Novell CEO Attacked by Cookie Monster

CitizenC sent us a funny as hell article where Novell CEO Eric Schmidt talks about having his credit card stolen. The funny part is that he blames cookies. Cookies are certainly flawed, but he goes as far as to call them one of the biggest disasters in computers and tell us that they are stored in the wrong place (what, we're gonna keep them on floppy disks?). Finally he (surprise!) plugs Novell's own digital authentication mechanism (aha! The truth comes out). Hit the link to read a little more ranting by me on the subject.

It is a given that cookies are flawed:

• Most systems store them in a readable format on your harddrive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems then just your cookies file.
• They are sent in plaintext over the internet. But thats why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
• Cookies used to be pretty well forced on netscape users, but now most browsers give you an option. And there's always junkbusters for the more paranoid.

It is given that I need state over httpd. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.

• Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
• Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hardrive. Unless you bookmark it. Ooops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
• Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.

I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.

It's like telling people that the water that comes through your pipes has floride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?

Security and Privacy

[Belgand]

One of the greatest problems in this whole arena is that anytime someone stores any bit of information for whatever reason people will get unnecessarily angry. It's a fact of life, albiet a sad one, that many people have become so astoundingly paranoid. If we had slightly more trust then maybe things could start to work, but not until then.

Re:Security and Privacy

[finkployd]

In a perfect world, trust would be nice.
However, we are bombarded by examples of companies and government taking advantage of us every which way. Including ways we didn't even know were possible. I think it's sad people aren't MORE paranoid, given the track record.

Finkployd

Re:Security and Privacy

[Fastolfe]

There is really no legitimate reason to have cookies in the first place

Are you just totally ignoring what everyone's been saying? Cookies are quite necessary to preserve state information between web site requests and visits.

I personally love the fact that I can re-visit outpost.com and not have to enter my address in every time I want to order something. I like being able to pick out a book or two from Amazon, set them aside, and come back in a week to complete the order. It's all about convenience, and I'm sorry, but outpost.com doesn't spam me, so I don't really see where you get off labelling all cookie users as evil conspirators that want to spam you.

There are quite legitimate uses, and the only real way I can see them being abused has been discussed on Slashdot ad nauseum in that they could possibly be exploited to track your movements between cooperating sites. The only marketing-related way they're being used today is to try and "target" those banner ads that you see to your tastes. The banner ads are still there, mind you, but now they're advertising stuff you're interested in.

Read the "Talkbalk"

[legoboy]

I saw this a few hours ago. I was thinking, "Good god, not the cookies are evil thing again." But no, it turns out that the article is nothing but a shameless plug for a product that this fellow is trying to shill.

The most telling part of the whole tale though, is the ZDNet TalkBalk. When "Larry, Internet Web Designer" can identify it as a joke, you know that even the lowest common denominator can see right through this guy.

I can't help but wonder why even ZDNet would lower their quality control to this level.

------

CC# stolen, or guessed?

[Masem]

There's not enough details in this article to say whether the CC# was stolen, or was guessed at by a random # generator. I know that about a year ago, I was victim to the random # generator fraud that charged $19.95 to my card, enough to rake in money, but not enough to tip ppl off that aren't careful with their statements. Fortunatley, I caught it, called my CC bank, and got the money removed.

The thing with the latter is due to the fact that most CC # checkers check the numbers, and not the expiration date. Thus, pass 10^16 numbers to one of the sites, and you're bound to get some cash. Once they have a number that works, then they're set.

Therefore, he might have been hit with this instead of true CC# stealing (It's really hard to get at cookies although there are some bugs, but require a lot of assumptions on the end user's actions). This only suggests to me that we need to make sure that CC# verification systems are more secure, and ask for the experiation date in addition to all other info. Or even better, add a PGP-like key to CC# info to make it more secure.

Re:CC# stolen, or guessed?

[AJWM]

Thus, pass 10^16 numbers to one of the sites,

Not even that many. 10^14, tops. The first digit identifies the type of card (Visa, Amex, MC, etc) and the last digit is a checkdigit. (I used to know the formula for the checkdigit, since I coded software to check it, but that was years ago).

And I believe the next few digits after the first identify the issuing bank, so one could probably make educated guesses about that.

Not that there aren't a zillion other ways to just go ahead and steal real CC numbers, if one is so inclined.

I dont trust my computer, but I trust Novell !

[Manifest]

I am paranoid. I dont trust any one. Cookies are bad. Javascripts are yuckkkk .. But I TRUST Novell. They are so carefull people. see they learn from their.. opps their CEO's experience.

I hope they implement "digitalme" soon. My cash is running out. I need a database of credit card numbers.

Manifest

Latest in a long line...

[TBedsaul]

Of CEOs shooting off their mouths to try and move product.

Anyone else remember McAfee and the Michalangelo virus?

It's just one of those necessary evils.

[tweder]

Sure, you could rant and rave about how bad cookies suck - but what would you do without shopping carts, user preferences, and *GASP* slashboxes? Of course I suppose you could petition all programmers to use Php4's session functions and not only get nowhere fast, but get rid of cookies all together.

Oh no!

[pen]

Rob just stole your credit card! Look out!

....

[Signal+11]

RUN! It's OSCAR THE GROUCH, and he's running an E-COMMERCE site!

I'm the guy who writes those silly fortunes. =)

Credit Cards Online

[rodbegbie]

Let's get this straight once and for all.

It is NOT easy to grab a credit card number on-line. Sniffing packets, intercepting e-mails, grabbing cookies, etc. is bloody hard work. Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.

I am willing to bet $50 that Mr. Schmidt has at some point in the last 6 months handed over his credit card in a restaurant. Doing that is opening up his card number to a wider audience than using it on Amazon.com ever could.

However, it is helluva easy to use a credit card number online, once you have it. Go on, fill in a few forms, and it doesn't matter if you're a 13-year-old boy in Arseville, Tenessee -- you can use that card number from the 70-year-old woman in Alaska who wouldn't know a modem if it bit her on the arse.

Last week, I found a $60 Amazon.com charge on my card which wasn't mine. I don't blame the internet. I don't blame Amazon. I don't blame cookies, SSL, e-mail, or Elvis.

I don't even care that much. So what? I shout a bit, get my $60 back, and carry on like nothing ever happened. No big deal.

This kind of thing has been happening for years on the phone. This is nothing new, except for the sheer volume of fake transactions. But until the card companies make it easier to verify transactions on the fly (see Philip Greenspun's excellent book for a description of how pathetic the whole thing is), it's not going to get better any faster.

Just don't forget to burn your carbons.

rOD.

--

Re:Credit Cards Online

[zantispam]

"Has anyone who uses the above argument ever gone dumpster diving for CC numbers?"

Yup.

"f Sears throws all their receipts through a shredder, are you really going to be able to sift through that mess and find one good number?"

Having worked at a mall before, I can assure you that most places (not all) do very little in the interest of CC security. None (that I saw) even owned a shredder, much less used one.

As an example, the place where I worked threw the carbons out with the trash. The trash went into the dumpster. Within the span of ten minutes, I promise I could dig up 50+ CC numbers out of one bag of trash. (if I could stand the smell :-)

And it's worse during the holidays. :-p


Jedi Hacker (Apprentice) and Code Poet

Oh, not again...

[Millennium]

Yes, there are quite a few problems with cookies. The major two have to deal, of course, with encryption. The encrypted storage is depressingly easy for a browser company to fix; I can only wonder why Netscape, Mozilla, or even IE hasn't at least done a weak scheme (at this stage, with the RSA patents set to expire in less than a year unless I'm mistaken, Mozilla will probably be the first to do it).

The problem of sending cookies in cleartext is harder. The solution is of course encrypted communication. For anyone with Apache this shouldn'e be too difficult (SSL should be sufficient)... except for the whole certificate problem. I'll be glad when encryption is built into the protocol.

Come to think of it, the only way this credit-card number could have actively been stolen would be if the sessions hadn't been encrypted. Does this mean that one of the "great" computer executives was actually stupid enough to give his credit card number to an insecure site? I find that hard to believe, though if he's trying to hawk his own wares I suppose it could be some kind of play.

More likely he simply fell victim to a credit card number generator (which exist all over the place) and blamed cookies since he could use that as an advertisement.

Re:Oh, not again...

[gorilla]

I personally prefer having my cookies unencrypted. I go in every so often and clean out the ones I don't want. If they were encrypted, then I couldn't do this.

Big problem with cookies

[twit]

The big problem with cookies, I think, is that they're misused. You should maintain state, not useful information, using cookies. They're perfect for stuff like a session ID, a user ID, that kind of thing, which does not need to be kept secure.

Credit card numbers should either be kept in a back-end database, or (preferably) not at all. I'd prefer it happen the latter way. I like net commerce as a bright idea (both generic and in the IBM-branded net.commerce) and have even worked on some commercial sites, but that's part of the problem: you don't want schmoes like me safeguarding your credit card :).

If Novell's CEO is having problems with credit cards kept in cookies, it isn't the fault of the medium but the way it's being used. If anything, we should adopt best practise standards which keep credit card numbers secure and press business software vendors, like IBM or MS, to do the same.

Of course, I suspect that it wasn't the fault of cookies at all; it was a cracked machine or even a shopclerk who swiped his card twice. But that's just my nasty, nasty suspicion.

--

Re:Big problem with cookies

[irix]

As a web developer who does this kind of stuff, I can tell you that 99% of places only use cookies for that reason - keeping state.

Quite frankly, this is the only way to keep state after you close you browser. Rob is right - if you like personalization, etc. then you better like cookies.

more your ~/.netscape/cookies file and see what is in there. Mine is over 20K and all it is is user id serial numbers.

The other thing to note with cookies is that many places use temporary cookies - stored in RAM only and never stored on your hard drive. They terminate when your close your browser.

Re:Big problem with cookies

[Royster]

more your ~/.netscape/cookies file and see what is in there.

Hmmmm. Let's see. Three cookies for the NYTimes site. One for Slashdot. One for Gist (an online TV guide)

That's it.

If all developers ever cared about were state, then cookies that do not persist when the browser was closed or ones with short termination dates would be necessary. Why can't I be the one to determine how long cookies are kept? As it is, I decline cookies unless *I* have a reason to keep it. Any sight that presents me with too many cookies dialogs does not get revisited.

Re:Big problem with cookies

[twit]

In my experience, JavaScript is an excellent way to pass some of the server-side processing on to the client, not to mention all the client-side tricks which can make your job much easier.

I'd personally like to do mostly script-free sites, or at least offer script-free alternatives, but clients simply will not pay for that - it's their business to address the great majority of browsers, and that quite often means neglecting alternative browsers (or any other than the strict mainstream) and users who customize their browser config.

In other words, it's a no-win situation for an architect to suggest - "you want to spend how much money addressing the needs of how few users?". You start losing proposals if you end up playing technology pedant like this, and unfortunately consulting is the game of winning, not losing, proposals.

A lot of the cutting-edge UI stuff relies on javascript, but the core functionality shouldn't. IMHO, of course. But clients pay for as much eye-candy as they can afford, and because it tends to attract repeat visitors it is a strategy that works. I disapprove of it on personal and puritanical grounds, but it does pay the rent :).


--

A prediction (?) about smart cards

[dmorin]

A few years ago I did a commercial system for using digital certificates to identify yourself to a web site. It was generally liked as being nice and secure, but hated as being too hard for the consumer to understand. That was before smart cards.

Imagine that, as a web surfer, you have a smart card that identifies you as a web surfer. Personally I am a believer that you should have to identify yourself as adult/child in order to cruise some areas of the web, but that's my personal opinion. But that's not for this thread to discuss. Add to the smart card some sort of bio sensitive way to identify yourself, maybe a thumb, maybe an iris scan. The key being that everything you need (short of the reader hardware) is stored on the card. You can take it with you to any browser (unlike cookies).

Your smart card not only identifies you, it has a profile on you. It can keep your web site preferences, but it can also keep your buying habits, etc. And your age, marital status, and so on. It's here that people scream bloody murder about privacy on the net. But here's my hopeful suggestion : that your profile will come with trust zones. If you're doing anonymous surfing, maybe all the site gets is your age -- or maybe nothing at all. For sites you want to register with long enough to read a story (like NYTimes), you let them have your name but not your profile. And so on. For trusted sites like slashdot you set up preferences. For sites where you are actually a customer of some sort, you let them have your profile (linking in yesterday's discussion about IBM's miniature vegetable commercials).

Wouldn't this be nice? My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses? Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want? Wouldn't it be nice to have a mini-profile that you could use to bootstrap your registration to new sites?

My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains. A web site couldn't just tell the card "Give me the whole profile". It would have to say "Please validate me as being a trusted site and give me whatever information I am entitled to." And then, in something of an ironic twist, *it* has to identify itself to *you*, and you get to decide what to do next.

Will this happen anytime soon? I wish. I think the reason that digital certificate authentication didn't catch on is that it was too confusing to get the certificates into the browsers, people didn't want to give up their passwords, and the certificates weren't portable. In a world where you have a smart card reader built into your keyboard, these problems seem like they might go away. Nobody thinks twice about having to flash a passport when flying internationally, and they usually only grumble a little bit about being carded at the local bar. Is it really that much of a stretch to think that there'll come a day when you take your webId card out, stick it in the slot, and then periodically answer a question about how much information you want to provide to the web site you just visitd? I don't think it's really all that bad.

I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?

d

Re:A prediction (?) about smart cards

[dmorin]

Sounds like a great idea. I assume you intend a company to market these cards? Would they be free, or would you have to pay an annual fee?

The business logic of the poor adoption of smart cards has been that they're currently too expensive. Nobody will pay $5 just for a card, especially if there are a number of different entities that each expect you to get your own card. As an example, they have "SpeedPass" at my local gas station. It's a smart card that's in a keychain, you wave it at the pump instead of having to get out a credit card. This is a free service. I don't think anybody would pay for the card. Because then they would be worry about if they lost the card, or it got worn out, or whatever. When it's free they can always get a new one.

So, smart cards won't be truly adopted until they're "relatively" free (maybe a cost of $1 or something could be eaten by other fees). As for who sponsors/provides them, the question turns to one of identification. Traditionally you rely on a government agency to provide your identification (passport, driver's license, birth certificate...) so it's logical to extend that into this arena. But again, people will go bananas if you start talking about the government being involved in such a thing when it relates to the web.

Who knows. Maybe some enterprising company will figure out a way to market the cards as essentially free, but then sell the readers. The trick there would be in fostering the adoption of the card/standard. You'd need to get all kinds of retailers on board that use your card, so that people would get use out of it. This has been tried numerous times with a variety of "electronic cash" methods, but none have really caught on that I know of.

Re:A prediction (?) about smart cards

[dmorin]

The reason this shit has failed in the past, and will fail in the future is two-fold.

This logic implies that "Those who do not study history are doomed to repeat it" is incorrect. That industry does not learn from its mistakes. This might be true, I don't know. I don't think it is. You're welcome to. There's no real way to tell if it's an absolute truth, now is there?

First, every company will get into an endless Beta-VHS standards war seeking to control the standard and therefore the royalties.

And by this logic, we would never have settled on the magnetic stripe card, would we? Somewhere along the line competing plcaes like Visa and Mastercard got together enough to agree on the format. Why is it so unbelievable a stretch that this couldn't happen with smart cards, which are often compared very closely to magnetic stripe cards? There's a darwinistic element to the introduction of a standard, no question about it. And we all know that it's not usually the technically superior standard that wins. But a standard does usually emerge. It's not an endless battle.

Second, this type of "universal profile" turns people off.

Define "people" in this case. You forget that most people out there are not freedom fighters. They are consumers. More than that, they are lazy, cheap consumers. It's cost-benefit analysis. What am I giving up by having the card? What benefit does the card give me? If people perceive that the card makes life easier, they are likely to use it. If you don't wnat to use it, fine. I know people that don't use ATM cards for many of the reasons you list. Fine. But that hasn't stopped them from becoming very popular.

d

Re:A prediction (?) about smart cards

[Royster]

Wouldn't this be nice?

No, not really.

My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses?

No.

Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want?

Yes. I don't want to identify myself to every website that I visit. Frankly, moist sites I visit once and never return. Neither do I want prefeences set at every website that I visit. Most sites aren't as configurable as /.

My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains.

My point is that I have the brains. I don't want a smart card giving out any information on me. I don't need the card. If I want to lie to a site and tell them that I am a 75 year old lesbian mother of three, I will do so. I don't need your smart card and I don't want it.

Re:A prediction (?) about smart cards

[DeadSea]

No. Its not a great idea. In return for me giving information to anybody, I expect to get something in return. I also expect that there should be some reason I should have to give info to get what I get in return. I don't want to give everybody my information, and if I have the choice of whether I give or not, I don't want it to be an all or nothing proposition.

I usually browse the web with cookies turned off and only turn them on when I need to to look at a site, or if doing so would really make my life easier. I usually delete most of my cookies daily, except for a few sites which I use often and having cookies will save some state which I want saved.

I often sign up for something on the web using false information. Why should I let my free email service know anything about me other than my real name so they can tell people who I send mail to, who it is from? Maybe they want to know my income and marital status, but they won't get it just because they can target ads at me better. If I buy something, they get my address and credit card, but no more. Certainly not my real phone number.

I can't believe anybody would use a system where they say "here, take my info and share it. Shaft me for all I worth, please!!!"

Re:A prediction (?) about smart cards

[dmorin]

You may have the brains, but I'm not sure where you apply them. You took from my post that I was somehow not attempting to solve the problem, but instead trying only to get all the information into one place where it would still be fully accessible. I never said "identify yourself to every website you visit" or "set preferences at every website". As a matter of fact, for your "most sites I visit once" argument I specifically said that you could/would set up an "anonymous" mode where the card was completely off.

Read what I wrote again, and you'll see that you still get to use your brain. All the card does it regulate and structure the flow of information. You still get to set up the whole "trust" mechanism. If you trust no one, and it sounds like you don't, then don't use the thing. But you must not be a customer many places, though, because I would think that you'd be willing to identify yourself to a web site in order to get a look at your stock portfolio, or the status of your new order of blowup dolls.

As for pretending to be a 75yr old lesbian, your personal life is your business. Sounds to me like wearing a different disguise to the supermarket every week so that nobody recognizes you as a regular shopper, though. Kinda pointless. But if that's where you want to spend your time and energy, more power to ya. I'm just trying to spend mine coming up with ways that might actually benefit both people and industry. It can happen, ya know.

Please dont waste time. Read this instead

[Manifest]

Please dont waste time. Read this artic le on the evils of cookies instead. Atleast these people know a bit about what they are talking about.

If I am not mistaken, it talks about the security loophole that was created when GIF images were allowed to embed cookies in computers. This has been discussed on /.

Stolen at a restaurant?

[scumdamn]

Isn't it more likely that this guy paid with credit card and a waiter wrote the number down? If I were going to commit credit card fraud I'd just get a job at Red Lobster and start writing.

Re:Cookies are not evil but..

[jilles]

I agree with this. The whole problem is that each web app deals with security on its own way. Many sites require a person to identify himself. This is commonly solved with a username/password combination. What would be nice is if there were a third party that would do user identification. Rather than providing each site with all your details you could authorize (through a certificate) a company to verify with that third party that you are you. This would also be a way to limit the amount of information you show to that company. The third party could of course maintain a database of user data but you could agree (with a contract if necessary) to restrict access to that database.

This would solve the privacy issue and it would allow sites to verify that you are who you say you are.

What we need for this is standards. We have standards to verify that a piece of software is from a certain company, why don't we have a standard to establish the identity of someone.

The Evil Use of Cookies

[Merk]

I think one of the greatest dangers of cookies is that right now they're insecure an invisible.

I had a friend who had his browser set up to accept all cookies. I was ranting to him one day about how I hate being forced to accept cookies at some sites, and how I nearly always refuse to accept them. He decided to check out his cookie file. Guess what he found...

Some site (I don't remember the offender) had set a cookie that contained a ridiculous amount of information about him: full name, home phone number, home address, job title, etc. Obviously he had filled out some kind of form at some point and they just dumped the info into a cookie. This meant that without his knowledge, every time he used their website, all of his personal info was being sent back and forth in plain text.

A system that allows this kind of abuse is seriously flawed.

I don't think it's time to rewrite the whole cookie spec -- and I don't like the alternatives to cookies either, but this current situation isn't acceptable.

What I'd like to see is some "cookie" icon in the statusbar of your browser that's shown whenever the site you're communicating with is using cookies, and clicking on that "cookie" would give the full cookie details.

I also think that all new browsers should have cookie filtering built in. I don't mind accepting any cookie from Slashdot.org, but I don't want to accept a single cookie from doubleclick. I'd also like to see some content based filtering available. This would allow me to refuse cookies that try to do dumb things like store my password in the cookie.

In the mean time, I'll keep plugging Cookie Pal for Windows users. It does a great job of filtering and handling cookies, and is very unintrusive and small. I'm a satisfied user, but don't have anything to do with the company other than that.

You mean, like Slashdot?

I am not an Anonymous Coward.

I am Bob Washburne rcwash@concentric.net

I am a registered slashdot reader. But Slashdot refuses to accept my password even though I am looking at it on the screen.

I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.

Cookies are not necessary. I fill in my Nickname and Passwd on the first screen and it is brought along through the Preview and subsequent screens. This is done without a cookie, so why any cookie at all?

I would be quite willing to enter my passwd each time I make a submission rather than leaving personal information lying around for a rogue marketing-bot to harvest.

That is the whole purpose of a password; to authenticate the action. Storing a password defeats the entire purpose. So why have a password at all if anyone can just walk up to your box and post without it?

I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.

not caused by cookies

[avdp]

I could just start and speculate for hours as to how his credit card number was stolen. Maybe somebody sniffed a packet and read the card. unlikely but technically possible. Maybe the random card generator. Maybe it's not an online problem at all. But there is one thing I am pretty sure of, regardless of how flawed the cookie system might be, whoever got his credit card number in all likelyhood did not get it through a cookie!!

What's being stored in cookies? Well, a session id. Or a user name. Or maybe even some personal info or preferences. But I have never ever seen any site storing the credit card number in a cookie! And I shop online an awful lot.

If the credit card number was in fact lost online, and you must blame it on someone, blame it on the stupidity of this particular user. You don't send that info online in a non-encrypted format and as a general practice you probably should not shop online at a store you don't trust (for a variety of reasons, privacy and security being only some of those reasons.

Cookie Monster?

[Chris+Burke]

How tragic that the CEO of Novell has been assaulted by a plush puppet. I'm glad to hear that he came away with nothing worse than a stolen CC#. Cookie monster can be pretty viscious when he's mad.

The big question in my mind -- Sure, Novell's new software may protect you from Cookie Monster, but can it protect you from other muppet menaces like the powerful Big Bird or Bert (who everyone knows is Evil)? The article doesn't say, and I'd have to assume not.

Which is of course where my software comes in. Sesame Shield is released under the GPL and is easily configurable to run as a daemon that will block all Sesame Street characters, and soon Muppet Show characters as well. Don't rely on closed-source programs to protect you!

Cookie handling in IBrowse 2

[Stephen+Williams]

One of the Web browsers I use is IBrowse 2 on an Amiga. (I'm aware that I'm encouraging flames by even mentioning the Amiga here, but I'm going to take the chance :-)

IBrowse 2's cookie handling is very good. If you elect to be asked before accepting a cookie, the request that gets popped up give you a number of choices - accept cookie, accept cookie but don't save it, accept all cookies from this server for the rest of the session, reject cookie, reject all cookies from this server for the rest of the session. It's cool because when doubleclick.net (or whoever) sends me a cookie, I can hit "reject all". If Slashdot sends me one, I can safely hit "accept all".

Additionally, IBrowse 2 has a "URL prefs" feature, allowing one to set per-URL preferences, including cookie handling prefs. I can therefore set the brower up to automatically reject all doubleclick.net's cookies without asking, for example (this is a fake example, as I never get anything from doubleclick.net; it's aliased to 127.0.0.1 in my hosts file ;-)

I use Netscape 4.5 at work, and its cookie handling is primitive in comparison. Since IBrowse and Netscape are the only two browsers I use with any frequencey, I don't know how IBrowse's cookie handling features compare with (for example) MSIE's.

-Stephen

Re:Cookie handling in IBrowse 2

[lordsutch]

MSIE lets you assign sites to "trusted" and "restricted" zones, which is better than Netscape, but a per-URL scheme would be much nicer. Probably too late to get it into the first release of Mozilla, though it'd be a nice add-on project.

Incidentally, I've found lynx's cookie handling fairly good; you at least have the site granularity, which is nice.

Re: are there sites that send cookies with c.c #'s

[CodeShark]

If there are, they'll be dead meat following the first lawsuit which tags them. Even in the initial Netscape spec, they specifically caution against using cookies to do anything much more than identifying a computer to a server, the same way /. knows "who I am" by reading an ID off of the hard drive where I am viewing the pages.

In relation to using personal information on the net (including my e-mail address, you may notice that I did not "anti-spam" my e-mail address here on /. However, I only use that e-mail address in conjunction with a few sites, limiting the number of points from which my personal information can be derived to those sites with privacy policies that are up to spec, saving my regular e-mail address only being given to a much more private and personalized list of people that I am willing to receive information from. That way if there is a security problem, I know where it originated by my email address. Similarly, when I write software that uses cookies, I don't put any personal information in it. All of that type of information can and should only be kept in a back end database, well shielded from crackers, etc. For example, on one e-commerce site I designed, the cookie "knew" who you were, but in order to place a credit card order, you had to validate certain information within an encrypted page, even though the user had already "registered" their information (including the c.c. #) into the database via the web. We also included a fraud detection program designed to stop the c.c. # generators from ever being able to spoof an order. And folks, it just wasn't that hard to do!!

I agree with previous posters. The Novell CEO was trying to sell proprietary software, and claiming to have been attacked by the "poison cookie" monster in order to do so.

Eric Schmidt: BceOFH?

[Effugas]

A user rings

"Do you know why the system is slow?" they ask

"It's probably something to do with..." I look up today's excuse ".. clock speed"

I'm feeling very uncomfortable here. I mean...I've grown up worshipping the BOFH...and now...what doth my eyes detect, but...

A Bastard Chief Executive Operator From Hell?

You know, some strange part of me wants to see this as a complement.

The odds that Mr. Schmidt purchased something from such a fly by night operation that the credit card number was embedded in the cookie so low, that it stretches the imagination beyond repair to consider the idea that that same operation would ever have the technical desire or even knowledge to use Novell's new DigitalMe software!

Of course, he could have just been tricked by a *real* BOFH... "GEEK! HOW DID MY CREDIT CARD NUMBER GET TAKEN!" "Mmmm. Cookie." "I knew those things were trouble!" "Mmm. Oreo. Chips Ahoy. Yum."

Seriously, there's a gigantic amount of irony embedded in Novell proposing that their DigitalMe system would improve consumer privacy. Consider: Most sites that require state don't require your identity, pretty much because it takes time to get somebody to reveal who they are, and attention spans are small. Look how much traffic The New York Times loses from people too lazy to even lie on a form--MTV may have done more for consumer privacy than any other company in history.

Novell's DigitalMe changes that. Assuming the infrastructure is such that any site that wants to do trustable-state transactions(which is really what Schmidt and Novell is trying to sell) actually has enough DigitalMe access to not have to worry about Yet Another Single Point of Failure, DigitalMe lets the user disclose every piece of information the user could possibly expose in the click of a "OK, tell 'em whatever they want to know."

Heh, Novell--Suddenly everyone's finding out a hell of alot more about you!

And the worst part? Unlike that paltry $50 liability had, you'll never know what people are doing with your personal information. I find it interesting that in a place that espouses freedom and individuality so much, people don't own their identities.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

What about encrypted cookies?

[sterno]

If secure data is being store in the cookie, why not encrypt it. The server can have the keys to encrypt and decrypt the contents of the cookie. Then if somebody gets your cookie file they still have to crack the encryption of the cookie itself.

The only potential issue I can see with this is the possibility that the limited size of the cookies may make decent grade encryption too big. I'm not certain though.

Personally I like the use of cookies as a session token for server-side session management. The only thing stored on the client is a one-use session ID which expires. Thus, even if somebody could get your cookie file, they'd have to take the session ID and use it within say 15 minutes, otherwise it would be totally useless. To further prevent fraud, you can link the session ID with the IP address, which eliminates all but the most complex hijackings that I can think of.

---

Manage Your Cookies

[Duxup]

I use a program called At Guard to deal with cookies. It does not just block those I do not want, but also allows me (upon visiting a site for the first time) to accept cookies from sites I wish to use them on (i.e. Slashdot.org). The program also has some nice firewall and add blocking features.
http://www.atguard.com/

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Banner ad that set cookie

[Dicky]

This, unfortunately, is one of the larger and more worrying misuses of cookies. There are actually a relatively small number of companies online who 'do' banner ads. The large sites (C|net, /., Yahoo, etc.) do their own banners, and smaller sites usually don't have banners, but most medium-sized sites use one of the small number of banner ad agencies.

The problem is that the agency can track you across multiple sites. If you visit www.site1.com, you can only get a cookie which will be sent back to that server, right? WRONG. While you were at www.site1.com, you viewed a banner from ad.doubleclick.net (for example). The problem is that when you visit www.site2.com, which should not be able to 'see' the cookie from www.site1.com, you took another banner from ad.doubleclick.net. This means that Doubleclick can track you between sites, which is a bad thing. I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

I have no problem at all with certain sites using cookies. I am currently (since earlier on this week) using Junkbuster, and I have it set to allow cookies from Slashdot, LinuxToday, Amazon, and a couple of stock sites. If anyone else wants to send me a cookie, they can ask me and I'll decide on each individual case. At least I have the choice.

Sad to see, really...

[abram_fettig]

This kind of blatant FUD seems like sour grapes to me:

"Maybe my company hasn't proven itself to be a major force in the internet, but that's only because we didnt want to be anyway! The internet runs on BAD TECHNOLOGY! Sure, e-commerce has exploded in the past two years, but everyone buying things on line is a FOOL! How childish of all of you for thinking that you could implement key internet standards without Novell! All you web developers should have been patient enough to wait for us!"

"That's OK though, we forgive you. And what's more, we have lovingly designed a system that will eliminate those pesky security headaches forever. Just sign up for our new INSTA-SECURE service and we'll take care of all your problems! For just a small monthly fee, we'll store all your customer's secure data on OUR server! To sign up, visit our secure site NOW! Just make sure that you enable cookies first..."

Perhaps you think I'm kidding with that last "enable cookies" comment. But I'm not! The following was cut-and-pasted from the shop.novell.com website just moments ago:

Warning
It has been determined that you have disabled cookies in your browser. ShopNovell requires cookies be enabled before you continue. For more information on this subject, please see Store Policies at shop.novell.com/shopnovell/help.html

Re:How Very Unfortunate

[gorilla]

Besides this, most any company that I would do online business with has the integrity & knowledge to NOT store credit card information in my cookie. Very few do so.

I agree, I've never seen any cookies storing cc numbers. I've seen userids, email addresses, zip codes, all sorts of stuff, but never cc numbers.

If any website is storying cc numbers, or anything else which is sensitive, we should publicly scold them until they do. Anyone got URL's to check out?

An alternate method of session tracking

[umoto]

When I started writing my own HTTP server I decided to try a new way of keeping sessions without using cookies. URL's looked like this:

http://www.wherever.com/ss.asdf98cs/some/path/fi le.html

I tested it for months. Pros:

- No cookies at all.
- Very reliable. Session state is retained without problems.
- Works even in Lynx.

Cons:

- Search engines record the URL with the session ID. Although the session ID is invalid after only a short time, it's quite ugly.
- When people would try to tell each other what URL to visit, they would try to pronounce the session ID.
- Absolute links always cause the browser to ignore the ID. Solution: dynamic HTML or no absolute links.
- The browser reveals the session ID to other sites when the user follows a link there. The ID is even recorded in the referrer log.
- Browser redirects are required. However, cookie solutions often face the same problem.

Eventually, I decided that cookies were a better solution for our purposes and switched over.

One thing that people need to understand, however, is that there are cookies that never make it to the user's hard drive. It puzzles me that browser makers put all cookies in the same category. The Best Way, at this time, to keep session state is to send a cookie to the user's browser that is never stored anywhere but in memory.

Re:someone tell me...

[phil+reed]

www.kburra.com has a Win95/WinNT shareware utility called Cookie Pal which will let you police and control cookies on a site-by-site basis.


...phil

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Hopefully you didn't miss the point, though

[gorilla]

Speaking as someone who doesn't know much about NDS, is there anything that NDS does that LDAP doesn't?

Given the choice between something propriatary & something open, I know which way I'd lean.

Guessing CC numbers is easier than you think...

[john@iastate.edu]

First, you don't have to throw 10^16 numbers at a CC checker to get a valid one. Look at the first 4 digits, use them. Then make up digits for the rest such that all the digits match the checksum. The checksum is supposed to catch typos and transpositions and such, but it is pretty lame...

#include<stdlib.h>

intluhn_ok(
char*inp
){
return((luhn(inp)%10) ==0);
}

intluhn(
char*inp
){
staticint x[2][10]= {0,1,2,3,4,5,6,7,8,9,0,2,4,6,8,1,3,5,7,9};
char* p;
int s =0;
int sum =0;
char c;

if((inp==NULL)|| (*inp=='\0'))return -1;/*biteme, doughboy!*/
for(p=inp;*p !='\0';++p){}
do{
c=*--p;
if((c<'0')|| (c>'9'))continue;
sum+=x[s][c-'0'];
s^=1;
}while(p!=inp);
returnsum;
}

Re:Cookies are not evil but..

[jilles]

you should see a doctor to get treatment for your paranoia.

"I remove all cookies during boot up each time and I NEVER KEEP sensitive personal info on my PC."

If I were you I would unplug the computer, lock the door and be afraid for the rest of my life. Not taking part in society is excellent defense against Big Brother. But seriously, what's the big deal with cookies? Only the site that created them can access them and they might as well store it serverside if there really is something worth storing. Cookies are mostly for your convenience so with deleting them you only give yourself extra trouble.

Moving privacy sensitive data to a central place gives you more privacy because you know who leaked information when something goes wrong. In my view your privacy sensitive data should be legally protected (i.e. you can sue when somebody illegally accessess it).

"Because some of us prefer that BIG BROTHER does not know everything we do and when and at what time...."

I suppose you're not that paranoid that you don't store your money in a bank. I.e. anytime you make a payment with your creditcard (online/offline) that information is registered anyway.

"Any other behavior is just proof of evolution in action...the stupid shall be fleeced :)"

*sarcasm* Ok we an über mensch posting here.*/sarcasm* Just because you learned to operate a computer doesn't make you any smarter. In fact the smart let geeks like you do the monotonous work of operating a computer since they have better things to do.

Re:Trust

[Fastolfe]

even browser type (although Konqueror allows you to change that).

Umm.. heh. Can someone please explain to me what you gain out of changing this information? I can't see any possible gain, but there are tons of drawbacks. Specifically, web pages that dynamically generate content based on the browser string will be generating content that either doesn't work in your browser, or is meant for sub-standard browsers (hence you'll be missing out on features or content that might necessarily be limited to more capable browsers).

So what's the rush to change this text?

one way of dealing with cookies

[alizard]

Replace the COOKIES.DAT file in Netscape or Opera with a COOKIES.DAT directory.

Tell your browser to accept all cookies. Did this several months ago with no problems.

There's probably an equivalent for MSIE, but since I don't use it, I don't know what it is.
y2k info - http://www.ecis.com/~alizard/y2k.html

An important point buried in BS?

[unDees]

The article sure looked like a shameless plug to me. And sure, many people have posted comments to the effect that users have gotta store their preferences somewhere, BUT:

I've seen poor implementation of cookies lead to server B looking at cookies that had been set and should only have been readable from server A. I've gotten spam because of it. Blame the Webmasters? Sure, but I'll stick to blaming the browsers. They ought to have more fine-grained control over cookies. Why, even IE4 (*suppresses gag reflex*), on which I am typing this post, only offers "cookies on" or "cookies off." What about "prohibit cookies from server foo.bar.com" or "foo.bar.com can only read foo.bar.com's cookies?" Then, the users who still wanted loads of customizable preferences could leave everything on and not worry about it, while people like me could turn on just enough cookies to keep our favorite tech support sites from barfing in a cookie-less environment.

Hope some browser writer is listening somewhere (or better, a knowledgeable user of an existing browser I don't know about).

Bye all....
--unDees

Linking Cookies and E-mail

[Rudolf]

I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

The essay on HTML enabled e-mail and cookies is at:
http://www.tiac.net/users/smiths/p rivacy/cookleak.htm

state in a stateless protocol

[sinator]

I just dont get it.
if they want state, why use a stateless protocol like http?

why not iiop (that is stateful, no?)?
Why not a protocol like ftp or ssh (if you're a security nut) which is stateful?

Hack over hack over hack.. the statelessness of HTTP was a performance hack... the cookies are a statefulness hack... junkbuster is a stateless stateful statelessness hack...

Re:state in a stateless protocol

[DragonHawk]

if they want state, why use a stateless protocol like http? why not iiop (that is stateful, no?)?

Of course! Why didn't I think of that? I'll just surf on over to Amazon.com using my IIOP-based web browser and...

Oh.

Re:state in a stateless protocol

[sinator]

That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

This is easy

[Local+Loop]

Just create a session ID and pass it in the the URL. Also, associate an IP address with the session ID.

To avoid problems with bookmarking, expire them after an hour.

I do this on a bunch of different sites, and it works great, with no cookies. -Loopy

Cookie abuse

[Mr.+Slippery]

The thing to remember with cookies is that the information comes from the server.

The thing to remember about cookies is that the server giving you the cookie may come belong to scumbag banner companies like DoubleClick that wants to track your browsing. You movements between sites that serve ads from the same scumbag banner provider can be tracked quite easily.

Cookies are only a problem for the ultra-paranoid.

Bullshit. If you want to know the nefarious possibilities, see this chapter from Philip and Alex's Guide to Web Publishing.. Scroll down to the heading "I want to know the age, sex, and zip code of every person who visited my site so that I can prepare a brochure for advertisers."

If not wanting my browsing habits tracked this way makes me "ultra-paranoid", sign me up.

Re:Cookie abuse

[Mr.+Slippery]

You have to remember that a lot of these web sites out there need to track their users surfing habits. It's called Demographics and Marketing.

They can very easily track my surfing at their site without cookies, and they absolutely don't have to track my surfing habits between sites. If they want demographic information, they can bloody well do it the old-fashioned way by surveying their customers. A damn site better than spying on them, no?

It's not like tracking customers was new with the internet. Radio Shack directly asks you for your information at the checkout counter.

But the guy at Radio Shask is not following me around the mall to see what other stores I visit. And I know when they try to collect my info and can tell them "No." C'mon folks, there's no reason the guy at Rat Shack needs my phone number to sell me a headphone cable, or the lady at Home Depot needs my zip code when I buy some plywood. All they need to know is that the cash in my hand is legal tender. I've never had a problem in declining to answer their questions.

If people are really scared about cookies then simply turn them off and use sites that don't require cookies.

Better yet, use Junkbuster to accept cookies only from sites you choose. And you remove annoying banner ads too - whadda deal.

Sigh

[DragonHawk]

I don't want to give everybody my information... I usually browse the web with cookies turned off...

When are people going to get it through their heads that cookies can only return information the server sends to you? The only way cookies are going to "give" your information to a site is if you already told the site your information in the first place.

Why should I let my free email service know anything about me other than my real name...?

Maybe so they can pay for the free email service? Didn't anyone ever tell you There Ain't No Such Thing As A Free Lunch?

If you win, you lose

[DragonHawk]

The thing to remember about cookies is that the server giving you the cookie may come belong to scumbag banner companies like DoubleClick that wants to track your browsing.

Question: Would you pay to visit all of the websites you visit? And I do mean all of them, from Slashdot to cNet to Yahoo to some two-bit page on GeoCities?

The reason I ask is that banner advertising is what pays for an awful lot of the web today. Unless the page is promoting a company's product (making the whole page one big ad) or supporting a company's product (you already paid for the page), banner advertising is the only alternative to charging for access.

If banner ads go away, then you will lose all of your free web pages. Web content providers will instead start charging for access. That will require you to -- guess what -- identify yourself to facilitate payment. And that identification process will be far more in-depth, involved, and intrusive then any banner ad from Doubleclick.

I am not saying this makes what Doubleclick does right or wrong. I am just wondering if you have considered the consequences of your actions, or if you are simply hoping for a free lunch, like so many people seem to do.

Be careful what you wish for. You might just get it.

Re:If you win, you lose

[Mr.+Slippery]

The reason I ask is that banner advertising is what pays for an awful lot of the web today... banner advertising is the only alternative to charging for access.

I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective. Clickthru rates are dropping, and ad blocking programs are becoming more popular (go Junkbuster!).

Fortunately, there are other possible sources of website revenue - sponsored links, merchandizing (get those /. tee shirts), affiliate programs, and voluntary contributions (works for NPR and PBS stations) come to mind.

If banner ads go away, then you will lose all of your free web pages.

Supported by advertizing != free. Just on the basic level, if Coke runs a banner ad on a site, where do you think the money for their ad budget comes from? It's figured into the cost of every can of carbonated caffeinated sugar you buy from them. Then there's the cost of your time to download the ad. Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell.

That will require you to -- guess what -- identify yourself to facilitate payment.

Nope. Anonymous digital cash is a solved problem.

I want to be anonymous, but I post my email addy

[DragonHawk]

I do not accept cookies. They can be harvested by any number of means... I would be quite willing to enter my passwd each time I make a submission...

Interesting to note that the techniques for skimming cookies off net traffic can also skim that same password and user ID.

What's that, you say? Encrypt the password? Well, sure... but why not just encrypt the cookie instead?

Anyone who says "cookies are not needed" has obviously never done any programming. Without persistent, state information, computer programming is just about useless. Oh, sure, you can do one-way content delivery that way, but I, for one, want the web to be something a bit more interactive then a glorified TV broadcast.

I really get a kick out of the fact that you don't want people tracking you, but you post your email address in a public forum. Yah.

There are issues with cookies that make them less then perfect (to put it mildly), but treating them with extreme paranoia and fear is rather an over-reaction.

Why blame cookies?

[Sneftel]

Okay, so cookies are flawed. They're insecure and undiscriminating. But that isn't really the problem here. Online stores, plain and simple, should NOT store your CC info there. Why would they? The rest of your data (full name, address, etc.) is stored on their servers. All they should need is some randomly generated, IP address-tagged session id or customer id. Nevertheless, I am willing to accept the guy's assertion that there is some website that stored his CC num in a world-readable format.

If I ran a conventional store, and you bought something with a credit card, I could xerox 200 pieces of paper with the number on it and post them on telephone poles. This does NOT mean we need to blame telephone poles! Credit cards, not cookies, are the dangerously flawed technology we need to cope with here. You have a 20- or so digit number, which anyone can use to spend your money any number of times, for anything and for any amount of money, without your approval? Suddenly, cookies sound rather benign in comparison.

You cannot use what you do not have

[DragonHawk]

That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

Because it is there. It exists. It can be used.

CORBA is nice, fun, elegant, cool, whatever, but you cannot use it because it isn't available to the target market.

An inferior solution that works will always win over a superior solution that does not exist.

(It is also worth pointing out that a lot of things are used for purposes they were never intended. Thus do we evolve.)

Anonymous digital cash?

[DragonHawk]

I am replying twice to one message, because two threads have sprung into existence. The other should be very close after this one (I cannot link them both to each other, unfortunately (chicken-and-egg problem)).

Anonymous digital cash is a solved problem.

I'm intrigued. Could you provide some more info on this? In particular, I generally see information technology leading to very easy tracking (to wit, the whole Doubleclick cookie issue). How does anonymous digital cash work?

Re:Anonymous digital cash?

[Mr.+Slippery]

How does anonymous digital cash work?

It's reasonably complicated; consult Applied Cryptography or the Cyphernomicon for details. But the basic mechanism involves blinded digital signatures.

I'll try to give a paper and envelopes version of a simple scheme; replace the envelopes with blinding (a reversable encryption operation on a message that allows a blinded message to be signed without the signer knowing its contents) and physical signatures with digital ones. IANA crytographer, so I invite correction on this.

I want to send you an anonymous money order. I write up 100 of them, each of the form "This is money order [random large id string]; pay to bearer $42." and place each one in an envelope. I go to the bank with all 100. They choose 99 of them to open and see that they're all for $42. So they have a high degree of certainty that the one they didn't pick is also for $42. They sign the envelope with a special ink that stains through onto the money order, and take my $42 (plus a handling fee, no doubt). I take the envelope, open it, and send you the money order. You cash it for $42. The id string uniquely identifies each order and prevents double spending.

More complicated algorithms allow the tracking of counterfiters while leaving legitimate transactions private, but they make my head hurt.

Advertising, "free" content, and more

[DragonHawk]

I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective.

Could be. Alternatively, consider highly targeted banner ads. I deliberately fill out a survey giving the advertiser demographics information, such that they can target their ads to
the sorts of things I am interested in. My interest goes up, clickthroughs increase, sales benefit.

Now, why would I fill out such a survey, you ask? Well, one the purposes of advertising is to inform potential customers of your product or service, whereas they may have been in the dark before. That is a useful thing, to me. If I am going to be bombarded with ads, at least they could be relevant ads.

I have to wonder just how "ineffective" banner ads really are. I see 'em. I read some of them. I even click interesting ones from time to time. Sometimes I learn something, sometimes I close the window in disgust, occasional I bookmark a site for future investigation. This works better, for me, then ads on the side of a bus, where I cannot easily remember the company or investigate their product.

there are other possible sources of website revenue

Okay...

sponsored links

Sponsorship is just another way of saying "advertising", is it not? Sponsors will likely want an attractive, thing to get my attention, no? How is that different from a banner ad?

merchandizing (get those /. tee shirts)

I somehow doubt Slashdot could be funded on the income from T-shirt sales. :-)

affiliate programs

You mean like, "Link to our online store, and you get a kickback"? Frankly, I find those sorts of agreements more insidious then advertising. With ads, you see a product of possible interest and get the chance to evaluate it. The content provider gets their money regardless. With affiliate programs, I am locked into a choice. What if the affiliate provides lousy service? Do I use them anyway, and support my preferred content-provider? Or do I leave the C.P. out in the cold and use my preferred online store (or whatever)?

voluntary contributions (works for NPR and PBS stations)

Riiiight. Voluntary contributions are never enough. You think NPR and NPTV aren't funded through your tax dollars? There are too many things of possible interest to possibly get supported through donations. No, I don't buy it. Sorry. I want more then two channels worth of National Public Internet.

Supported by advertizing != free

Good point. Touche. However, supported by advertising is also not the same as paying cash.

Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell.

Oh, please. I'm not going to crawl into a hole and isolate myself from the rest of the world just because I might fall in with a trend. :-)

Anonymous digital cash is a solved problem.

Very interesting. See my post at #215 for a seperate thread on this.