Novell CEO Attacked by Cookie Monster

CitizenC sent us a funny as hell article where Novell CEO Eric Schmidt talks about having his credit card stolen. The funny part is that he blames cookies. Cookies are certainly flawed, but he goes as far as to call them one of the biggest disasters in computers and tell us that they are stored in the wrong place (what, we're gonna keep them on floppy disks?). Finally he (surprise!) plugs Novell's own digital authentication mechanism (aha! The truth comes out). Hit the link to read a little more ranting by me on the subject.

It is a given that cookies are flawed:

• Most systems store them in a readable format on your harddrive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems then just your cookies file.
• They are sent in plaintext over the internet. But thats why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
• Cookies used to be pretty well forced on netscape users, but now most browsers give you an option. And there's always junkbusters for the more paranoid.

It is given that I need state over httpd. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.

• Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
• Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hardrive. Unless you bookmark it. Ooops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
• Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.

I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.

It's like telling people that the water that comes through your pipes has floride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?

Security and Privacy

[Belgand]

One of the greatest problems in this whole arena is that anytime someone stores any bit of information for whatever reason people will get unnecessarily angry. It's a fact of life, albiet a sad one, that many people have become so astoundingly paranoid. If we had slightly more trust then maybe things could start to work, but not until then.

Re:Security and Privacy

[Fastolfe]

There is really no legitimate reason to have cookies in the first place

Are you just totally ignoring what everyone's been saying? Cookies are quite necessary to preserve state information between web site requests and visits.

I personally love the fact that I can re-visit outpost.com and not have to enter my address in every time I want to order something. I like being able to pick out a book or two from Amazon, set them aside, and come back in a week to complete the order. It's all about convenience, and I'm sorry, but outpost.com doesn't spam me, so I don't really see where you get off labelling all cookie users as evil conspirators that want to spam you.

There are quite legitimate uses, and the only real way I can see them being abused has been discussed on Slashdot ad nauseum in that they could possibly be exploited to track your movements between cooperating sites. The only marketing-related way they're being used today is to try and "target" those banner ads that you see to your tastes. The banner ads are still there, mind you, but now they're advertising stuff you're interested in.

Read the "Talkbalk"

[legoboy]

I saw this a few hours ago. I was thinking, "Good god, not the cookies are evil thing again." But no, it turns out that the article is nothing but a shameless plug for a product that this fellow is trying to shill.

The most telling part of the whole tale though, is the ZDNet TalkBalk. When "Larry, Internet Web Designer" can identify it as a joke, you know that even the lowest common denominator can see right through this guy.

I can't help but wonder why even ZDNet would lower their quality control to this level.

------

CC# stolen, or guessed?

[Masem]

There's not enough details in this article to say whether the CC# was stolen, or was guessed at by a random # generator. I know that about a year ago, I was victim to the random # generator fraud that charged $19.95 to my card, enough to rake in money, but not enough to tip ppl off that aren't careful with their statements. Fortunatley, I caught it, called my CC bank, and got the money removed.

The thing with the latter is due to the fact that most CC # checkers check the numbers, and not the expiration date. Thus, pass 10^16 numbers to one of the sites, and you're bound to get some cash. Once they have a number that works, then they're set.

Therefore, he might have been hit with this instead of true CC# stealing (It's really hard to get at cookies although there are some bugs, but require a lot of assumptions on the end user's actions). This only suggests to me that we need to make sure that CC# verification systems are more secure, and ask for the experiation date in addition to all other info. Or even better, add a PGP-like key to CC# info to make it more secure.

I dont trust my computer, but I trust Novell !

[Manifest]

I am paranoid. I dont trust any one. Cookies are bad. Javascripts are yuckkkk .. But I TRUST Novell. They are so carefull people. see they learn from their.. opps their CEO's experience.

I hope they implement "digitalme" soon. My cash is running out. I need a database of credit card numbers.

Manifest

Credit Cards Online

[rodbegbie]

Let's get this straight once and for all.

It is NOT easy to grab a credit card number on-line. Sniffing packets, intercepting e-mails, grabbing cookies, etc. is bloody hard work. Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.

I am willing to bet $50 that Mr. Schmidt has at some point in the last 6 months handed over his credit card in a restaurant. Doing that is opening up his card number to a wider audience than using it on Amazon.com ever could.

However, it is helluva easy to use a credit card number online, once you have it. Go on, fill in a few forms, and it doesn't matter if you're a 13-year-old boy in Arseville, Tenessee -- you can use that card number from the 70-year-old woman in Alaska who wouldn't know a modem if it bit her on the arse.

Last week, I found a $60 Amazon.com charge on my card which wasn't mine. I don't blame the internet. I don't blame Amazon. I don't blame cookies, SSL, e-mail, or Elvis.

I don't even care that much. So what? I shout a bit, get my $60 back, and carry on like nothing ever happened. No big deal.

This kind of thing has been happening for years on the phone. This is nothing new, except for the sheer volume of fake transactions. But until the card companies make it easier to verify transactions on the fly (see Philip Greenspun's excellent book for a description of how pathetic the whole thing is), it's not going to get better any faster.

Just don't forget to burn your carbons.

rOD.

--

Big problem with cookies

[twit]

The big problem with cookies, I think, is that they're misused. You should maintain state, not useful information, using cookies. They're perfect for stuff like a session ID, a user ID, that kind of thing, which does not need to be kept secure.

Credit card numbers should either be kept in a back-end database, or (preferably) not at all. I'd prefer it happen the latter way. I like net commerce as a bright idea (both generic and in the IBM-branded net.commerce) and have even worked on some commercial sites, but that's part of the problem: you don't want schmoes like me safeguarding your credit card :).

If Novell's CEO is having problems with credit cards kept in cookies, it isn't the fault of the medium but the way it's being used. If anything, we should adopt best practise standards which keep credit card numbers secure and press business software vendors, like IBM or MS, to do the same.

Of course, I suspect that it wasn't the fault of cookies at all; it was a cracked machine or even a shopclerk who swiped his card twice. But that's just my nasty, nasty suspicion.

--

A prediction (?) about smart cards

[dmorin]

A few years ago I did a commercial system for using digital certificates to identify yourself to a web site. It was generally liked as being nice and secure, but hated as being too hard for the consumer to understand. That was before smart cards.

Imagine that, as a web surfer, you have a smart card that identifies you as a web surfer. Personally I am a believer that you should have to identify yourself as adult/child in order to cruise some areas of the web, but that's my personal opinion. But that's not for this thread to discuss. Add to the smart card some sort of bio sensitive way to identify yourself, maybe a thumb, maybe an iris scan. The key being that everything you need (short of the reader hardware) is stored on the card. You can take it with you to any browser (unlike cookies).

Your smart card not only identifies you, it has a profile on you. It can keep your web site preferences, but it can also keep your buying habits, etc. And your age, marital status, and so on. It's here that people scream bloody murder about privacy on the net. But here's my hopeful suggestion : that your profile will come with trust zones. If you're doing anonymous surfing, maybe all the site gets is your age -- or maybe nothing at all. For sites you want to register with long enough to read a story (like NYTimes), you let them have your name but not your profile. And so on. For trusted sites like slashdot you set up preferences. For sites where you are actually a customer of some sort, you let them have your profile (linking in yesterday's discussion about IBM's miniature vegetable commercials).

Wouldn't this be nice? My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses? Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want? Wouldn't it be nice to have a mini-profile that you could use to bootstrap your registration to new sites?

My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains. A web site couldn't just tell the card "Give me the whole profile". It would have to say "Please validate me as being a trusted site and give me whatever information I am entitled to." And then, in something of an ironic twist, *it* has to identify itself to *you*, and you get to decide what to do next.

Will this happen anytime soon? I wish. I think the reason that digital certificate authentication didn't catch on is that it was too confusing to get the certificates into the browsers, people didn't want to give up their passwords, and the certificates weren't portable. In a world where you have a smart card reader built into your keyboard, these problems seem like they might go away. Nobody thinks twice about having to flash a passport when flying internationally, and they usually only grumble a little bit about being carded at the local bar. Is it really that much of a stretch to think that there'll come a day when you take your webId card out, stick it in the slot, and then periodically answer a question about how much information you want to provide to the web site you just visitd? I don't think it's really all that bad.

I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?

d

You mean, like Slashdot?

I am not an Anonymous Coward.

I am Bob Washburne rcwash@concentric.net

I am a registered slashdot reader. But Slashdot refuses to accept my password even though I am looking at it on the screen.

I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.

Cookies are not necessary. I fill in my Nickname and Passwd on the first screen and it is brought along through the Preview and subsequent screens. This is done without a cookie, so why any cookie at all?

I would be quite willing to enter my passwd each time I make a submission rather than leaving personal information lying around for a rogue marketing-bot to harvest.

That is the whole purpose of a password; to authenticate the action. Storing a password defeats the entire purpose. So why have a password at all if anyone can just walk up to your box and post without it?

I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.

Cookie handling in IBrowse 2

[Stephen+Williams]

One of the Web browsers I use is IBrowse 2 on an Amiga. (I'm aware that I'm encouraging flames by even mentioning the Amiga here, but I'm going to take the chance :-)

IBrowse 2's cookie handling is very good. If you elect to be asked before accepting a cookie, the request that gets popped up give you a number of choices - accept cookie, accept cookie but don't save it, accept all cookies from this server for the rest of the session, reject cookie, reject all cookies from this server for the rest of the session. It's cool because when doubleclick.net (or whoever) sends me a cookie, I can hit "reject all". If Slashdot sends me one, I can safely hit "accept all".

Additionally, IBrowse 2 has a "URL prefs" feature, allowing one to set per-URL preferences, including cookie handling prefs. I can therefore set the brower up to automatically reject all doubleclick.net's cookies without asking, for example (this is a fake example, as I never get anything from doubleclick.net; it's aliased to 127.0.0.1 in my hosts file ;-)

I use Netscape 4.5 at work, and its cookie handling is primitive in comparison. Since IBrowse and Netscape are the only two browsers I use with any frequencey, I don't know how IBrowse's cookie handling features compare with (for example) MSIE's.

-Stephen

Re: are there sites that send cookies with c.c #'s

[CodeShark]

If there are, they'll be dead meat following the first lawsuit which tags them. Even in the initial Netscape spec, they specifically caution against using cookies to do anything much more than identifying a computer to a server, the same way /. knows "who I am" by reading an ID off of the hard drive where I am viewing the pages.

In relation to using personal information on the net (including my e-mail address, you may notice that I did not "anti-spam" my e-mail address here on /. However, I only use that e-mail address in conjunction with a few sites, limiting the number of points from which my personal information can be derived to those sites with privacy policies that are up to spec, saving my regular e-mail address only being given to a much more private and personalized list of people that I am willing to receive information from. That way if there is a security problem, I know where it originated by my email address. Similarly, when I write software that uses cookies, I don't put any personal information in it. All of that type of information can and should only be kept in a back end database, well shielded from crackers, etc. For example, on one e-commerce site I designed, the cookie "knew" who you were, but in order to place a credit card order, you had to validate certain information within an encrypted page, even though the user had already "registered" their information (including the c.c. #) into the database via the web. We also included a fraud detection program designed to stop the c.c. # generators from ever being able to spoof an order. And folks, it just wasn't that hard to do!!

I agree with previous posters. The Novell CEO was trying to sell proprietary software, and claiming to have been attacked by the "poison cookie" monster in order to do so.

Eric Schmidt: BceOFH?

[Effugas]

A user rings

"Do you know why the system is slow?" they ask

"It's probably something to do with..." I look up today's excuse ".. clock speed"

I'm feeling very uncomfortable here. I mean...I've grown up worshipping the BOFH...and now...what doth my eyes detect, but...

A Bastard Chief Executive Operator From Hell?

You know, some strange part of me wants to see this as a complement.

The odds that Mr. Schmidt purchased something from such a fly by night operation that the credit card number was embedded in the cookie so low, that it stretches the imagination beyond repair to consider the idea that that same operation would ever have the technical desire or even knowledge to use Novell's new DigitalMe software!

Of course, he could have just been tricked by a *real* BOFH... "GEEK! HOW DID MY CREDIT CARD NUMBER GET TAKEN!" "Mmmm. Cookie." "I knew those things were trouble!" "Mmm. Oreo. Chips Ahoy. Yum."

Seriously, there's a gigantic amount of irony embedded in Novell proposing that their DigitalMe system would improve consumer privacy. Consider: Most sites that require state don't require your identity, pretty much because it takes time to get somebody to reveal who they are, and attention spans are small. Look how much traffic The New York Times loses from people too lazy to even lie on a form--MTV may have done more for consumer privacy than any other company in history.

Novell's DigitalMe changes that. Assuming the infrastructure is such that any site that wants to do trustable-state transactions(which is really what Schmidt and Novell is trying to sell) actually has enough DigitalMe access to not have to worry about Yet Another Single Point of Failure, DigitalMe lets the user disclose every piece of information the user could possibly expose in the click of a "OK, tell 'em whatever they want to know."

Heh, Novell--Suddenly everyone's finding out a hell of alot more about you!

And the worst part? Unlike that paltry $50 liability had, you'll never know what people are doing with your personal information. I find it interesting that in a place that espouses freedom and individuality so much, people don't own their identities.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Banner ad that set cookie

[Dicky]

This, unfortunately, is one of the larger and more worrying misuses of cookies. There are actually a relatively small number of companies online who 'do' banner ads. The large sites (C|net, /., Yahoo, etc.) do their own banners, and smaller sites usually don't have banners, but most medium-sized sites use one of the small number of banner ad agencies.

The problem is that the agency can track you across multiple sites. If you visit www.site1.com, you can only get a cookie which will be sent back to that server, right? WRONG. While you were at www.site1.com, you viewed a banner from ad.doubleclick.net (for example). The problem is that when you visit www.site2.com, which should not be able to 'see' the cookie from www.site1.com, you took another banner from ad.doubleclick.net. This means that Doubleclick can track you between sites, which is a bad thing. I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

I have no problem at all with certain sites using cookies. I am currently (since earlier on this week) using Junkbuster, and I have it set to allow cookies from Slashdot, LinuxToday, Amazon, and a couple of stock sites. If anyone else wants to send me a cookie, they can ask me and I'll decide on each individual case. At least I have the choice.

Sad to see, really...

[abram_fettig]

This kind of blatant FUD seems like sour grapes to me:

"Maybe my company hasn't proven itself to be a major force in the internet, but that's only because we didnt want to be anyway! The internet runs on BAD TECHNOLOGY! Sure, e-commerce has exploded in the past two years, but everyone buying things on line is a FOOL! How childish of all of you for thinking that you could implement key internet standards without Novell! All you web developers should have been patient enough to wait for us!"

"That's OK though, we forgive you. And what's more, we have lovingly designed a system that will eliminate those pesky security headaches forever. Just sign up for our new INSTA-SECURE service and we'll take care of all your problems! For just a small monthly fee, we'll store all your customer's secure data on OUR server! To sign up, visit our secure site NOW! Just make sure that you enable cookies first..."

Perhaps you think I'm kidding with that last "enable cookies" comment. But I'm not! The following was cut-and-pasted from the shop.novell.com website just moments ago:

Warning
It has been determined that you have disabled cookies in your browser. ShopNovell requires cookies be enabled before you continue. For more information on this subject, please see Store Policies at shop.novell.com/shopnovell/help.html

Re:Oh, not again...

[gorilla]

I personally prefer having my cookies unencrypted. I go in every so often and clean out the ones I don't want. If they were encrypted, then I couldn't do this.