preferences at every website". As a matter of fact, for your "most sites I visit once" argument I specifically said that you could/would set up an "anonymous" mode where the card was completely off.

      Read what I wrote again, and you'll see that you still get to use your brain. All the card does is regulate and structure the flow of information. You still get to set up the whole "trust" mechanism. If you trust no one, and it sounds like you don't, then don't use the thing. But you must not be a customer many places, though, because I would think that you'd be willing to identify yourself to a web site in order to get a look at your stock portfolio, or the status of your new order of blowup dolls.

      As for pretending to be a 75yr old lesbian, your personal life is your business. Sounds to me like wearing a different disguise to the supermarket every week so that nobody recognizes you as a regular shopper, though. Kinda pointless. But if that's where you want to spend your time and energy, more power to ya. I'm just trying to spend mine coming up with ways that might actually benefit both people and industry. It can happen, ya know.

    10. Re:A prediction (?) about smart cards by Anonymous Coward · · Score: 0

      NOTE: This is not a personal attack. I freely concede that there are some short term benefits to be realized. I just feel _very_ strongly about the long-term implications of the tech being foisted out there, and I don't think that any of the benefits gained are great enough to balance the potential for damage.

      >More than that, they are lazy, cheap consumers. It's cost-benefit analysis. What am I giving up by having the card? What benefit does the card give me? If people perceive that the card makes life easier, they are likely to use it.

      So massive corporate profiling (sure to be transferred to the government based on a tenuous hint that a warrant _might_ be obtained) is OK as long as most of the sheeple don't care? I don't think so. Centralized, shared databases of details about everyone on the scale you're talking about is something Orwell could not even conceive.

      >If you don't want to use it, fine.

      Is it even going to be optional? That is not the way it is looking here from the trenches. I know this sounds alarmist and paranoid, but look at what's been implemented or proposed.

      1) Doubleclick/Abacus merger - Doubleclick is, of course, one of the chief minions of Satan. Abacus maintains a database of just about any catalog purchase ever made. How long before the links between surfing, purchases, and names/addresses are made? It will certainly only be as long as it takes technically, because nothing else will ever hold it up.

      2) Banking "reform" - Credit card and checking account information can now be merged with other financial information and insurance - WHETHER I WANT IT TO OR NOT. I don't care if banks own insurers and sell stocks or vice versa, but goddamit, I want control over where my personal information is sent and who sees it. I'm sure you would argue that your technology does just that, but the history is that companies get more intrusive over time. That's fine if it's the corner store because I can and do go somewhere else. It's not when there is only one bank/insurer/broker in town because it is the official government policy to allow/promote these types of mega-businesses.

      3) Surfer's license - The implications are left as an exercise to the reader.

      4) Echelon - Boy, if the TLA's could tap the three above (and they will), just think about the tax money saved by not having to build up the same infrastructure. The synergies between the police state and corporate greed are actually pretty phenomenal (for a slightly less vitriolic discussion along the same lines see Katz' latest screed).

    11. Re:A prediction (?) about smart cards by Raven667 · · Score: 1

      Oh, goody, an intelligent counter-argument instead of saying "Ooohh, SmartCard bad,bad,bad" without providing any evidence or showing any thought on the matter.

      Now, continuing, this is a great idea, one that I have had myself. When I think of this I think of FORTEZZA cards or SecurID. That is what they should be based on. They should be a repository for a strong private key, just like carrying your PGP/GPG key on a floppy. All data on the card would be encrypted and would require a passphrase from yourself to access it. Integrating this in the PalmPilot form factor with a real UI would be perfect; it would allow you to manage/edit the data as well as control ACLs on it. Similar work is being done for the Palm by GNU.

      The main idea though is that YOU would create the database on the card, YOU would control the access to the information and YOU would be able to tailor what information gets sent to who. You trust the device, not the card reader (for it can be easily subverted) and encrypt all stored and transmitted data. Ideally you would have encryption keys for each place you visit and want to exchange data with so that even the reader and any go-between doesn't see the plaintext.

      This is a Great idea!

      PS: It would also HAVE to run an Open Source, verifiably secure OS, and open, verifiably secure protocols. OpenBSD is a start.

      --
      -- Remember: Wherever you go, there you are!
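    The exchange dmorin sketches above (the site must validate itself before the card hands over anything, and only gets what it is entitled to) and the per-site keys and ACLs Raven667 asks for, worked through as an added example. This is editor-supplied illustration code, not anything from the thread or from Novell; the `SmartCard` and `WebSite` classes, the per-site shared key, the HMAC challenge-response and the PIN that stands in for an on-device UI are all assumptions of the example, and the profile is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample profile that the cardholder loaded onto the card.
PROFILE = {
    "name": "Jane Doe",
    "email": "jane@example.invalid",
    "over_21": True,
    "phone": "555-0100",
    "address": "1 Example Street",
}


class SmartCard:
    """Toy model of the card: holds the profile, one shared key and one
    attribute ACL per enrolled site, and releases nothing a site is not
    entitled to.  The PIN stands in for the on-device UI the thread asks for
    (an untrusted reader never sees it in this model)."""

    def __init__(self, profile, pin):
        self._profile = dict(profile)
        self._pin = pin
        self._sites = {}        # site_id -> {"key": bytes, "allow": set}
        self._nonce = None
        self.anonymous = False  # "anonymous mode": the card answers nobody

    def enroll(self, pin, site_id, key, allowed):
        # The cardholder decides, once, what this site may ever see.
        if pin != self._pin:
            raise PermissionError("bad PIN")
        self._sites[site_id] = {"key": bytes(key), "allow": set(allowed)}

    def challenge(self):
        # Fresh nonce per exchange: a recorded answer cannot be replayed
        # by an impersonator that does not hold the site's key.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def request(self, site_id, wanted, response):
        """The site proves itself first (HMAC over the card's nonce with the
        shared key); only then does the card return the intersection of what
        the site asked for and what the ACL allows."""
        nonce, self._nonce = self._nonce, None   # one challenge, one answer
        if self.anonymous or nonce is None or site_id not in self._sites:
            return {}
        entry = self._sites[site_id]
        expected = hmac.new(entry["key"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return {}
        return {k: self._profile[k]
                for k in wanted if k in entry["allow"] and k in self._profile}


class WebSite:
    """The other side of the exchange: knows its key, answers the challenge."""

    def __init__(self, site_id, key):
        self.site_id = site_id
        self.key = bytes(key)

    def answer(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def run_exchange(card, site, wanted):
    """Card -> site: nonce.  Site -> card: HMAC(key, nonce) plus the attribute
    list it wants.  Card -> site: entitled attributes only, or nothing."""
    nonce = card.challenge()
    return card.request(site.site_id, wanted, site.answer(nonce))


if __name__ == "__main__":
    card = SmartCard(PROFILE, pin="1234")
    key = secrets.token_bytes(32)
    card.enroll("1234", "shop.example", key, ["name", "email", "over_21"])
    shop = WebSite("shop.example", key)
    # Only name and email come back; phone and address are not in the ACL.
    print(run_exchange(card, shop, ["name", "email", "phone", "address"]))
    # An impersonator with the wrong key fails the challenge and gets {}.
    print(run_exchange(card, WebSite("shop.example", b"wrong"), ["name"]))
```

    The point Signal+11 and Raven667 make still stands against this model: the PIN check only protects the cardholder if it is entered on the card's own keypad, since a reader that sees the PIN can enroll whatever it likes.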
    12. Re:A prediction (?) about smart cards by Anonymous Coward · · Score: 0

      You sold me! If I use a smart card to authorize my doll purchases I could use strong crypto and a rolling key to authorize the purchase.

      The cashier recognized my credit card number and has been giving me dirty looks the last couple of visits. Good thing my credit card company doesn't have a separate category for blow up dolls, I would hate to see what my annual statement would look like!

    13. Re:A prediction (?) about smart cards by bushboy · · Score: 1

      Bad Idea, There's little enough privacy in the world today without adding to the problem via a smart card unit hooked up to your PC. When I go shopping in the physical world, I like to remain as anonymous as possible - if I can pay with cash, I do so, if I have to resort to my credit card, ok. Online, I feel safer typing in whatever details I feel like typing - if I want to give bogus information, I can. With a smart-card, how do I really know what information is actually being passed to a website ?

      --
      A slashdotting - you get the stick first and then the carrot !
    14. Re:A prediction (?) about smart cards by bushboy · · Score: 1

      Maybe the waiter in his favourite restaurant wrote down his credit card number on a scrap of paper and went on a massive $50 shopping spree !

      Or perhaps it was the check-out girl at his local store ?

      This is starting to get ridiculous ...

      --
      A slashdotting - you get the stick first and then the carrot !
    15. Re:A prediction (?) about smart cards by Politas · · Score: 1

      Indeed, there's no reason you can't have an "Anonymous" smart card. Something that identifies an entity, but has no way of linking that net entity with the real person using it, much the same way as a PGP key can show that the "Politas" writing this message is the same "Politas" that wrote that message last week.

      Age verification should be a simple case of going to an agency, showing some ID and receiving a digital certificate on your smart card from them. This should be able to be done without them reading any info from your card.

      As for the form factor, I think that the credit-card size is a necessary part of smart cards, otherwise they will never get widespread adoption.

      The smart card will only accept requests from a reader that you certify (via PIN/whatever). There should be some system of multiple PINs to allow progressively higher levels of trust.

      Alternatively, maybe the card could run a secure web server, and force all devices to communicate via SHTML, asking for input from user.

      I'm not a security/privacy expert, but I'm sure there must be some way to keep everyone happy.

      --

      Politas

    16. Re:A prediction (?) about smart cards by Raven667 · · Score: 1

      The problem is that you can't trust any device you plug this thing into. You can't be sure that the ATM or Kiosk that you plug this thing into isn't scamming your password/PIN even if it is on an encrypted connection to the card (it has to read keyboard input from somewhere). That means that the only way to trust the device is to have the UI on the device, anything else could be compromised, when you cannot trust the Kiosk/ATM software.

      --
      -- Remember: Wherever you go, there you are!
  25. Please dont waste time. Read this instead by Manifest · · Score: 2

    Please don't waste time. Read this article on the evils of cookies instead. At least these people know a bit about what they are talking about.

    If I am not mistaken, it talks about the security loophole that was created when GIF images were allowed to embed cookies in computers. This has been discussed on /.

    --
    ... "follow me" the wise man said, but he walked behind ...
  26. Hopefully you didn't miss the point, though by haggar · · Score: 1

    I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.


    Well, it may rub you the wrong way, but I wonder whether you are missing the most important point: there IS a technology out there that solves the problem of identifying yourself on the 'net in a secure way, giving out only the information you want and only to those you want. It's based on NDS and it's working. Novell has been developing NDS for about 10 years now, it's a proven directory solution and there are many applications already that use, plug into, distribute data through or collect data through NDS. One of them is DigitalMe, and it solves the ancient mechanism of cookies. It's a flawed mechanism for many applications, and guess what? Novell has a solution that works today (Microsoft AD anyone?) and solves the problem. Is there anything wrong with that?



    --
    Sigged!
    1. Re:Hopefully you didn't miss the point, though by swb · · Score: 1

      I like NDS, especially for managing the hordes of end-users across a zillion servers.

      But when is Novell going to finally get around to releasing a GPL-ish version of NDS that can be incorporated into Linux or other platforms in a stand-alone fashion? As long as I'm stuck running @#$%^& "Netware" OS for NDS and NDS management, it's pretty much worthless.

      And I'm talking about a full-blown NDS v8 compliant version, not that ancient 4.10 thing that Caldera sells. Yes, I know that the sell NDS for Solaris and NT, but they want a small fortune for it AND it still requires Netware running someplace to host the replicas.

    2. Re:Hopefully you didn't miss the point, though by RedX · · Score: 1

      Novell announced an NDS product at Comdex called eDirectory that is OS independent and will run on Linux. And it sells for $2/user.

    3. Re:Hopefully you didn't miss the point, though by gorilla · · Score: 2
      Speaking as someone who doesn't know much about NDS, is there anything that NDS does that LDAP doesn't?

      Given the choice between something propriatary & something open, I know which way I'd lean.

    4. Re:Hopefully you didn't miss the point, though by swb · · Score: 1

      Ah yes, another announced product that's long on promised benefits, short on details.

      The other problem is that I doubt that any version of NDS will ever be free enough to gain the kind of widespread support in free software circles to really succeed in the Linux arena.

      Maybe if Redhat bought Novell...

  27. Stolen at a restaurant? by scumdamn · · Score: 2

    Isn't it more likely that this guy paid with credit card and a waiter wrote the number down? If I were going to commit credit card fraud I'd just get a job at Red Lobster and start writing.

    1. Re:Stolen at a restaurant? by c+o+r+e · · Score: 1

      The underlying point is well taken. However, if *I* wanted to commit credit card fraud, I wouldn't want the credit card of someone dining at Red Lobster! Get a job where the patrons don't check their bills or the amounts on the menu (better yet--where the menu doesn't even have amounts!). I'd rather get numbers on cards with $50-100k limits than $500 or $5000 limits ;-)

      -core

  28. Cookies don't contain credit card info... by w3woody · · Score: 1

    Most shopping sites that I'm aware of, and most software packages that allow you to add a shopping cart to your web site, don't store the credit card info in the cookie. They store a session identifier--either a UUID or some other unique key generated by their database engine. So it's impossible for someone to lift your credit card from your machine by simply reading your cookies: they'd also have to be able to get into the shopping vendor's database and look up your credit card. At which point, they could get *everyone's* credit card.

    The only way a cookie could be used to steal from your credit card is if they copy the cookie to another machine and hit a site such as 'Amazon.com' when you have 'one-button' shopping enabled.

    I think this whole cookie scare is total nonsense--there are easier ways to steal credit cards than trying to reverse engineer site-specific database key identifiers out of a cookie file. Such as working as a waiter for a restaurant...
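    The two points w3woody makes, that a well-built shop's cookie carries only an opaque session key and that the real exposure is someone replaying that cookie from another machine, as an added example. This is editor-supplied code, not from the thread or from any shop software it mentions; the `SessionStore` class, the `session` cookie name and the sample order are assumptions of the example, and the order data is constructed. It uses the standard library's `http.cookies` to produce and parse the actual `Set-Cookie` and `Cookie` header lines, since, as OneThreeSeven notes further down, that is all a cookie is.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed: what the shop holds server-side for one customer.  None of
# this ever leaves the server; the browser only ever sees the session key.
ORDER = {"customer": "E. Schmidt", "card_number": "4111111111111111",
         "cart": ["widget"]}


class SessionStore:
    """Server-side session table keyed by an unguessable random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)     # 256 random bits, URL-safe chars
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def set_cookie_header(sid):
    """Response header sent once.  Secure keeps the key off plaintext HTTP;
    HttpOnly keeps it away from scripts in the page."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["path"] = "/"
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    return c.output(header="Set-Cookie:")


def profile_dumped_into_cookie(profile):
    """The anti-pattern Merk describes later in the thread: the whole record
    stuffed into the cookie, so it rides back and forth on every request.
    Shown only to contrast with set_cookie_header()."""
    c = SimpleCookie()
    c["profile"] = "&".join(f"{k}={v}" for k, v in profile.items())
    return c.output(header="Set-Cookie:")


def handle_request(store, cookie_header):
    """What the server sees on the next request: the Cookie header and
    nothing else.  Whoever presents a valid key gets the session, which is
    exactly why a copied cookie file plus one-click ordering is the risk."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    return store.lookup(morsel.value) if morsel is not None else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(ORDER)
    print(set_cookie_header(sid))            # no card number in here
    print(profile_dumped_into_cookie(ORDER))  # card number in the clear
    print(handle_request(store, "session=" + sid))  # replay reaches the order
```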

  29. CPUID / HostID by QZS4 · · Score: 1

    Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.

    Many boxes already have HostID numbers, but the PC world has not had this, traditionally. I have not heard any complaints from Sun users, apart from when they need to fool a license server somewhere - but in a PC a hostid is suddenly something bad? (Well, you can change the ID in a Sun, but if it's etched into the CPU it might be harder to change.)

    But what I was going to say was that it wouldn't work, since a CPUID/HostID identifies a machine, and not a user. Think about multiuser environments. Think about typical university setups, where you can sit at any one of hundreds of machines. Or when you set up individual accounts for each member of your family on your home box.

    No, we absolutely need something that follows the user, and not the machine. I don't see any better solutions than cookies, but I'm sure that there are some.

    1. Re:CPUID / HostID by Anonymous Coward · · Score: 0

      What happens if I upgrade(?) my PIII-450 to a PIII-733? Don't I now have a different CPU ID? Aren't all of my CPU ID-dependent certificates trash?

      I've tripped over this one when we had software that relied on a Sun system ID and we upgraded or had to replace a system due to a hardware failure.

      We definitely need user authentication, but how many users can remember a usefully secure code? Or keep track of a smart card?

      I suspect that human-specific identification, like finger or retinal prints (how about those without the appropriate "part"?), is closer to secure, but that whatever mechanism is widespread will attract skilled forgers.

      Personally, I make all of my online purchases with a credit card having a small enough credit line that I can afford, if necessary, to pay a maxed-out fraudulent charge. It's the same one that I use in other vulnerable (restaurant) situations.

  30. The Evil Use of Cookies by Merk · · Score: 2

    I think one of the greatest dangers of cookies is that right now they're insecure and invisible.

    I had a friend who had his browser set up to accept all cookies. I was ranting to him one day about how I hate being forced to accept cookies at some sites, and how I nearly always refuse to accept them. He decided to check out his cookie file. Guess what he found...

    Some site (I don't remember the offender) had set a cookie that contained a ridiculous amount of information about him: full name, home phone number, home address, job title, etc. Obviously he had filled out some kind of form at some point and they just dumped the info into a cookie. This meant that without his knowledge, every time he used their website, all of his personal info was being sent back and forth in plain text.

    A system that allows this kind of abuse is seriously flawed.

    I don't think it's time to rewrite the whole cookie spec -- and I don't like the alternatives to cookies either, but this current situation isn't acceptable.

    What I'd like to see is some "cookie" icon in the statusbar of your browser that's shown whenever the site you're communicating with is using cookies, and clicking on that "cookie" would give the full cookie details.

    I also think that all new browsers should have cookie filtering built in. I don't mind accepting any cookie from Slashdot.org, but I don't want to accept a single cookie from doubleclick. I'd also like to see some content based filtering available. This would allow me to refuse cookies that try to do dumb things like store my password in the cookie.

    In the mean time, I'll keep plugging Cookie Pal for Windows users. It does a great job of filtering and handling cookies, and is very unintrusive and small. I'm a satisfied user, but don't have anything to do with the company other than that.
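    The two filters Merk asks for above, a per-domain allowlist (what Junkbuster and Cookie Pal do, as Bud and nhowie describe below) and a content check that refuses cookies carrying things like a password or phone number, as an added example that works on the Netscape-format cookie file the thread talks about. This is editor-supplied code, not from any of those tools; the sample file, the allowlist and the `SENSITIVE` pattern are constructed for the example, and the format assumed is the seven tab-separated fields of a Netscape cookies.txt (domain, subdomain flag, path, secure flag, expiry, name, value).

```python
import re

# Constructed Netscape-format cookies.txt.  Fields are tab-separated:
# domain, subdomain flag, path, secure flag, expiry (unix time), name, value.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".slashdot.org\tTRUE\t/\tFALSE\t946684800\tuser\t1234::0123456789abcdef\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t2147483647\tid\tA1B2C3D4E5F6\n"
    "www.example.com\tFALSE\t/\tFALSE\t2147483647\tprofile\t"
    "name=John+Smith&phone=555-0100&password=hunter2\n"
)

FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")

# Field names that have no business riding in a cookie in the clear.
SENSITIVE = re.compile(
    r"(?i)(?:^|[&;?\s])(?:pass(?:word|wd)?|pwd|phone|ssn|card(?:no|num|number)?)=")


def parse_cookies_txt(text):
    """One dict per cookie line; comments, blank and malformed lines skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue   # malformed: skip rather than guess at the fields
        cookies.append(dict(zip(FIELDS, parts)))
    return cookies


def domain_allowed(domain, allowlist):
    """'.slashdot.org' and 'ads.slashdot.org' both match 'slashdot.org';
    'notslashdot.org' does not."""
    host = domain.lstrip(".").lower()
    return any(host == a or host.endswith("." + a) for a in allowlist)


def filter_cookies(cookies, allowlist):
    """Returns (kept, dropped); each dropped entry carries its reason."""
    kept, dropped = [], []
    for c in cookies:
        if not domain_allowed(c["domain"], allowlist):
            dropped.append((c, "domain not in allowlist"))
        elif SENSITIVE.search(c["value"]):
            dropped.append((c, "value carries a sensitive field"))
        else:
            kept.append(c)
    return kept, dropped


def write_cookies_txt(cookies):
    """Write the surviving cookies back out in the same format."""
    return "# Netscape HTTP Cookie File\n" + "".join(
        "\t".join(c[f] for f in FIELDS) + "\n" for c in cookies)


if __name__ == "__main__":
    kept, dropped = filter_cookies(parse_cookies_txt(SAMPLE_COOKIES_TXT),
                                   ["slashdot.org", "example.com"])
    for c, why in dropped:
        print(f"drop {c['domain']} {c['name']}: {why}")
    print(write_cookies_txt(kept))
```

    The content check is deliberately a blunt name-based match: a site that base64-encodes the same profile would slip past it, which is the reason Merk's "cookie icon that shows the full details" belongs in the browser rather than in a file scrubber run after the fact.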

  31. You mean, like Slashdot? by Anonymous Coward · · Score: 3
    I am not an Anonymous Coward.

    I am Bob Washburne rcwash@concentric.net

    I am a registered slashdot reader. But Slashdot refuses to accept my password even though I am looking at it on the screen.

    I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.

    Cookies are not necessary. I fill in my Nickname and Passwd on the first screen and it is brought along through the Preview and subsequent screens. This is done without a cookie, so why any cookie at all?

    I would be quite willing to enter my passwd each time I make a submission rather than leaving personal information lying around for a rogue marketing-bot to harvest.

    That is the whole purpose of a password; to authenticate the action. Storing a password defeats the entire purpose. So why have a password at all if anyone can just walk up to your box and post without it?

    I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.

    1. Re:You mean, like Slashdot? by OneThreeSeven · · Score: 1
      I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.

      I would argue that anyone who thinks cookies are some sort of security hazard doesn't know much about them. The RFC describes them as a mechanism for maintaining state across HTTP transactions. They are an HTTP header with a specific function, just like Content-type, Date, and any other header you choose to put in your requests and responses.

      There is no bogey man.

      --

      -137

    2. Re:You mean, like Slashdot? by Anonymous Coward · · Score: 0

      Yeah! I'm not an AC either, I'm Christoph...why can't I use my user ID and password if I don't accept cookies? Can't that go in the URL?

      Anyway, why don't I accept cookies? I don't believe in privacy online, I've posted my own medical information for that matter. But then I read Phillip Greenspun's explanation of how banner ads use them to track your browsing, without asking or informing you. I don't believe in privacy, but I do believe in informed consent!

      I have used Internet Explorer's "prompt" option for accepting cookies; in order to read an online article on an ad-laden page, I'm asked to accept up to a dozen cookies (without explanation as to who's sending them, what they're for, etc.). This is obviously a gross perversion of the user preferences model behind cookies. It's market research done covertly on me, without my informed consent. Which I would probably give if they asked, I just want to know what it's for. It could be MS research on what sites users of IE browse...shouldn't I be told that so I can choose not to cooperate? Is it wrong to want to say "No" to some market research and still have my shopping carts and Slashboxes? I may be wrong, but I'm committed to my point of view, so it feels very "right".

    3. Re:You mean, like Slashdot? by cybaea · · Score: 1
      I am a registered slashdot reader... I do not accept cookies...

      Interesting, I wonder how that works :-) I don't think it is possible to be a /. user without accepting cookies. Maybe that's why you can not log in?

      --
      Hi!
    4. Re:You mean, like Slashdot? by Bud · · Score: 1
      I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.

      Have you checked Junkbuster? It's a bit like a firewalling proxy. I've set it to refuse all cookies except for those emanating from slashdot.org, nytimes.com and a few other sites. It also gets rid of most advertisements.

      --Bud

  32. not caused by cookies by avdp · · Score: 2

    I could just start and speculate for hours as to how his credit card number was stolen. Maybe somebody sniffed a packet and read the card. Unlikely but technically possible. Maybe the random card generator. Maybe it's not an online problem at all. But there is one thing I am pretty sure of: regardless of how flawed the cookie system might be, whoever got his credit card number in all likelihood did not get it through a cookie!!

    What's being stored in cookies? Well, a session id. Or a user name. Or maybe even some personal info or preferences. But I have never ever seen any site storing the credit card number in a cookie! And I shop online an awful lot.

    If the credit card number was in fact lost online, and you must blame it on someone, blame it on the stupidity of this particular user. You don't send that info online in a non-encrypted format, and as a general practice you probably should not shop online at a store you don't trust (for a variety of reasons, privacy and security being only some of those reasons).

  33. I'll bet that Schmidt is lying by Anonymous Coward · · Score: 0
    . . . it's just TOO convenient for him.

    I don't believe that his card number was stolen. He's making the whole thing up as a third-rate scare tactic.

    It's just too damn cheap and easy, and frankly, it's pathetic.

  34. Junkbusters by nhowie · · Score: 1

    I love Junkbusters, it lets you specify only the domains that you trust with your cookies, and filters out the rest. If you don't like the idea of arbitrary web sites tracking your every move (the eyes, the eyes), don't like all the 'accept this cookie' windows that pop up when you have the confirm option on in Netscape, and still want /. to auto-log you in, you should check it out.

    Also, it lets me tell everyone that the web-browser I'm using is 'Flipper the web-surfing goat (C64 edition)' ;-)

    God, that sounded too much like an advert, btw you can get it from here.

  35. All Cookies -> /dev/null by mail11325 · · Score: 1

    I protect my privacy by linking my Netscape cookies files to /dev/null (the infamous bit-bucket). Netscape never knows the difference! Works great!

    I also refrain from shopping at grocery stores which encourage membership cards. I hate people keeping files on me.

    1. Re:All Cookies -> /dev/null by Epi-man · · Score: 1

      I protect my privacy by linking my Netscape cookies files to /dev/null (the infamous bit-bucket). Netscape never knows the difference!


      Well, I had never thought of doing that (being a relative newbie to Linux at home and having the powers to explore UNIX as a system), and yes, it certainly does seem to be a wonderful solution, with the small exception that here at least, each new page requires me to log in again. A small price to pay I guess! Thanks for the suggestion.

    2. Re:All Cookies -> /dev/null by KnightStalker · · Score: 1

      Better yet... delete your cookie file, then use Netscape to visit a site whose cookie you want to retain (like Slashdot). Set the permissions on your cookie file to 0400. Netscape won't overwrite it and you don't have to log back in to whatever site you've stored.

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
  36. Cookie Monster? by Chris+Burke · · Score: 2

    How tragic that the CEO of Novell has been assaulted by a plush puppet. I'm glad to hear that he came away with nothing worse than a stolen CC#. Cookie monster can be pretty vicious when he's mad.

    The big question in my mind -- Sure, Novell's new software may protect you from Cookie Monster, but can it protect you from other muppet menaces like the powerful Big Bird or Bert (who everyone knows is Evil)? The article doesn't say, and I'd have to assume not.

    Which is of course where my software comes in. Sesame Shield is released under the GPL and is easily configurable to run as a daemon that will block all Sesame Street characters, and soon Muppet Show characters as well. Don't rely on closed-source programs to protect you!

    --

    The enemies of Democracy are
    1. Re:Cookie Monster? by Stonehand · · Score: 1

      ...and upon further research, we find out that ssh really stands for Sesame Street Hell.

      Folks, don't run sshd -- it's WAY too dangerous to be r00t3d by B1g b1rD, and he and his l33t friends will probably raid ~/.netscape/cookies.

      (and let's not talk about Barney's Gateway Protocol...)

      --
      Only the dead have seen the end of war.
  37. someone tell me... by Anonymous Coward · · Score: 0

    I use Windows/IE5 (I have Linux but only a 14.4 modem, my 56k is a winmodem, and I can't get X to work right with my vid card so I don't use Linux much) ... IE stores cookies as separate files, and so far the cookies I've checked just have numbers. I want to see what's in the cookies; anyone know a cookie viewer or something that reads IE cookie files? Please help

    1. Re:someone tell me... by phil+reed · · Score: 2

      www.kburra.com has a Win95/WinNT shareware utility called Cookie Pal which will let you police and control cookies on a site-by-site basis.


      ...phil

      --
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
  38. wouldn't someone steal something MORE? by Knytefall · · Score: 1

    Assuming that SSL was in use, and the site he was at implemented some kind of expiration on the session ID stored in the cookie, the only way this hack could have occurred is if someone had actually cracked his computer to obtain his cookies file.

    Now, WHY, pray tell, would someone who broke into the CEO of Novell's computer take JUST a credit card number? I'm sure there were FAR more interesting things lying around than a cookie file. Especially if it was a Windows PC - then there's all sorts of neat things like (crackable) password lists, etc., which could probably get you into some pretty interesting places at Novell. But no, none of this was stolen.

    Hence, my bullshit meter has gone off the chart.

    1. Re:wouldn't someone steal something MORE? by BoneFlower · · Score: 1

      Oh yes, all good systems guys keep password files and other work system information on their home computers. No systems guy would leave vital access information to the corporate network on just the work computers, he needs it at home.

  39. Cookie handling in IBrowse 2 by Stephen+Williams · · Score: 4

    One of the Web browsers I use is IBrowse 2 on an Amiga. (I'm aware that I'm encouraging flames by even mentioning the Amiga here, but I'm going to take the chance :-)

    IBrowse 2's cookie handling is very good. If you elect to be asked before accepting a cookie, the request that gets popped up gives you a number of choices - accept cookie, accept cookie but don't save it, accept all cookies from this server for the rest of the session, reject cookie, reject all cookies from this server for the rest of the session. It's cool because when doubleclick.net (or whoever) sends me a cookie, I can hit "reject all". If Slashdot sends me one, I can safely hit "accept all".

    Additionally, IBrowse 2 has a "URL prefs" feature, allowing one to set per-URL preferences, including cookie handling prefs. I can therefore set the browser up to automatically reject all doubleclick.net's cookies without asking, for example (this is a fake example, as I never get anything from doubleclick.net; it's aliased to 127.0.0.1 in my hosts file ;-)

    I use Netscape 4.5 at work, and its cookie handling is primitive in comparison. Since IBrowse and Netscape are the only two browsers I use with any frequency, I don't know how IBrowse's cookie handling features compare with (for example) MSIE's.

    -Stephen

    1. Re:Cookie handling in IBrowse 2 by lordsutch · · Score: 2

      MSIE lets you assign sites to "trusted" and "restricted" zones, which is better than Netscape, but a per-URL scheme would be much nicer. Probably too late to get it into the first release of Mozilla, though it'd be a nice add-on project.

      Incidentally, I've found lynx's cookie handling fairly good; you at least have the site granularity, which is nice.

      --
      My Blog. Sela Ward can sell me long distanc
    2. Re:Cookie handling in IBrowse 2 by Anonymous Coward · · Score: 0

      Then there are all the add-in cookie handling things. I use Cookie Pal, which does all the things you mention and more, and works with not only Netscape and MSIE, but can be configured to work with any browser that pops up a screen asking you whether you want to accept or reject a cookie. Of course you have to be running Windows to use it. :)

    3. Re:Cookie handling in IBrowse 2 by Raven667 · · Score: 1

      This is very similar to the way Konqueror handles cookies. It gives you the two options of: Always/Never/Just-This-Once Accept/Reject/Ask. This works on a per domain basis, and I believe that wildcards are allowed but I don't know how far that support goes (regexp, yeah). So I can say Always-Reject-* but Always-Ask-slashdot.org, or Always-Ask-*, Always-Reject-doubleclick.net, Always-Accept-slashdot.org. The possibilities are endless.

      --
      -- Remember: Wherever you go, there you are!
  40. somebody needs to corner the aluminum foil market by jhoffmann · · Score: 1

    (or as they say in these parts al-u-min-ee-um)

    I should be putting it in my walls, on my windows, heck I should be wearing it. What, me paranoid?

    Seriously, if a cookie cost somebody their credit card number, the responsibility is on the web site, not on cookies. It was just a bit to promote their DigitalMe stuff, but in a high-tech world and as a head of a high-tech company, you shouldn't be making yourself look like an idiot. It might have sounded cool to some marketers, but it didn't come out that way.

  41. Really Secure Transactions Methods... by fuzzybunny · · Score: 1
    ...Don't store stuff on your hard drive.

    The ideal form any secure transaction takes, whether it's cash or information changing hands, is one where none of the participants really knows any more than absolutely necessary about the other parties involved.

    There are a lot of variations of this sort of scheme, usually including some sort of trusted third party or PKI (public key infrastructure), as well as any non-vulnerable local authentication storage medium. Smart cards come to mind.

    One really cool scheme I've seen involved having user info stored in a strongly encrypted form on a web page, where the user used a key exchange between his authentication info on a local chip card and a TPT to access his info automatically. Great idea, since the TPT doesn't know anything about the user's content, but just provides their half of the security info, nobody can go mucking around with it while it's inert, and the user isn't storing anything locally or in a publicly accessible format. Maybe an alternative to cookies, since the sort of info they are used for is pretty small, and thus almost instantly retrievable via the net...

    Cookies are a pretty dumb way of doing things in any case.

    --
    Cole's Law: Thinly sliced cabbage
  42. Re: are there sites that send cookies with c.c #'s by CodeShark · · Score: 3
    If there are, they'll be dead meat following the first lawsuit which tags them. Even in the initial Netscape spec, they specifically caution against using cookies to do anything much more than identifying a computer to a server, the same way /. knows "who I am" by reading an ID off of the hard drive where I am viewing the pages.

    In relation to using personal information on the net (including my e-mail address), you may notice that I did not "anti-spam" my e-mail address here on /. However, I only use that e-mail address in conjunction with a few sites, limiting the number of points from which my personal information can be derived to those sites with privacy policies that are up to spec, and saving my regular e-mail address to be given only to a much more private and personalized list of people that I am willing to receive information from. That way if there is a security problem, I know where it originated by my email address. Similarly, when I write software that uses cookies, I don't put any personal information in it. All of that type of information can and should only be kept in a back end database, well shielded from crackers, etc. For example, on one e-commerce site I designed, the cookie "knew" who you were, but in order to place a credit card order, you had to validate certain information within an encrypted page, even though the user had already "registered" their information (including the c.c. #) into the database via the web. We also included a fraud detection program designed to stop the c.c. # generators from ever being able to spoof an order. And folks, it just wasn't that hard to do!!

    I agree with previous posters. The Novell CEO was trying to sell proprietary software, and claiming to have been attacked by the "poison cookie" monster in order to do so.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  43. DigitalMe by The+Second+Horseman · · Score: 1

    In all fairness, it's actually a fairly cool idea. It was designed from the ground up to give end-users control over their own electronic identities, and control who can see and retrieve what information. And it's designed with multiple profiles for each user in mind. All the information is encrypted and stored in NDS on Netware, Solaris, NT or Linux (current platforms). The idea is that user info would be stored in a lock-box that you have to give someone permission to retrieve. The NDS admin can't see the content, assuming there aren't any encryption problems. I agree that the article is a little goofy, and it's a stretch for him to make the cookie claim, but it doesn't detract from the overall idea, which I suspect a lot of companies aren't going to like because it puts the customer in control.

    1. Re:DigitalMe by demon · · Score: 1
      Oh yes. These kinds of things are always lovely ideas. They look great on paper. But you have other considerations:
      • Encrypted on the server, huh? If it can be encrypted, it can be decrypted too - and if it HAS to be decrypted to be used, the key has to be SOMEWHERE, SOMETIME. If someone managed to crack the central server, they could easily harvest (theoretically) MASSIVE amounts of personal information about a lot of people.
      • Now instead of having to have separate user ID/password or similar combinations, you only have one for everything - oh yes, that's SO much better. And users are going to magically start picking really good passwords too - yea right. Lovely idea, but if someone gets that one user ID/password pair, they can traipse about, pretending to be that person, buying goods/services in their name, not at just ONE place, but ANYWHERE that uses this service!

      Like I said - looks good on paper, but in practice, it just makes it easier for those who would misuse networked systems and electronic commerce to do so.

      That's the trouble with convenience - makes things more convenient for the good guys AND the bad guys!
      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  44. Eric Schmidt: BceOFH? by Effugas · · Score: 4

    A user rings

    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"


    I'm feeling very uncomfortable here. I mean...I've grown up worshipping the BOFH...and now...what doth my eyes detect, but...

    A Bastard Chief Executive Operator From Hell?

    You know, some strange part of me wants to see this as a compliment.

    The odds that Mr. Schmidt purchased something from such a fly-by-night operation that the credit card number was embedded in the cookie are so low that it stretches the imagination beyond repair to consider the idea that that same operation would ever have the technical desire or even knowledge to use Novell's new DigitalMe software!

    Of course, he could have just been tricked by a *real* BOFH... "GEEK! HOW DID MY CREDIT CARD NUMBER GET TAKEN!" "Mmmm. Cookie." "I knew those things were trouble!" "Mmm. Oreo. Chips Ahoy. Yum."

    Seriously, there's a gigantic amount of irony embedded in Novell proposing that their DigitalMe system would improve consumer privacy. Consider: Most sites that require state don't require your identity, pretty much because it takes time to get somebody to reveal who they are, and attention spans are small. Look how much traffic The New York Times loses from people too lazy to even lie on a form--MTV may have done more for consumer privacy than any other company in history.

    Novell's DigitalMe changes that. Assuming the infrastructure is such that any site that wants to do trustable-state transactions(which is really what Schmidt and Novell is trying to sell) actually has enough DigitalMe access to not have to worry about Yet Another Single Point of Failure, DigitalMe lets the user disclose every piece of information the user could possibly expose in the click of a "OK, tell 'em whatever they want to know."

    Heh, Novell--Suddenly everyone's finding out a hell of alot more about you!

    And the worst part? Unlike that paltry $50 liability had, you'll never know what people are doing with your personal information. I find it interesting that in a place that espouses freedom and individuality so much, people don't own their identities.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  45. What about encrypted cookies? by sterno · · Score: 2
    If secure data is being stored in the cookie, why not encrypt it? The server can have the keys to encrypt and decrypt the contents of the cookie. Then if somebody gets your cookie file they still have to crack the encryption of the cookie itself.

    The only potential issue I can see with this is the possibility that the limited size of the cookies may make decent grade encryption too big. I'm not certain though.

    Personally I like the use of cookies as a session token for server-side session management. The only thing stored on the client is a one-use session ID which expires. Thus, even if somebody could get your cookie file, they'd have to take the session ID and use it within say 15 minutes, otherwise it would be totally useless. To further prevent fraud, you can link the session ID with the IP address, which eliminates all but the most complex hijackings that I can think of.

    --
    This sig has been temporarily disconnected or is no longer in service
  46. Manage Your Cookies by Duxup · · Score: 2

    I use a program called At Guard to deal with cookies. It does not just block those I do not want, but also allows me (upon visiting a site for the first time) to accept cookies from sites I wish to use them on (i.e. Slashdot.org). The program also has some nice firewall and ad blocking features.
    http://www.atguard.com/

  47. Re:WWWWWWWWWWWWOOOOOOOOOHHHHHHHOOOOOOOOO!!!!!!!!!! by Anonymous Coward · · Score: 0

    NO!

    TEH i5 t3|-| l33t sp3lling of THE

    BY SAYING THIS YOU PROVE U R N0T 31337 LIEK ME!

  48. Comment removed by account_deleted · · Score: 3

    Comment removed based on user account deletion

  49. Session ID URLs /are/ stored on your drive. by plumpy · · Score: 0

    I've read that argument on the mod_perl list before (that session IDs are better because they aren't stored on your drive), but it just isn't true. Netscape, at least, stores every URL you visit in its history file. I don't know about IE.

    So I think they're worse, personally. You can make decently secure cookies (i.e. encode the time and the IP address in the cookie with an MD5 hash, so they only last an hour and only work from YOUR computer, otherwise you have to log in again)

    1. Re:Session ID URLs /are/ stored on your drive. by BoneFlower · · Score: 1

      The history file can be cleared, and I think it can be turned off; I'm not sure if it can be or how to do it. Just clear history when you close your browser. I know for sure IE4 for Windows lets you; I think it will even do that automatically if you want.

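The scheme plumpy describes above (time and address encoded into the cookie with a hash, so it lasts an hour and only works from the issuing machine), together with sterno's earlier point about encrypting or signing cookie contents on the server side, as an added example that is not code from either post. One change from plumpy's wording: it uses a keyed HMAC rather than a bare MD5, because a hash that needs no secret can be recomputed by anyone who edits the cookie. SERVER_KEY, the user names and the IP addresses are constructed values.

```python
"""Signed, time- and address-bound stateless session cookie (added example).
Nothing here is stored on the server; the cookie carries its own proof of
authenticity, and a copied cookie file is useless once it expires or when
presented from another address.  SERVER_KEY and all sample values are
constructed for illustration."""
import base64
import hashlib
import hmac
import time
from typing import Optional

SERVER_KEY = b"constructed-server-secret-replace-me"  # held only on the server
LIFETIME = 60 * 60                                     # "only last an hour"


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_cookie(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Cookie value = b64(user|expiry|ip) '.' b64(HMAC over that payload)."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + LIFETIME}|{client_ip}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(payload)).decode())


def check_cookie(value: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name only if the MAC verifies, the cookie is unexpired
    and it arrives from the address it was issued to; otherwise None, which
    is where the site asks the visitor to log in again."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:            # malformed or non-base64 input
        return None
    # Authenticity first, in constant time: no payload field is trusted
    # until the MAC has been verified.
    if not hmac.compare_digest(tag, _mac(payload)):
        return None
    user, expiry, ip = payload.decode().rsplit("|", 2)
    if now >= int(expiry):
        return None               # lifted from an old cookie file: expired
    if ip != client_ip:
        return None               # "only work from YOUR computer"
    return user
```

Binding to the client address is the trade-off sterno mentions: it defeats a cookie replayed from elsewhere, but users whose address changes mid-session (dial-up reconnects, rotating proxies) get logged out and must sign in again.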
  50. Rejecting the Cookie Monster by Anonymous Coward · · Score: 0

    I never really was a big fan of the cookie monster, and that's probably why it took me so long to appreciate death metal. I used to completely hate cookie monster vocals altogether, but recently I've had to grudgingly admit that some of the Gothenburg stuff like In Flames is actually pretty damn good. And I also recently heard Death's "The South of Perseverence" and was amazed.

    So I won't completely condemn the cookie monster. But I still prefer clean vocals, like the immensely talented Warrel Dane. (I'm currently on a Sanctuary/Nevermore binge, and just can't get enough of Warrel.) And also Bruce Dickinson, Ralf Scheepers, Roy Khan, etc. These guys are great singers.

    (Geoff Tate used to be good too, but I recently saw him on concert and I have to say that the man has just about lost it. On one hand, I was very glad that they played many songs from Operation:Mindcrime, but on the other hand, it exposed Tate's weaknesses, because he didn't sound anywhere near as good as the old recording.)

    Look at Control Denied vs. Death. It's basically the same band, but with the cookie monster replaced with a real singer, and it just completely kicks ass. I hope Chuck Shuldiner realizes what a great thing he has going there.

    So what am I trying to say? I guess I'm saying that the cookie monster doesn't necessarily ruin a band, but replacing him with a singer will almost certainly result in an improvement. I wonder what In Flames would be like if they got a power metal singer.

    Wait a minute, you mean this article isn't about the cookie monster in a metal band? Oh, it's in reference to some internet thing. Oh. Never mind.

    1. Re:Rejecting the Cookie Monster by Anonymous Coward · · Score: 0

      Er, 'South of Perseverence'? I meant 'Sound of Perseverence' of course. How embarrassing.

  51. One flaw in your logic by jjupin · · Score: 1

    You pointed out the "Oops" if you bookmark a session. Doesn't matter if they do. The sessions (at least from a Java perspective) time out - so the session logic should send back an "invalid session" response page. That's one reason why you should not bookmark the page. peace. JOe...

  52. Sad to see, really... by abram_fettig · · Score: 4
    This kind of blatant FUD seems like sour grapes to me:
    "Maybe my company hasn't proven itself to be a major force in the internet, but that's only because we didn't want to be anyway! The internet runs on BAD TECHNOLOGY! Sure, e-commerce has exploded in the past two years, but everyone buying things online is a FOOL! How childish of all of you for thinking that you could implement key internet standards without Novell! All you web developers should have been patient enough to wait for us!"

    "That's OK though, we forgive you. And what's more, we have lovingly designed a system that will eliminate those pesky security headaches forever. Just sign up for our new INSTA-SECURE service and we'll take care of all your problems! For just a small monthly fee, we'll store all your customer's secure data on OUR server! To sign up, visit our secure site NOW! Just make sure that you enable cookies first..."

    Perhaps you think I'm kidding with that last "enable cookies" comment. But I'm not! The following was cut-and-pasted from the shop.novell.com website just moments ago:
    Warning
    It has been determined that you have disabled cookies in your browser. ShopNovell requires cookies be enabled before you continue. For more information on this subject, please see Store Policies at shop.novell.com/shopnovell/help.html
  53. Excuse Server (was Re:Eric Schmidt: BceOFH?) by Jeff+Ballard · · Score: 1
    ...I look up today's excuse...

    Offtopic slightly, I know, but here's the shameless plug, and pointer, to the BOFH Excuse server.

    Cheers.

    --
    Good Fast Cheap. Pick any two.
  54. cold fusion cookies by zulubeta · · Score: 1

    Cold Fusion (by Allaire) lets you designate the life of a cookie, so it will either expire after a predetermined time, or as soon as your browser closes.

    1. Re:cold fusion cookies by donarb · · Score: 1

      Duh. All cookies have expiration dates. This is part of the Netscape cookie spec, it has nothing to do with Cold Fusion.

  55. An alternate method of session tracking by umoto · · Score: 2

    When I started writing my own HTTP server I decided to try a new way of keeping sessions without using cookies. URL's looked like this:

    http://www.wherever.com/ss.asdf98cs/some/path/file.html

    I tested it for months. Pros:

    - No cookies at all.
    - Very reliable. Session state is retained without problems.
    - Works even in Lynx.

    Cons:

    - Search engines record the URL with the session ID. Although the session ID is invalid after only a short time, it's quite ugly.
    - When people would try to tell each other what URL to visit, they would try to pronounce the session ID.
    - Absolute links always cause the browser to ignore the ID. Solution: dynamic HTML or no absolute links.
    - The browser reveals the session ID to other sites when the user follows a link there. The ID is even recorded in the referrer log.
    - Browser redirects are required. However, cookie solutions often face the same problem.

    Eventually, I decided that cookies were a better solution for our purposes and switched over.

    One thing that people need to understand, however, is that there are cookies that never make it to the user's hard drive. It puzzles me that browser makers put all cookies in the same category. The Best Way, at this time, to keep session state is to send a cookie to the user's browser that is never stored anywhere but in memory.

  56. Counter-rant by Anonymous Coward · · Score: 0
    CmdrTaco's rant had a few substantial mistakes that are worth clearing up:

    Most systems store them in a readable format on your harddrive. Yeah, that kinda sucks.

    The storage has to be plaintext-equivalent, if not actually plaintext. What should browsers do, xor your cookie with susageP the way WinCE does with passwords?

    Someday all net transmissions will be encrypted anyway.

    Even discounting the substantial performance and political problems that stand in the way of that, that will still never happen. There's no reason to encrypt all communications, and it's not even technically possible in all cases.

    Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.

    It would work for everyone with a Pentium-III and an OS/browser combination that is aware of it. As long as only one user ever uses the computer. The processor-ID scheme is flawed even if you ignore privacy problems altogether.

    Some sort of third party big brother handling authentication.

    On that, we agree. Uh, what, so I'm going to trust Novell with all of my information?

    Now, what is really wrong with cookies. They're a substantial invasion of privacy, and they're being used to establish local and global click-trails. Allowing cookies only from the same site as the current page alleviates the problem sort of. Using Junkbuster can solve it entirely (and help you block ad banners!).

    And what's really wrong with the Schmidt and most of the other people who whine about the insecurity of cookies: they don't get it. Odds are that his credit card number was not stored in the cookie. Even if it was, someone who gets access to arbitrary files on his computer can do a lot worse than steal one credit card number. People blame cookies when the real culprit is One-Click Shopping (patented!) and its ilk, which make a cookie a credit-card equivalent. Dumb, dumb -- you need per-session state for shopping carts and permanent state for preferences, but using permanent state for shopping carts is asking for trouble. Hooray for Amazon.

    And hooray for the Internet Junkbuster.

    1. Re:Counter-rant by Anonymous Coward · · Score: 0

      That was a damn good response. Thank you. You ought to be moderated way up, but you won't be.

      I'm frankly shocked by all of this *support* which cookies are receiving here. Is everyone *that* in awe of CmdrTaco that they feel the need to support even his more obviously incorrect statements?

      Cookies are plain BAD. And while the Internet does not, by and large, run on bad technology, the World Wide Web certainly does (don't confuse the two; I hate that). HTTP is a BAD protocol (it even has a spelling mistake; what the hell is a "referer," anyway?) Cookies are a BAD addition to it. Web browsers are some of the worst-engineered pieces of software I have *ever* seen. I work for a company whose entire business is a web-based application; I *know* what I am talking about,

  57. Cookies do not exist!! by zCyl · · Score: 1

    rm ~/.netscape/cookies; ln -s /dev/null ~/.netscape/cookies


  58. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  59. What are the odds? by KFury · · Score: 1

    Visa and MasterCard reiterate every quarter that neither one has traced a single instance of credit card fraud to online interception or acquisition of a credit card number.

    Wow, what are the odds that the first guy it happens to is Novell's CEO? It's a good thing he has a plan to make sure it doesn't happen to anyone else! Phew!

    Sounds to me like the second case of stealing money over the net is being propagated by Eric Schmidt himself!

    Kevin Fox
    www.fury.com

  60. Third party authentication by functor · · Score: 1

    Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.


    It's a pretty well-accepted fact today that trusting the end user to keep his/her keys and identification information is a fallacy. Such systems are securable but not secure, since you can expect most people to be careless, and occasionally, for instance, leave themselves logged in, or in the case of strictly single-user operating systems like DOS and non-NT Windows, one can just turn the computer on and assume the identity of the person.

    This means that there has to be a mechanism by which the server can know who you really are, without trusting you to keep your key or identification information lying around easily accessible through the computer. (This is still not failsafe, because, in the case of password-based authentication, you might still do something stupid like tape your password to your monitor, or keep it lying around . . . the possibilities are endless, and worsen with each additional secret key one has to keep.) One fairly elegant solution is to have a trusted third party, who you can sue if your information is divulged, etc. As long as you can put the blame on them after the fact, it will be a reasonable deterrent for them preventing them from being dishonest.

    The reason for having a trusted third party is that neither side needs to be suspicious of the other side -- the client goes to the third party to find out how to talk to the other side, and the fact that the other side can understand our end of communication and we can understand the other end means that the connection is secured.

    Another advantage is that the number of times the shared secret (or shared key) is used can be minimized -- a new temporary session key based on the nonce (a temporary, session-specific quantity calculated to prevent replay attacks) can be newly computed and passed to the client and the server, and thrown away later -- so that the more long-lived key -- such as a password, or principal-auth server key, or auth-server-to-service key -- have a minimal chance of being compromised.

    So just because an individual is paranoid and can guarantee that he or she will never compromise security by leaving their account wide open for anyone to access, does not make this true in general. Most people are not bothered as much about security and secure transactions to keep their cookies inaccessible by an attacker. So for the general case, it is better to opt for a trusted third party, where the keyword is trust. Perhaps additional legislation and additional penalties would help to enforce this trust.
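The trusted-third-party arrangement functor sketches above (each party shares one long-lived secret with the authentication server, a nonce guards against replay, and a fresh session key is handed to both sides and thrown away afterwards) is essentially the Kerberos model. Below is an added example of that exchange with both sides' messages, not code from the post and not Novell's DigitalMe. The toy cipher (HMAC-SHA256 keystream plus an HMAC tag) stands in for a real authenticated cipher such as AES-GCM, and every name, key and lifetime is constructed.

```python
"""Kerberos-style session key distribution via a trusted third party
(added example).  The AS holds everyone's long-lived key; per session it
mints a fresh key, returns it to the client with the client's nonce, and
issues a ticket the client cannot open but the service can.  Constructed
names/keys; toy cipher stands in for a real AEAD."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TICKET_LIFETIME = 300   # seconds a ticket is honoured (constructed)
SKEW = 60               # tolerated clock difference for the authenticator


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


# Long-lived secrets: each known to its owner and to the AS, nobody else.
AS_KEYS: Dict[str, bytes] = {
    "alice": hashlib.sha256(b"alice-password").digest(),  # password-derived
    "shop": os.urandom(32),                                # service key
}


def as_issue(client: str, service: str, nonce: bytes, now: float) -> Tuple[bytes, bytes]:
    """AS step: mint a session key; return (reply for client, ticket for service)."""
    k_session = os.urandom(32)
    reply = seal(AS_KEYS[client], k_session + nonce + service.encode())
    expiry = int(now) + TICKET_LIFETIME
    ticket = seal(AS_KEYS[service], k_session + expiry.to_bytes(8, "big") + client.encode())
    return reply, ticket


def client_open_reply(client: str, reply: bytes, nonce: bytes, service: str) -> Optional[bytes]:
    """Client step: recover the session key; the echoed nonce rejects replays."""
    plain = unseal(AS_KEYS[client], reply)
    if plain is None or plain[32:48] != nonce or plain[48:] != service.encode():
        return None
    return plain[:32]


def service_accept(service: str, ticket: bytes, authenticator: bytes, now: float) -> Optional[str]:
    """Service step: open the ticket with its own key, then require proof the
    presenter holds the session key (a fresh timestamp sealed under it)."""
    plain = unseal(AS_KEYS[service], ticket)
    if plain is None:
        return None
    k_session, expiry = plain[:32], int.from_bytes(plain[32:40], "big")
    if now >= expiry:
        return None
    stamp = unseal(k_session, authenticator)
    if stamp is None or abs(int.from_bytes(stamp, "big") - int(now)) > SKEW:
        return None
    return plain[40:].decode()


def run_exchange(now: float) -> Optional[str]:
    """Full round trip: client <-> AS, then client -> service with ticket."""
    nonce = os.urandom(16)
    reply, ticket = as_issue("alice", "shop", nonce, now)
    k = client_open_reply("alice", reply, nonce, "shop")
    if k is None:
        return None
    return service_accept("shop", ticket, seal(k, int(now).to_bytes(8, "big")), now)
```

The password-derived key is used exactly once per session, to open the AS reply; everything after that runs under a throwaway session key, which is the "minimal chance of being compromised" property the post describes. The service never learns the client's password, and the client never learns the service's key.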
  61. Absolutely by Anonymous Coward · · Score: 0

    You're absolutely right. When programming pages, you don't send clear text to cookies. Instead, you generate some random string as a cookie, and store the info on the server. Then, only the server has the data, and the server can match up the cookie with the data. Kids, stop using Frontpage to write web sites.

  62. Cookies by Anonymous Coward · · Score: 0

    The biggest problem with cookies is places like doubleclick.net and imgis.com who, because people stick banner ads that go to their server, can track people across sites. There are four solutions to this problem. First is to have the web browser ask if you want to accept a cookie. Most tend to spam that dialog per page, so clicking 'no' is a time-waste. Second is disabling cookies. Then, a lot of functionality is lost. Third is adding all the Big Brother sites into your /etc/hosts and aliasing them to your loopback adapter. And fourth (if you are on win32) is using a cookie munch program.

    To heck with all that. Konqueror has a very elegant solution to the problem. I just wish it offered to allow selected Javascript commands to be executed, others ignored (such as popups if the site is some freeweb thing.) However, having the ability to not show your personal life to people who sell this info to anyone is great, anyway.

  63. Guessing CC numbers is easier than you think... by john@iastate.edu · · Score: 2
    First, you don't have to throw 10^16 numbers at a CC checker to get a valid one. Look at the first 4 digits, use them. Then make up digits for the rest such that all the digits match the checksum. The checksum is supposed to catch typos and transpositions and such, but it is pretty lame...


    #include <stdlib.h>   /* for NULL */

    int luhn(char *inp);  /* forward declaration so luhn_ok can call it */

    /* Returns nonzero when the Luhn check digit of inp is valid. */
    int luhn_ok(char *inp)
    {
        return ((luhn(inp) % 10) == 0);
    }

    /*
     * Luhn sum of the digits in inp, scanning from the right: every second
     * digit (starting with the rightmost) is taken as-is, the others are
     * doubled with the digits of the product summed (the x[1] row).
     * Non-digit characters such as spaces or dashes are skipped.
     * Returns -1 for a NULL or empty string, which luhn_ok treats as invalid.
     */
    int luhn(char *inp)
    {
        static int x[2][10] = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9},
                               {0, 2, 4, 6, 8, 1, 3, 5, 7, 9}};
        char *p;
        int s = 0;
        int sum = 0;
        char c;

        if ((inp == NULL) || (*inp == '\0')) return -1; /* bite me, doughboy! */
        for (p = inp; *p != '\0'; ++p) {}       /* find the end of the string */
        do {
            c = *--p;
            if ((c < '0') || (c > '9')) continue;   /* skip separators */
            sum += x[s][c - '0'];
            s ^= 1;
        } while (p != inp);
        return sum;
    }

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  64. URL rewriting by TurkishGeek · · Score: 1

    You probably already know that this method is called "URL rewriting"; and comes standard with many server-side programming technologies, Java servlets come to mind. Of course, it probably would not be a problem to implement them with any good server and server-side programming technology combination. I agree with your points, and the pros and cons of the technology probably could not be summarized better.

    I don't really understand all the negative publicity about cookies. URL rewriting is an alternative when session information is kept only for a short time, and there is no reliable way of keeping persistent state information on the client's browser other than cookies. I believe it's possible to keep temporary session state using cookies set to expire in a very short time, but there is still a need for cookies for keeping persistent state.
    --

    BluetoothCentral.com
    A site for everything Bluetooth. Coming in January 2000.

    --
    Zigbee Central: A Zigbee weblog
  65. Controlling information flow with the browser by Anonymous Coward · · Score: 0

    Since the browser controls the flow of information in and out of the machine, and there are open source browsers available, anyone who really wants to should be able to create a browser which responds to remote information requests in whatever way he wishes. This makes all sorts of cookie management schemes possible. You might do something simple such as accepting cookies only from certain preselected sites, or you might do something more complex such as putting together different types of replies for different types of information requests. You could even have the browser lie by pretending to save cookies when it really isn't and sending back fake information when the cookie is requested. This would be useful for accessing sites which require cookies to be enabled, but without actually giving away any real information.

    Companies aren't going to do anything to protect the privacy of the individual; it's not in their economic interest. Politicians aren't likely to be of much help, either, since corporations have a lot of political power while individuals have a great deal of difficulty organizing around a cause. So the only practical situation is for web users to take action on their own to screw up the information-gathering technologies and make them useless. Modifying the browser is one such approach.

    (Another would be to write a worm to hunt down information about yourself and erase it, but that would get you thrown in jail.)

    --- Brian

  66. Re: fortunes by GeorgeH · · Score: 1

    I'm pretty sure that those fortunes come from Zippy the Pinhead.

    #ifndef disclaimer
    I'm not humor impaired, I realize that Signal 11 doesn't actually claim to write those fortunes, I'm just trying to make sure that everyone enjoys the wit and surrealism that is Zippy.
    #endif

    --
    Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
  67. The Real Deal? by Anonymous Coward · · Score: 0

    Free Advertisement. Novell's CEO has more money than I will ever see? So why's he all cranky about 50 bucks? He's not. He just wants to sell you something.

  68. Guessed! by Anonymous Coward · · Score: 0

    It's so darn easy to see that he's totally fibbing and setting up his excuse ("well, I said I wasn't sure"). Give me a break. It was almost certainly guessed - or stolen from the trash. You'd probably add more security to your credit cards if you shredded your paper trash than if you stopped using cc's on the web altogether. Anyone with any sense will get not just expiration dates, but zip codes as well. Without a billing address you are SOL with the CC companies if anyone challenges it. The burden of proof is on the vendor, and those $25 chargebacks add up.

  69. Credit card facts, not fiction by Anonymous Coward · · Score: 1
    Sorry, this has all the makings of a convenient LIE to push Novell's technology, made up by a CEO. I work in ecommerce and have devised and implemented our fraud-protection system. We do over $2 million of business per year, and we ship all product over the internet (i.e. no physical product delivery where we get an address). We also process all our own credit cards (i.e. straight to FirstUSA/Paymentech, not through a CyberCash-type intermediary).

    Listen up to some interesting facts:

    1. Nobody can buy squat unless they AT LEAST know the zip code of the card's billing address. If we wanted to, we could verify all the way down to the street address, but too many people mis-type that info and we'd lose too many sales. Whether to check address, and to what degree (zip, full address, etc.) is up to the vendor.
    2. It is true that MANY credit card verification services don't care about the expiration date.
    3. There is NO $50 liability to consumers unless there is a CARD IMAGE MADE at the time of purchase (this is where Schmidt gets caught in the lie...anyone who has had their CC number used in phone/internet fraud would know there's no consumer liability). No card image = vendor pays 100% of the cost. That means if you snag a fresh card number from the web, get Dell to ship you a Xeon, and you take off with it, DELL gets stiffed. Not Visa, not the cardholder.
    4. Visa/MC/Amex don't give a damn about catching online fraud, because it doesn't cost them a penny (except for processing card cancellations and issuing replacements). They won't even take information to help catch the crooks. Case in point: In our business (long-distance telephony) we collect origination numbers and destination numbers of all calls, for billing/rating purposes. We can EASILY provide Visa/MC with telephone numbers and times used by the thieves. We also know IP addresses (sometimes useful) and email addresses (seldom useful). We let them know this, and they HAVE NO INTEREST in the information. In the words of one of their reps, "If nobody's dead, we're not going after them."

      NB: We DO, however, work with the FBI and local police and have had some success, but it's expensive to pursue.

    5. If a vendor's percentage of chargebacks (i.e. users complain to the credit card company that charges are invalid) exceeds about 5% depending on the vendor, the fines range from $10,000/month to over $100,000/month, increasing for each consecutive month that the chargebacks are over the limit. Hence, if you have a complaint take it up first with the vendor, to save him some bucks. After all, he doesn't want the fraud either.

    To summarize:
    (1) You're FULLY protected when you use your card online.
    (2) Visa/MC/Amex don't care about online fraud, because the more there is, the more penalties they collect from vendors.
    (3) When possible, let the vendor know you've been robbed, so they will reverse the charges. Then call the credit card company to cancel the card.

    Reply to fraudchaserAnyProblems@hotmail.com without AnyProblems. Humans, you know what I mean!

  70. Does this Eric Schmidt guy take us for idiots?? by Travoltus · · Score: 1


    I mean, he says he has no idea how his credit card was really stolen, picks the most unlikely suspect in the world (cookies), and then turns right around and markets his own 'alternative' to cookies.

    Sup wid dat man?

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
    1. Re:Does this Eric Schmidt guy take us for idiots?? by demon · · Score: 1

      Well, it would certainly seem so. At least, it smells that way to ME.

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  71. Newest first! by Hermelin · · Score: 0

    Instead of oldest first.

    You can just skip the usually long first post thread and read the normal stuff which comes in later.

    You can also moderate the new ones, which no one seems to do as much as the first posts.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it" - F. Voltaire.
  72. one way of dealing with cookies by alizard · · Score: 2
    Replace the COOKIES.DAT file in Netscape or Opera with a COOKIES.DAT directory.

    Tell your browser to accept all cookies. Did this several months ago with no problems.

    There's probably an equivalent for MSIE, but since I don't use it, I don't know what it is.
    y2k info - http://www.ecis.com/~alizard/y2k.html

  73. Excuse Generator by KlomDark · · Score: 1

    Has anybody ever actually made an excuse generator? That would kick ass! :)

  74. The URL is the place for state information by Anonymous Coward · · Score: 0

    I don't do cookies either. I have set up a simple web site for a free Esperanto course. I ask participants to submit the minimum amount of information, promise to keep it absolutely confidential and keep the user ID in a URL.

    To avoid the URL method with cookies is a cheap excuse at least for sites like Slashdot.

    Yeah, URLs can be bookmarked but the act of bookmarking is very visible to the user. In fact, I very much like having personal URLs instead of personalized URLs.

    Marko

  75. An important point buried in BS? by unDees · · Score: 2
    The article sure looked like a shameless plug to me. And sure, many people have posted comments to the effect that users have gotta store their preferences somewhere, BUT:

    I've seen poor implementation of cookies lead to server B looking at cookies that had been set and should only have been readable from server A. I've gotten spam because of it. Blame the Webmasters? Sure, but I'll stick to blaming the browsers. They ought to have more fine-grained control over cookies. Why, even IE4 (*suppresses gag reflex*), on which I am typing this post, only offers "cookies on" or "cookies off." What about "prohibit cookies from server foo.bar.com" or "foo.bar.com can only read foo.bar.com's cookies?" Then, the users who still wanted loads of customizable preferences could leave everything on and not worry about it, while people like me could turn on just enough cookies to keep our favorite tech support sites from barfing in a cookie-less environment.

    Hope some browser writer is listening somewhere (or better, a knowledgeable user of an existing browser I don't know about).

    Bye all....
    --unDees

    --
    "I call a baby goat a 'goatse.'" -- my non-Internet-savvy 6-year-old stepdaughter
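Comment 65 (a browser that decides per site which cookies to keep and what to send back) and comment 75 (rules like "foo.bar.com can only read foo.bar.com's cookies") describe a per-site cookie policy. The following is an added example written for this page, not code from the thread or from any browser. It assumes a simplified Set-Cookie syntax ("name=value; Domain=...; ..."), the domain-matching rule of RFC 6265 section 5.1.3 (the host equals the domain, or ends in "." plus the domain), and approximates "same site" as "same last two DNS labels" where a real browser would consult the public-suffix list. It goes a little beyond the posts by also handling the third-party case from comment 62: a banner image fetched from another site while viewing a page.

```python
"""Per-site cookie policy: a small cookie jar that enforces domain matching,
a block list, and an optional first-party-only rule (added example)."""
from typing import Dict, List, Optional, Tuple


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: exact match, or host is a subdomain of domain."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def site_of(host: str) -> str:
    """Registrable-domain approximation: the last two labels (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class Cookie:
    def __init__(self, name: str, value: str, domain: str, host_only: bool):
        self.name = name
        self.value = value
        self.domain = domain        # domain the cookie will be sent to
        self.host_only = host_only  # True when no Domain attribute was given


def parse_set_cookie(header: str, response_host: str) -> Optional[Cookie]:
    """Parse a Set-Cookie value. Returns None when the Domain attribute names a
    domain the responding host is not part of: a server may only set cookies
    for its own domain or a parent of it, never for an unrelated site."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        return None
    name, value = parts[0].split("=", 1)
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    if not domain:
        return Cookie(name.strip(), value.strip(), response_host.lower(), True)
    if not domain_matches(response_host, domain):
        return None
    return Cookie(name.strip(), value.strip(), domain, False)


class CookieJar:
    """Jar that decides per site whether to store and whether to send cookies."""

    def __init__(self, blocked: Tuple[str, ...] = (), first_party_only: bool = False):
        self.blocked = tuple(b.lower() for b in blocked)
        self.first_party_only = first_party_only
        self.cookies: Dict[Tuple[str, str], Cookie] = {}

    def receive(self, header: str, response_host: str, page_host: str) -> bool:
        """Store the cookie from a response if policy allows; True when stored.
        page_host is the host of the page being viewed, so a banner image
        fetched from another site counts as third party."""
        cookie = parse_set_cookie(header, response_host)
        if cookie is None:
            return False
        if any(domain_matches(response_host, b) for b in self.blocked):
            return False
        if self.first_party_only and site_of(response_host) != site_of(page_host):
            return False
        self.cookies[(cookie.domain, cookie.name)] = cookie
        return True

    def send(self, request_host: str) -> List[str]:
        """Cookies to attach to a request: host-only cookies go to their exact
        host, domain cookies to that domain and its subdomains, nothing else."""
        out = []
        for cookie in self.cookies.values():
            if cookie.host_only:
                ok = request_host.lower() == cookie.domain
            else:
                ok = domain_matches(request_host, cookie.domain)
            if ok:
                out.append("%s=%s" % (cookie.name, cookie.value))
        return sorted(out)
```

With a default `CookieJar()` the shop's session cookie and the banner server's tracking cookie are both stored, but the tracking cookie is never sent to the shop because its domain does not match; with `CookieJar(first_party_only=True)` or `CookieJar(blocked=["tracker-example.test"])` the tracking cookie is not stored at all. The host names used in the checks are constructed examples.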
  76. Cookies DO need fixing by Anonymous Coward · · Score: 0

    Everyone's posting about how terrible the Novell DigitalMe hype is, and that we should all be happy with our cookies. Cookies ARE used to link information together to violate your privacy. They also have many legitimate uses, as people have pointed out. I think we do need a better way to manage cookies. DigitalMe is a radical solution, but I don't think the idea of returning control over personal information to users is a bad idea. The only way to be completely safe right now is to comb through your cookies between visits to sites and weed out all the cookies you didn't authorize, or not use cookies at all and miss out on the benefits. Better solutions are possible, and I'm not upset with Novell for working on DigitalMe.

  77. CORBA or RMI won't help by Krollekop · · Score: 1


    Using RMI/IIOP, RMI/JRMP, pure CORBA or any fancy protocol will not bring any new value in this case.

    First of all, with those protocols, you will have to write Java applets that use complex tricks to pass through firewalls, something pure HTTP does very easily.

    Then, you will still be stuck with the same problem on the client machine: how do you store the state information between two different browser sessions? Your applet will have to ask for access to your hard-drive, and this implies pop-up windows, certificates and a lot of faith and trust from the user.

    Optionally, the applet could upload everything to the server before exiting, so that the info is stored on the server-side, but then the user will have to relog again next time he visits the site if he wants the applet to retrieve the previous information. Something, again, that cookies and pure HTTP do very easily.

    I'm rather happy with the Cookies/HTTP/JSP/Servlet mix for the moment. It's light, fast and predictable.

    Just make sure your $Netscape/user directory (or equiva~1) is only readable by you, and check that https is turned on each time you're really sending confidential info, and you're as safe as you can be.

    Kk.

  78. Linking Cookies and E-mail by Rudolf · · Score: 2

    I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

    The essay on HTML enabled e-mail and cookies is at:
    http://www.tiac.net/users/smiths/privacy/cookleak.htm

  79. cookies by mcc · · Score: 1

    aarrgghh.. i _realize_ you like to put up humorous headlines, but DON'T GET MY HOPES UP LIKE THAT!!

    there was only about a tenth of a second between the time i read the headline and the time i saw that you meant web browser cookies. But that tenth of a second was so filled with wonder and hope that maybe, just maybe it could be true.. that when those hopes came crashing down it felt horrible.

    next time think about the consequences of your actions before you post..

    then again.. maybe we could MAKE it true. i wonder what the security at the Children's Television Workshop equipment storage areas is like.. hmm

  80. state in a stateless protocol by sinator · · Score: 2

    I just don't get it.
    if they want state, why use a stateless protocol like http?

    why not iiop (that is stateful, no?)?
    Why not a protocol like ftp or ssh (if you're a security nut) which is stateful?

    Hack over hack over hack.. the statelessness of HTTP was a performance hack... the cookies are a statefulness hack... junkbuster is a stateless stateful statelessness hack...

    --
    Three Step Plan:
    1. Take over the world.
    2. Get a lot of cookies.
    3. Eat the cookies.
    1. Re:state in a stateless protocol by DragonHawk · · Score: 2

      if they want state, why use a stateless protocol like http? why not iiop (that is stateful, no?)?

      Of course! Why didn't I think of that? I'll just surf on over to Amazon.com using my IIOP-based web browser and...

      Oh.

      --

      dragonhawk@iname.microsoft.com
      I do not like Microsoft. Remove them from my email address.
    2. Re:state in a stateless protocol by sinator · · Score: 2

      That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

      --
      Three Step Plan:
      1. Take over the world.
      2. Get a lot of cookies.
      3. Eat the cookies.
  81. This is easy by Local+Loop · · Score: 2

    Just create a session ID and pass it in the URL. Also, associate an IP address with the session ID.

    To avoid problems with bookmarking, expire them after an hour.

    I do this on a bunch of different sites, and it works great, with no cookies. -Loopy

  82. why are we talking about cookies? by OnlyNou · · Score: 1

    the CEO doesn't even know if the criminal used information from cookies to get his CC#.

    it could have been a clerk at a retail store.
    it could have been me sleeping with his secretary who happened to have his CC#.

    the discussion should be about how this CEO feels that his customers are so low on the brain cells to believe his hype.

    the only good thing from the article is the ad for xcam on the lower left hand corner. yummy.

    --

    "you get hit and your head goes ping" --rocky horror picture show

    1. Re:why are we talking about cookies? by demon · · Score: 1

      The only reason cookies are coming into it is because (a) the CEO of Novell is claiming someone was using his credit card number due to the number being stored in a cookie by his web browser on the disk of his machine (not likely - no reputable site, or sane webmaster, would do such a thing), and (b) because Novell has a centralized-storage system that they are hawking as a replacement for cookies (great - move any personal information from my machine, where I can make sure it's secure, or remove it if I like, to their system, where if someone cracks the centralized server, they have access to information for a LOT of people - and I have no way to verify that they're keeping up on security issues).

      This is simply an advertisement for Novell's "new" technology, assisted by Ziff/Davis. I don't trust this technology - it makes me nervous. And frankly, I hope it makes EVERY DAMNED ONE of you nervous too!

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  83. Cookies cause instability in accessing pages by Anonymous Coward · · Score: 0

    I was posting to Deja when the connection was broken. Trying to reaccess the site I was unable to in Netscape but able to in MSIE. Clearing the caches, reinstalling Netscape, rebooting, nothing worked. I went to another machine and could easily access www.deja.com with Netscape. The solution was to go into the user subdirectory and delete cookies.txt. Netscape accessing deja.com suddenly worked again with no problem. Cookies and/or Netscape 4.7 are broken.

  84. Cookie abuse by Mr.+Slippery · · Score: 2
    The thing to remember with cookies is that the information comes from the server.
    The thing to remember about cookies is that the server giving you the cookie may belong to scumbag banner companies like DoubleClick that want to track your browsing. Your movements between sites that serve ads from the same scumbag banner provider can be tracked quite easily.
    Cookies are only a problem for the ultra-paranoid.
    Bullshit. If you want to know the nefarious possibilities, see this chapter from Philip and Alex's Guide to Web Publishing.. Scroll down to the heading "I want to know the age, sex, and zip code of every person who visited my site so that I can prepare a brochure for advertisers."

    If not wanting my browsing habits tracked this way makes me "ultra-paranoid", sign me up.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
    1. Re:Cookie abuse by vawlk · · Score: 1

      "I want to know the age, sex, and zip code of every person who visited my site so that I can prepare a brochure for advertisers."

      You have to remember that a lot of these web sites out there need to track their users' surfing habits. It's called Demographics and Marketing. Without knowing who your users are, you can't specialize the content for them. I agree that there are a lot of bad cookie implementations out there, but the need still exists.

      It's not like tracking customers was new with the internet. Radio Shack directly asks you for your information at the checkout counter. They may sell/use this information to help them serve you at a later date. When I bought my house, it was quite weird when all these mortgage loan companies started sending me loan applications. How did THEY get that information. It happens all around us daily, and the internet is no different.

      When I started my online shop, I thought my target age group was 15-25, but have since found out that it is closer to the parents of the 15-25yr olds. In my case, the information was given to us by the customer and not through cookies, but any company out there will get all the information it can in any way it can. It only helps them.

      If people are really scared about cookies then simply turn them off and use sites that don't require cookies. It's not that hard. There is a lot more information about you being transferred from company to company in the Real World (tm) that you should be more concerned about.

    2. Re:Cookie abuse by Mr.+Slippery · · Score: 2
      You have to remember that a lot of these web sites out there need to track their users surfing habits. It's called Demographics and Marketing.
      They can very easily track my surfing at their site without cookies, and they absolutely don't have to track my surfing habits between sites. If they want demographic information, they can bloody well do it the old-fashioned way by surveying their customers. A damn site better than spying on them, no?
      It's not like tracking customers was new with the internet. Radio Shack directly asks you for your information at the checkout counter.
      But the guy at Radio Shack is not following me around the mall to see what other stores I visit. And I know when they try to collect my info and can tell them "No." C'mon folks, there's no reason the guy at Rat Shack needs my phone number to sell me a headphone cable, or the lady at Home Depot needs my zip code when I buy some plywood. All they need to know is that the cash in my hand is legal tender. I've never had a problem in declining to answer their questions.
      If people are really scared about cookies then simply turn them off and use sites that don't require cookies.
      Better yet, use Junkbuster to accept cookies only from sites you choose. And you remove annoying banner ads too - whadda deal.
      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    3. Re:Cookie abuse by ncc74656 · · Score: 1
      Better yet, use Junkbuster to accept cookies only from sites you choose. And you remove annoying banner ads too - whadda deal.

      I tried it once...it had the annoying habit of announcing to the world that you were using Netscrape as your browser, regardless of what you were actually using (IE, Lynx, kfm, etc.) Several websites I frequent didn't work right through it, probably because of this.

      Another ad-filtering proxy you might want to investigate is WebWasher. I've used it for a few months now, and it's worked pretty well. AFAIK, it's Win9x-only (maybe NT as well), but if you have only one Win9x box on your network, you can install WebWasher on it and make it available to your entire LAN. It also doesn't mangle the browser information, so websites know that I'm using IE and not Netscrape. It's free (in the "free beer" sense) if you're not using it for business purposes.

      --
      20 January 2017: the End of an Error.
  85. SSL provides secure sessions without cookies by WesBiggs · · Score: 1

    Ecommerce sites should enable SSL by default. The performance difference is a small penalty to pay and can be addressed by hardware solutions for larger sites. With SSL, you already have a certificate and session, so you don't need cookies or encoded URLs. Unfortunately most web app APIs ignore this fact (though the new JSDK 2.2 spec has provisions for doing it in the Java world).

    --
    QWxsIHlvdXIgQmFzZTY0IGFyZSBiZWxvbmcgdG8gdXMh
    1. Re:SSL provides secure sessions without cookies by demon · · Score: 1

      No, you don't understand - SSL is simply an encryption layer for running data through a socket. HTTP tunnelled through an encryption layer. It has nothing to do with session management - AT ALL. Cookies are fine for storing a limited-lifetime unique identifier to temporarily associate several HTTP requests as part of a single session. It just has to be done correctly.

      Bone up on how HTTP and SSL work and are connected together - then come back and we'll talk.

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  86. the urban legend by alder · · Score: 1
    Anyone who thinks cookies are harmless obviously doesn't know much about them.

    Cookies are not harmless. As well as kitchen knives, golf or baseball clubs, [add your favorite misuse here], even the wheel and fire. But it looks like you mixed up the tool and the use of it. Someone can send you a cookie to track your habits, another will dumbly put sensitive information in it (and the browser will store it as a text file for anyone to read), but yet another will just use it to track your session, to help you see only what you want to see, to be better for you. So why do we continue to blame the tool?!

    Yes. There are better ways, and maybe one day we all will be there to use them, but for now cookies are good enough, provided you can control what you send, where and when. Can you really do this with current browsers? Not really. What I personally saw is either everything or nothing, though there is a post in this discussion about better implementation in IBrowse. But should we eat raw food waiting for a fire to be put in stoves? Or we can still use it for our benefit?...

    1. Re:the urban legend by Anonymous Coward · · Score: 0

      This whole "cookies are good enough" argument is just plain silly. Everyone knows there are better ways to handle state -- more secure ways to handle state -- even over lame-ass HTTP connections. The only reason they're not used is because of this sort of conciliatory bullshit.

      I don't know anything about Novell's authentication technology, but that's hardly the point; I'm not advocating it; I don't have to in order to point out the OBVIOUS failings of cookies.

      Why don't we all use 40 bit DES encryption? It's good enough, right? Well, NO -- of course it isn't. And neither are cookies.

  87. Sigh by DragonHawk · · Score: 2

    I don't want to give everybody my information... I usually browse the web with cookies turned off...

    When are people going to get it through their heads that cookies can only return information the server sends to you? The only way cookies are going to "give" your information to a site is if you already told the site your information in the first place.

    Why should I let my free email service know anything about me other than my real name...?

    Maybe so they can pay for the free email service? Didn't anyone ever tell you There Ain't No Such Thing As A Free Lunch?

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  88. PS by Anonymous Coward · · Score: 0
    >they are useless for interserver tracking
    Hmm... I need to qualify that a little; as described below the banner ad servers can track their own cookie against the URLs used to fetch images, which doubtless have something to identify the corporate entity inlining the image. "Devilishly clever," I think Daffy Duck said.

    However, that's just boosting the argument for practical user-level cookie filtering. Not the Nessie and Messie kind, which just pester and pester until you either accept or reject all cookies.

  89. If you win, you lose by DragonHawk · · Score: 2

    The thing to remember about cookies is that the server giving you the cookie may come belong to scumbag banner companies like DoubleClick that wants to track your browsing.

    Question: Would you pay to visit all of the websites you visit? And I do mean all of them, from Slashdot to cNet to Yahoo to some two-bit page on GeoCities?

    The reason I ask is that banner advertising is what pays for an awful lot of the web today. Unless the page is promoting a company's product (making the whole page one big ad) or supporting a company's product (you already paid for the page), banner advertising is the only alternative to charging for access.

    If banner ads go away, then you will lose all of your free web pages. Web content providers will instead start charging for access. That will require you to -- guess what -- identify yourself to facilitate payment. And that identification process will be far more in-depth, involved, and intrusive than any banner ad from Doubleclick.

    I am not saying this makes what Doubleclick does right or wrong. I am just wondering if you have considered the consequences of your actions, or if you are simply hoping for a free lunch, like so many people seem to do.

    Be careful what you wish for. You might just get it.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:If you win, you lose by Mr.+Slippery · · Score: 2
      The reason I ask is that banner advertising is what pays for an awful lot of the web today... banner advertising is the only alternative to charging for access.
      I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective. Clickthru rates are dropping, and ad blocking programs are becoming more popular (go Junkbuster!).

      Fortunately, there are other possible sources of website revenue - sponsored links, merchandising (get those /. tee shirts), affiliate programs, and voluntary contributions (works for NPR and PBS stations) come to mind.

      If banner ads go away, then you will lose all of your free web pages.
      Supported by advertising != free. Just on the basic level, if Coke runs a banner ad on a site, where do you think the money for their ad budget comes from? It's figured into the cost of every can of carbonated caffeinated sugar you buy from them. Then there's the cost of your time to download the ad. Harder to measure is the psychological cost of being engulfed in the sea of advertising that encourages the culture of consumption in which we dwell.
      That will require you to -- guess what -- identify yourself to facilitate payment.
      Nope. Anonymous digital cash is a solved problem.
      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  90. I want to be anonymous, but I post my email addy by DragonHawk · · Score: 2

    I do not accept cookies. They can be harvested by any number of means... I would be quite willing to enter my passwd each time I make a submission...

    Interesting to note that the techniques for skimming cookies off net traffic can also skim that same password and user ID.

    What's that, you say? Encrypt the password? Well, sure... but why not just encrypt the cookie instead?

    Anyone who says "cookies are not needed" has obviously never done any programming. Without persistent state information, computer programming is just about useless. Oh, sure, you can do one-way content delivery that way, but I, for one, want the web to be something a bit more interactive than a glorified TV broadcast.

    I really get a kick out of the fact that you don't want people tracking you, but you post your email address in a public forum. Yah.

    There are issues with cookies that make them less than perfect (to put it mildly), but treating them with extreme paranoia and fear is rather an over-reaction.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  91. Why blame cookies? by Sneftel · · Score: 2

    Okay, so cookies are flawed. They're insecure and undiscriminating. But that isn't really the problem here. Online stores, plain and simple, should NOT store your CC info there. Why would they? The rest of your data (full name, address, etc.) is stored on their servers. All they should need is some randomly generated, IP address-tagged session id or customer id. Nevertheless, I am willing to accept the guy's assertion that there is some website that stored his CC num in a world-readable format.

    If I ran a conventional store, and you bought something with a credit card, I could xerox 200 pieces of paper with the number on it and post them on telephone poles. This does NOT mean we need to blame telephone poles! Credit cards, not cookies, are the dangerously flawed technology we need to cope with here. You have a 20- or so digit number, which anyone can use to spend your money any number of times, for anything and for any amount of money, without your approval? Suddenly, cookies sound rather benign in comparison.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
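    The last two posts make the same defensive point from two sides: the browser should only ever hold an unguessable session id (and, as #90 puts it, the cookie can be protected rather than abandoned), while the card number and the rest of the customer record stay on the server. The following is an added example, not code from the thread or from any site discussed in it; the in-memory session store, the per-deployment key and the customer record are constructed stand-ins, and the cookie is HMAC-signed so a tampered or forged id is rejected before any lookup happens.

```python
"""Added example: server-side sessions, with the cookie carrying only a
signed random id.  Nothing sensitive is ever written into the cookie."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed per-deployment secret; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory store standing in for the site's database.
_SESSIONS: Dict[str, dict] = {}


def new_session(customer: dict) -> str:
    """Store the customer record server-side and return an unguessable id."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy from the OS CSPRNG
    _SESSIONS[sid] = customer
    return sid


def sign(sid: str) -> str:
    """Append an HMAC so a client cannot fabricate or alter the id."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify(value: str) -> Optional[str]:
    """Return the session id if the MAC checks out, otherwise None."""
    sid, _, mac = value.rpartition(".")
    if not sid:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return sid


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie line: only sent over TLS, hidden from scripts."""
    c = SimpleCookie()
    c["sid"] = sign(sid)
    c["sid"]["secure"] = True      # never sent over plain HTTP
    c["sid"]["httponly"] = True    # not readable by document.cookie
    c["sid"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def lookup(cookie_header: str) -> Optional[dict]:
    """Resolve an incoming Cookie header to the customer record, or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    sid = verify(c["sid"].value)
    if sid is None:
        return None          # forged or tampered id: reject before any lookup
    return _SESSIONS.get(sid)  # a valid MAC still needs a live session


if __name__ == "__main__":
    sid = new_session({"name": "constructed customer", "card_last4": "4242"})
    print(set_cookie_header(sid))
    print(lookup("sid=" + sign(sid)))
```

The cookie value is the only thing a sniffer or a disk search could recover, and it is useless once the session expires or is revoked server-side; the card number never appears in it at all.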
  92. CmdrTaco demoted to LtCmdr, Eric Schmidt demoted.. by gatekeeper-eu · · Score: 1

    Proving that two negatives (- x 2) do not equal a positive, the Lord High Admiral (c) Gilbert & Sullivan, charges CmdrTaco with endangering his vessel by navigating in red hot chilli infested waters, thereby causing his double-bottom to be scorched BER (beyond economic repair). Further, although a civilian (and therefore ignorant of the dangers of red hot chillies to CmdrTaco's vessel's (double) bottom) Mr Schmidt, did with no malice aforethought, by displaying false navigation lights did lure CmdrTaco and his vessel into the aforementioned red hot chilli infested waters thus endangering HMS/USS (strike out as necessary, according to prejudice) 'Slash-Dot'. Mr Eric Schmidt is hereby demoted to Eric Schmidtlein (diminutive of Schmidt, for non-linguists) with immediate effect.

  93. The right place for cookies... by Anonymous Coward · · Score: 0

    I copy my cookies down on paper and delete them from my hard drive. That way they can't search my drive for information to send out to all the bad people.

    Few people know that it is actually cookies that are behind the Y2K problem. Oh, yes, you had better believe it.

    It does take some time to type them back in again, but it is well worth it.

    Seriously, who was the clod that called them 'cookies'? Anything would be better, even 'feces'.

  94. Re:Tracking Info via Cookie Exploits by Anonymous Coward · · Score: 1
    "the only real way I can see them being abused... i(s) that they could possibly be exploited to track your movements between cooperating sites."

    Well, here's another one.

  95. You cannot use what you do not have by DragonHawk · · Score: 2

    That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

    Because it is there. It exists. It can be used.

    CORBA is nice, fun, elegant, cool, whatever, but you cannot use it because it isn't available to the target market.

    An inferior solution that works will always win over a superior solution that does not exist.

    (It is also worth pointing out that a lot of things are used for purposes they were never intended. Thus do we evolve.)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  96. And Here's Another Link... by Anonymous Coward · · Score: 0

    The above ZDNN article quotes Richard Smith. Here's a link to his complete article (more informative): "The Cookie Leak Security Hole in HTML Email messages"

  97. Anonymous digital cash? by DragonHawk · · Score: 2

    I am replying twice to one message, because two threads have sprung into existence. The other should be very close after this one (I cannot link them both to each other, unfortunately (chicken-and-egg problem)).

    Anonymous digital cash is a solved problem.

    I'm intrigued. Could you provide some more info on this? In particular, I generally see information technology leading to very easy tracking (to wit, the whole Doubleclick cookie issue). How does anonymous digital cash work?

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:Anonymous digital cash? by Mr.+Slippery · · Score: 2
      How does anonymous digital cash work?
      It's reasonably complicated; consult Applied Cryptography or the Cyphernomicon for details. But the basic mechanism involves blinded digital signatures.

      I'll try to give a paper and envelopes version of a simple scheme; replace the envelopes with blinding (a reversible encryption operation on a message that allows a blinded message to be signed without the signer knowing its contents) and physical signatures with digital ones. IANA cryptographer, so I invite correction on this.

      I want to send you an anonymous money order. I write up 100 of them, each of the form "This is money order [random large id string]; pay to bearer $42." and place each one in an envelope. I go to the bank with all 100. They choose 99 of them to open and see that they're all for $42. So they have a high degree of certainty that the one they didn't pick is also for $42. They sign the envelope with a special ink that stains through onto the money order, and take my $42 (plus a handling fee, no doubt). I take the envelope, open it, and send you the money order. You cash it for $42. The id string uniquely identifies each order and prevents double spending.

      More complicated algorithms allow the tracking of counterfeiters while leaving legitimate transactions private, but they make my head hurt.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
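      The envelopes-and-ink story above maps almost one-to-one onto an RSA blind signature with cut-and-choose, so here it is carried through in code. This is an added example, not from the thread or from any real e-cash system: the RSA key uses constructed tiny primes so the numbers stay readable (a real issuer would use a large modulus and a proper padding scheme), the money-order text and serial format are the post's own wording, and the bank's spent-serial set is the double-spend check it describes. The customer reveals the message and blinding factor for every envelope except the one the bank chooses to sign, so the bank verifies the denomination without ever seeing the order it actually signs.

```python
"""Added example: toy Chaum-style blind signature with cut-and-choose,
following the paper-and-envelopes description in the post above."""
import hashlib
import re
import secrets
from math import gcd
from typing import Callable, List, Tuple

# Constructed toy RSA key (small primes for readability only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

ORDER_RE = re.compile(r"^This is money order ([0-9a-f]{32}); pay to bearer \$(\d+)\.$")


def digest(msg: str) -> int:
    """Hash the order text to an integer below N: the value RSA actually signs."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N


def make_order(value: int) -> str:
    serial = secrets.token_hex(16)  # the random id string that prevents double spending
    return f"This is money order {serial}; pay to bearer ${value}."


def blind(msg: str) -> Tuple[int, int]:
    """Seal the order in an envelope: multiply its digest by r^e for a random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(msg) * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Open the envelope: divide out r so the ink sits on the order itself."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(msg: str, sig: int) -> bool:
    return pow(sig, E, N) == digest(msg)


class Bank:
    def __init__(self) -> None:
        self.spent = set()

    def issue(self, value: int, envelopes: List[int],
              reveal: Callable[[int], Tuple[str, int]]) -> Tuple[int, int]:
        """Cut-and-choose: open all envelopes but one, sign the one left sealed."""
        keep = secrets.randbelow(len(envelopes))
        for i, sealed in enumerate(envelopes):
            if i == keep:
                continue
            msg, r = reveal(i)
            m = ORDER_RE.match(msg)
            resealed = (digest(msg) * pow(r, E, N)) % N
            if m is None or int(m.group(2)) != value or resealed != sealed:
                raise ValueError(f"envelope {i} does not contain a ${value} order")
        return keep, pow(envelopes[keep], D, N)  # sign without seeing the contents

    def deposit(self, msg: str, sig: int) -> int:
        """Cash an order: check the signature, then refuse a reused serial."""
        m = ORDER_RE.match(msg)
        if m is None or not verify(msg, sig):
            raise ValueError("bad signature")
        serial = m.group(1)
        if serial in self.spent:
            raise ValueError("double spend")
        self.spent.add(serial)
        return int(m.group(2))


def withdraw(bank: Bank, value: int, k: int = 100) -> Tuple[str, int]:
    """Customer side: prepare k orders, let the bank open k-1, keep the signed one."""
    orders = [make_order(value) for _ in range(k)]
    sealed = [blind(o) for o in orders]
    keep, blinded_sig = bank.issue(
        value, [s for s, _ in sealed], lambda i: (orders[i], sealed[i][1]))
    return orders[keep], unblind(blinded_sig, sealed[keep][1])


if __name__ == "__main__":
    bank = Bank()
    order, sig = withdraw(bank, 42, k=10)
    print(order, verify(order, sig), bank.deposit(order, sig))
```

      The unblinding step works because (m * r^e)^d = m^d * r mod N, so dividing by r leaves a plain signature on the digest the bank never saw; the bank later recognises its own ink but cannot say which withdrawal it came from.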
  98. Advertising, "free" content, and more by DragonHawk · · Score: 2

    I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective.

    Could be. Alternatively, consider highly targeted banner ads. I deliberately fill out a survey giving the advertiser demographics information, such that they can target their ads to the sorts of things I am interested in. My interest goes up, clickthroughs increase, sales benefit.

    Now, why would I fill out such a survey, you ask? Well, one of the purposes of advertising is to inform potential customers of your product or service, whereas they may have been in the dark before. That is a useful thing, to me. If I am going to be bombarded with ads, at least they could be relevant ads.

    I have to wonder just how "ineffective" banner ads really are. I see 'em. I read some of them. I even click interesting ones from time to time. Sometimes I learn something, sometimes I close the window in disgust, occasionally I bookmark a site for future investigation. This works better, for me, than ads on the side of a bus, where I cannot easily remember the company or investigate their product.

    there are other possible sources of website revenue

    Okay...

    sponsored links

    Sponsorship is just another way of saying "advertising", is it not? Sponsors will likely want an attractive thing to get my attention, no? How is that different from a banner ad?

    merchandizing (get those /. tee shirts)

    I somehow doubt Slashdot could be funded on the income from T-shirt sales. :-)

    affiliate programs

    You mean like, "Link to our online store, and you get a kickback"? Frankly, I find those sorts of agreements more insidious than advertising. With ads, you see a product of possible interest and get the chance to evaluate it. The content provider gets their money regardless. With affiliate programs, I am locked into a choice. What if the affiliate provides lousy service? Do I use them anyway, and support my preferred content-provider? Or do I leave the C.P. out in the cold and use my preferred online store (or whatever)?

    voluntary contributions (works for NPR and PBS stations)

    Riiiight. Voluntary contributions are never enough. You think NPR and NPTV aren't funded through your tax dollars? There are too many things of possible interest to possibly get supported through donations. No, I don't buy it. Sorry. I want more than two channels worth of National Public Internet.

    Supported by advertizing != free

    Good point. Touché. However, supported by advertising is also not the same as paying cash.

    Harder to measure is the psychological cost of being engulfed in the sea of advertizing that encourages the culture of consumption in which we dwell.

    Oh, please. I'm not going to crawl into a hole and isolate myself from the rest of the world just because I might fall in with a trend. :-)

    Anonymous digital cash is a solved problem.

    Very interesting. See my post at #215 for a separate thread on this.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  99. iCab cookie handling by jaed · · Score: 1

    Let me take this opportunity (for those of you who use Macs) to plug iCab. Its cookie handling is close to perfect. You can set a preference to accept, reject, ask, or accept but expire all cookies at the end of the session. The cookie-query dialog displays the cookie name, data, expiration date, and server, and has options to accept or reject, to auto-expire at the end of the session, and to add this server to the always-accept or always-reject list.

    It's also in a user interface that makes all this a lot simpler than my explanation. ;-) Has selective blocking of images (by server or by dimensions) and applets, too, and a built-in list of common banner sizes.

  100. The whole web is fubar! by Anonymous Coward · · Score: 0
    Hello? Who cares about the arguable evil of cookies?! The whole "web" sucks! The multimedia / hypertext concept was invented in the late 1930's, and implementation ideas (note: multiple!) date from at least -68. (That I've heard of.) And we use http/html, (dhtml, cookies, css, cgi, javascript, java, plugins, and its ilk!) which is about as close to flat files + phlegm you can get, and has practically none of the features of real hypertext.

    It's about as sexy as ascii-art, when you know you could almost as easily have a raytracer!
    Cookies are just one of the symptoms!

    gargoyle#stonedemon.yi.org

  101. How about micropayments by aaarrrgggh · · Score: 1

    Seems strange that everybody is thinking of this as a direct replacement for cookies. I would think that the opportunity (for Novell to want to do it) would be to provide some added value.

    As I understand it, the biggest hurdle for micropayments is that the processing cost for a typical credit card transaction is about US$0.15, plus profit!

    So, my slightly off-topic question would be this: what does it take to make micro-payments work? Is it smart cards that operate in a debit fashion? Something that can aggregate millions of transactions an hour to the point that they are actually WORTH something?

  102. die la,mer last post!!! by Last+Post! · · Score: 1

    EZ NOVEL OWNS JOO. novel is novel, which means ita new thingy.. you probablu difdnt even knwo that simple yawn.

    last post

    LAST POST
    !@!

    YOU CAN'T BeAT MORE FOR LAT POST YOU IW OWNED YO(U AHAHAHHAHAHAHAHAHAHAHA

    _.......................__
    ||.....__...._._||_..||-\\..._...._._||_
    ||......_\\.(/_'..||....||-//.//.\\.(/_'..||
    ||__((_||_,_/).||_..||....\\_//.,_/).\\_
    The final word; anything following is redundant.

  103. Sessions via URLs by Citrix · · Score: 1
    • Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hard drive. Unless you bookmark it. Ooops.

    What if your browser keeps a history that has all the URLs in it?
    Sorry to be anal.
    In general I think cookies are fine.
    just my two cents
    Citrix
    --
    Leknor
    http://Leknor.com
    "So many idiots, so few comets"