Cookies are Security Hole in HTML Email
Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak.
By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.
how many more reasons do you need?
Need a Catering Connection
Yes. I was also surprised when I realized that Java and JavaScript are automatically set to be useable in email as the default under Netscape mail... I turned that off promptly. Java execution in Netscape 4.7 seems to core an awful lot... which is really annoying.
In any case, I run everything through my junkbuster proxy, which makes me feel happy and secure... I recommend junkbuster to anyone and everyone who values their privacy and hates banner advertisements... especially the ones on slashdot. ;)
You'll eat it and you'll like it.
I have my cookies ln -s'd to /dev/null. But why are the colors all slime looking?
From what I understand from the context of this bug, you can have a cookie be sent as a result of reading an HTML-encoded e-mail, right? Well, there's one problem I have with this. The only way for the cookie to be sent to a banner-ad company - who supposedly has a cookie on your computer - would be for them to spam you, and we all know how bad spamming is. Sure, an ad company could start to throw something like this together, but it would only be a matter of time before the FTC got wind of it and started shutting people down.
If the e-mail was sent as a response to registering for software, or perhaps subscribing to some advertising-paid mailing list, then I suppose that would be legal. Even then, though, what good would linking the cookie to their e-mail address do but to promote more spam?
There's no way anyone could economically prosper off of this bug, and if they do, it's illegal because of the spam factor, and won't appeal to reputable companies, who the advertising companies are targeting for money. Microsoft and Netscape should probably get this hole looked at, though, just in case something destructive could come from it.
It isn't too surprising that something like this happened.
Browsers do warn you about sending information. Should they also warn about opening Emails? Perhaps a browser should check the email for cookies before opening. If it finds one, then it could warn you that this could be a security risk.
Let's hope to god that those banner companies don't get in on this. They probably will, unless the Better Business Bureau or the Department of Commerce does something (if they even can). We can always hope. (or start writing to them)
-Chompster
Unexpected Kernel Trap at 101010
Don't Panic!
This isn't a redundant post; I just set my threshold to 6.
This has prompted me to switch my Outlook98 settings to put Email in the 'Restricted Sites' Zone. I would suggest anyone else using Outlook/Outlook Express do the same. You can still enjoy the safe features of HTML Email (however pointless they may be) and be protected from most of the recent Outlook Exploits at the same time.
;-) I don't see a need for HTML Email, but I assume the 36 million people (99.9% lamers, unless they read /. of course) demand backgrounds and the ability to send emails to their friends with big, underlined annoying text. That's my opinion on the matter anywhoo.
I have been using plain text email for years and I see no reason to switch to HTML Email. I have outlook to send HTML Mail automatically, unless I'm replying to someone who sent mail to me in plain text. This way, basically all I'm using HTML Email for is to tell how sophisticated the software of the recipient/sender is.
Honestly. They could have been collecting marketing information for a long time before this was discovered.
Anybody here work for one of the ad companies and know if the banners collect cookies?
-*-*-*- I'm a little segfault short and stout
this is my handle, this is my spout!
I'm a little segfault, short and stout.
I have yet to find any problems with reading mail in pine or mail (mailx to some people). My favourite way is actually 'cat /var/spool/mail/`whoami` | less' - unless you have c^Hch^H^ha^H^ar^Hr you can't even make something bold there, let alone leave cookies :)
:)
0 m^[[40m^^[[12;2]^[[2J^[[1;1H^[[30m^[[40m ^[[12;3]^[[2J^[[1;1H^[[30m^[[40m^[[12;4]^[[2J^[[1; 1H^[[30m^[[40m^[[12;5]^[[2J^[[1;1H^[[30m ^[[40m^[[12;6]^[[2J^[[1;1H^[[30m^[[40m[[31m^[[5m^[ [20;20HMAILX IS NO SAFER THEN NETSCAPE MAIL!!^[[K^G" in a message and open it with mailx or cat, (on a linux console). (Replace ^[ with \x1B or \33 or however else you want to put ESCape there, and ^G with control-G. All other ^ are the property of their respective control characters. :))
Anyhow, the point is that reading mail with special effects is proving to be more costly than it's worth to those of us who value our privacy, and the general security of our email.
Though - ANSI bombs are possible in mailx
include "^[[10;1999]^[[11;1999]^G^[[12;1]^[[2J^[[1;1H^[[3
Don't^H^H^H^H try this at home!
OFTC: By the community, for the community
Is it possible that cookie info is stored in multiple places on modern browsers? It seems as though netscape is making backups. Anybody got a decent URL for cleaning out the cookie jar?
Why even let your web browser know what your email address is? It's not necessary ... most people don't even use their web browsers to send mail anyways (unless ie and outlook are so joined together ... possibly)
Erik
I think if the banner ad folks want to stay in business, they stay away from cookies. Otherwise it's a quick one way trip to bankruptcy.
---
Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
First of all, note that there is nothing "groundbreaking" in this discovery. All this happens only if you are unlucky enough to have your email address in the hands of spammers, which is already as bad as it gets.
What can you do to prevent such abuse? Several things: Turn off HTML enabling for your email clients (you may or may not have a choice depending on the client). Restrict (or disallow) cookies in your web browser. Use something like Junk Buster.
Sreeram.
Connection: Keep-Alive
User-Agent: Mozilla/4.7 [en] (Win98; I)
Host: www.mybannerads.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Cookie: id=c643640a
Both the Email address and cookie value are included in the Outlook and Messenger GET requests. When the GET request is processed by the MyBannerAds server, it first extracts the customer id number from the cookie and looks it up in its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.
So where does MyBannerAds get the Email addresses in the first place to send out a message which includes the SYNC.GIF file? The answer is quite simple, they "rent" the Email addresses. Or more specifically, they rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages. /privacy/wbfaq.htm
Another interesting discussion about HTML Email and cookies can be found @: http://www.tiac.net/users/smiths
Netscape doesn't know my email address. java and javascript are disabled. And whenever anything blinks at me, I check the url and feed something to junkbuster to prevent it from happening again (sorry, hemos--yours blink, too :)
I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.
In this case, browsers simply need to be set up to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementations of cookies, this is a problem with the implementation of HTML e-mail and the web browser.
And the idea of loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.
If you read the article, you'll find that you're still at risk with Outlook in 'Restricted Sites' Zone.
You mean, people use non-dedicated email programs for reading mail? Bleech. Why would I give up my pine/eudora/balsa/whatever single-purpose mail client and have to deal with all the nasty side effects? Not to mention losing all the cool mail-specific features that are optimized for the mail client, instead of just sort of being "thrown in" to match the functionality?
-Chris
Okay. So what we need is a proxy that ties in with the email software.
So.. when someone spams you.. fine.. they spammed you. Your email software simply finds out the valid URLs for the cookie, and blocks them. Who wants to give business to spammers anyway?
Also.. on another note, this makes it hard for the spammer to hide, like they do these days.. using temporary accounts, etc....
They would be eaten alive and sued like mad.
The point is, when they spam you, they add your email address in the message on their end. Sending an email to journey@jps.net? Your image callout would be "foo.gif?journey@jps.net". It won't matter if your browser thinks you're president@whitehouse.gov.
Added fun: if you receive mail at multiple addresses, they can relate all those email addresses to the same cookie set. Including emails you might receive through anonymizing systems, e.g. they'd know that "862139@anon.penet.fi"[1] was the same user as "journey@jps.net".
-Peter
[1] RIP
Old trick on how to automatically reject any cookies and avoid being bugged by pages requesting to put cookies:
1. cd ~/.netscape
2. rm cookies
3. touch cookies
4. chmod a-w cookies
If I had mod points today, I'd toss you some.
Very good point.
It's not the HTML that's the problem, it's the access to HTTP that is.
Educating users on how to secure their mail and how to use a virus scanner is a no go area when it comes to stuff like this (thus speaks a Bob of 2 years experience before anyone asks...). I mean we can *suggest* it to them but "that's your job, isn't it??". End rant.. :-)
Securing a server against HTML mail would spark outrage and nice letters from lawyers of course but on my own server.... worth looking into methinks (more a case of hatred towards HTML mail than paranoia). An "Ask Slashdot" in the making? Perhaps.
Suggestion to the people who develop e-mail clients (hello Washington University in my case) - can we have some sort of filter that just says "it's HTML mail, good bye *zap!*"
Enough rambling from me... 3 posts today, I'm beginning to feel like a bus company...
*bounces off merrily*
The article discussed using an HTTP request for a gif to send your email address to the web server. Then the server would set a cookie on your system. With Outlook in the "Restricted" zone, cookies are disabled (unless you messed with the settings) and thus, a cookie would not be set (unless there's another bug somewhere I don't know about). When you later visit the site that spammed you, there is no cookie because outlook didn't save it.
I send all my spam to spamrecycle@chooseyourmail.com; which is inherently a huge mistake, but I hope they're doing something constructive with the info...
No, there is a reason I use cat file | less rather than less file; here goes...
When you use less /var/spool/mail/`whoami`, then it shows up in user userlisting 'w' what you are doing. If you use cat | less, you go to end of the file then go back it shows up as - ?, which affords more privacy.
OFTC: By the community, for the community
I'm not sure how this really qualifies as a security risk. After reading the /. summary I figured out exactly what was done. I thought this kind of thing was commonplace... Anyways, the point is not to let some fsckin spammer get your email address!!! Besides, can you imagine what a pain in the rear it would be if we restricted what could be passed over the http protocol and receive a cookie with... What would stop somebody from doing the same thing with frames tied to a cgi script? Come on. I'm sure some email clients will even accept frames... One last thing, instead of everybody in the world not allowing cookies to be set, why don't you just delete cookies upon login or reboot or something. The only way info about you is really gunna matter is if a lot of it is gathered, enough to link some guy clicking on stuff with what goes on in your head. But if you just delete your cookies daily, no bastards can track you around the net and you will still be able to use sites that maintain state with cookies. Better yet, just write a little script that edits your cookies file and removes all of the sites that you haven't approved every time you login...
I remember about a week after reading the "cookies are bad" article here at Slashdot having an ad on the front page prompt me for a cookie. And I thought to myself, "Why the hell did Our Eternal Sysops decide to let this ad be served?"
No matter.
peace
Philip Greenspun, da man of open-source cool-ass online communities says, in an absolutely brilliant chapter on user tracking:
-Stephen van Egmond svanegmond@home.com
I'm just wondering, since some newsreaders also seem to be able to understand HTML - would this then be a problem in usenet newsgroups too?
Obviously they wouldn't be able to get your email address, but take the situation where while surfing you're given a non-unique cookie which contains a unique number inside it (possibly from a banner ad on the page). In the usenet groups is a message which contains the hidden gif that requests the contents of this cookie. Your unique number goes back to the company, the company matches that up with their database, and voila, instant profile of not only your web-browsing habits, your e-mail address, but your newsgroup access as well.
Kwil
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
Anyone out there have a script to use as a mail pre-processor? I'd like to remove all cookies and references to HTML tags even before the message hits the mailbox.
On a side note, I've had great luck using grep to filter out cookies after Netscape exits. (Needed for people that refuse to use a proxy like Junkbuster.)
Here's my (quick and dirty) cookie filter;
mv cookies cookies.old
cat cookies.old | grep -v doubleclick.com > cookies
It's easy to add on new sites, but I'm looking into using the Junkbuster lists to perform the same tasks.
The same basic script could be used to strip out all lines with HTML pointing to a banner ad - even if no other HTML is removed.
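An allowlist version of the cookie-file filter above, written in Python as an added example (it is not code from the original comment): it parses the Netscape cookies file, one cookie per line with seven tab-separated fields, and keeps only approved sites, matching on domain labels rather than substrings. The sample cookie lines, the *.example.test domains and the function names are constructed for illustration.

```python
"""Allowlist filter for a Netscape-format cookies file (7 tab-separated fields per line)."""
import os
import shutil
import tempfile

FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")

# Constructed sample data; none of these cookies come from the thread.
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    "# constructed sample data\n"
    "\n"
    ".news.example.test\tTRUE\t/\tFALSE\t946684799\tuser\t1234\n"
    "www.news.example.test\tFALSE\t/\tFALSE\t946684799\tsession\tabcd\n"
    "fakenews.example.test\tFALSE\t/\tFALSE\t946684799\tid\tc0ffee\n"
    ".ads.example.test\tTRUE\t/\tFALSE\t946684799\tid\tdeadbeef\n"
    "broken line without tabs\n"
)


def domain_approved(cookie_domain, approved):
    """True if the cookie's domain is an approved site or a subdomain of one."""
    host = cookie_domain.lstrip(".").lower()
    # Compare whole labels: "fakenews.example.test" must not match "news.example.test".
    return any(host == site or host.endswith("." + site) for site in approved)


def filter_cookies(text, approved):
    """Return (kept_text, dropped); dropped lists the (domain, name) pairs removed."""
    approved = {site.lstrip(".").lower() for site in approved}
    kept, dropped = [], []
    for line in text.splitlines():
        # Newer cookie files mark HttpOnly cookies with a "#HttpOnly_" prefix.
        body = line[len("#HttpOnly_"):] if line.startswith("#HttpOnly_") else line
        if not body.strip() or body.startswith("#"):
            kept.append(line)  # header comments and blank lines pass through
            continue
        fields = body.split("\t")
        if len(fields) != len(FIELDS):
            dropped.append(("<malformed>", line[:40]))  # fail closed on unparseable lines
            continue
        cookie = dict(zip(FIELDS, fields))
        if domain_approved(cookie["domain"], approved):
            kept.append(line)
        else:
            dropped.append((cookie["domain"], cookie["name"]))
    return "\n".join(kept) + "\n", dropped


def rewrite_cookie_file(path, approved):
    """Filter the file in place, leaving a .old backup like the mv/grep filter does.

    Run it after the browser has exited, since the browser rewrites the file on exit.
    """
    with open(path, encoding="latin-1") as fh:
        kept_text, dropped = filter_cookies(fh.read(), approved)
    shutil.copy2(path, path + ".old")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="latin-1") as fh:
        fh.write(kept_text)
    os.replace(tmp, path)  # atomic swap: no reader ever sees a half-written file
    return dropped


if __name__ == "__main__":
    _, removed = filter_cookies(SAMPLE_COOKIES, {"news.example.test"})
    for domain, name in removed:
        print("dropped", domain, name)
```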
Don't read HTML email. What's the point anyway?
Who needs bold when you have CAPS?
Who needs italics when you have /slashes/ and *asterisks*?
Who needs underline when you have _underscore_?
:)
Personally, if I get HTML formatted email from someone I don't know I trash it immediately. If someone is dumb enough to use that garbage for email then I won't read it.
My email client of choice is Mailsmith (sorry, Mac only). It is the most comprehensive client I have found... and it doesn't have any bloat on it like HTML email (THANK GOODNESS). It also lets you do queries (grep if you want to) of your email database. Also has other cool things like text manipulation, assignable key commands, and full AppleScript integration that other mail clients don't have. All this, and Bare Bones Software has the best customer support in the world.
Beats the hell out of Microsoft Outlook Express that most of my friends use. Blech!
Too bad Apple killed Claris Emailer, it was kinda cool too.
Pine is still my favorite command-line email program. No need to worry about HTML email with that one either
Ben
... is that email was designed with plaintext in view. If you want HTML, please go to a Website. Email has never been designed to be some lame, contorted "sub-Website" that runs on HTML!!!! The problem is that people have this bells-and-whistles mentality: "Oh, it will be so cool if my email has HTML formatting! Oh, it will be so cool if my email can contain inline images! Oh it will be so cool if my email can contain JavaScript animations! Oh it will be so cool if my email can run cool programs on my computer automagically! Oh it will be so NOT cool when my email can format my hard drive!"
Email with HTML is just disgusting. Especially the way it's currently done by the lame mailers that allow it: a plaintext version in the body of the email, plus an *attachment* with the HTML-ized version of the plaintext. Or worse with this annoying featurism trend, you have MS-TNEF attachments containing who knows what. I mean, WTF?!?! Talk about bloat. No wonder network bandwidth is always so congested. What's the f***ing problem with plaintext email anyways?!
Those people who really want this kind of sick featurism should seriously consider designing a NEW protocol, NOT EMAIL, that transports this kind of crap. And I think I know what that is, too. Automatically send a ZIP file containing HTML, GIFs, JavaScript, the whole ball of crap, and the User Agent on the other end automatically decompress the ZIP, run the browser to view it.
Alright, enough of this rant. But I just can't emphasize enough that featurism always leads to crappy implementations which in turn introduce all kinds of problems, like security holes, because the original protocol was never designed to support these kinds of "features".
mikre he sophia he tou Mikrosophou.
If you're implying that cookies are bad, I don't
see anything to back it up, unless your definition of "bad" is that some advertisers know what pages
you like to read. They don't know anything else
about you, except what you GIVE them. That's what
cookies do... they store information that you have
already given the server.
-thomas
well then, I'll just have to take that award back!
Looks like elm is still safe, for the foreseeable future. :P
---
pb Reply or e-mail rather than vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
But, if this worked, I could allow cookies to be initially accepted, which is far more convenient than clicking on half a dozen yes/no boxes every time I want to log in to a web site. Since I'd be able to see when cookies appear and where they originate from, I could also catch the troublemakers as they appear and just delete them on the spot.
Would it be possible to write a program to do this (Windoze or Linux)? I know that the cookie file, despite the warning that it shouldn't be edited, is a pretty simple text file with one line per cookie, and it's not too hard to sift out some obvious offenders after you're done browsing. I don't suppose it's that easy to modify cookies while you're actually browsing stuff though. Having notice of this info while browsing would be far more convenient though, and would save you the trouble of figuring out where a cookie came from that just has an IP address for its origin. (Not that that's terribly difficult, but it's just a bit more of a bother.) If a web browser could be made with this feature built-in, it shouldn't be a problem at all to code and I would be eternally grateful (hint hint Mozilla!).
You know what to do with the HELLO. ...
Help create an open-source world
If you still want HTML formatted emails and you want to avoid this problem, you can turn off images and those GET requests containing your email address will not be made.
I also edit my cookies file every so often, and delete all those nasty banner cookies.
I happen to work for one of the more ethical of banner ad networks (not that that says much about the people who run it, but...), and not all of them gather such information in this way. We actually began using a third party whom _we_PAID_ for to offer _for_free_ to the sites we worked with the option of adding a demographics poll on their site, just so we could use _that_ information and not get all evil and snoop on people. We do use cookies, but they are used for the sole purpose of keeping one person from seeing the same banner on one site over and over again. And we NEVER sell information about viewers. IF the company that I worked for did, I'd quit.
I should point out, that if anyone reading this honestly thinks that "if the banner ad folks want to stay in business, they stay away from cookies", think again me boy-o.
Let me ask you something. Don't you think that advertisers will pay through the teeth to have the information which can be gleaned through cookies? And don't you think, that if some agency was able to pay the sites they worked with in the range of $20-$50 CPM (cost per thousand views) since they charged through the teeth, that web site owners would be _throwing_ themselves at that banner network?
Face it buddy, for every webmaster who has a problem with cookies and won't work with an advertiser who uses them, there are 20 who will. You may have a problem with them, but I promise you that if I asked 50 site owners if I could use cookies that tracked viewers AND I would pay them for every 1000 impressions even $20, a hell of a lot more than half of them would say Yes without batting an eye.
"BOTH Spammers and Banner ad providers get nailed because people connected with who gathered the ads". Get nailed for _what_? Selling email addresses that they have gathered from the banners? When was that illegal? As long as I, as the ad agency or webmaster state in my privacy statement that it could happen, what's going to happen? If that is the case, then I'm afraid that The Wall Street Journal, Utne Reader, High Times, and quite a few other major and varied periodicals will be out of business in short order, according to someone as wise and worldly as yourself. The information is for sale to the highest bidder, and as far as consumer information goes there are no laws stopping someone from selling an email list. It's the people who do the spamming that could break the laws.
Sorry, buddy. But I'm afraid that it is only going to get worse before it gets better, and that all the technology which is used to "enhance user experiences" will be used for such purposes.
Check this scenario:
So now, any time (unless you clean your cookies or whatever) that you visit me.com you will send a cookie to my server and my server will know that you are you@you.com
See... I don't know why this is a big deal. It is actually pretty easy to implement.
You can easily kill banner ad cookies by going
into Netscape's preferences and check off the
option that says to only send cookies back to the
originating server.
And/or turn off HTML rendering in your email client.
Not that target spam is any different to me than
untargeted spam. This article seems like another
attempt to give cookies a bad name.
-thomas
HTML Email itself is a security risk. ALL browsers have security holes, and these holes have included things as serious as the ability to read arbitrary files, delete system files, and other nasties. I have seen the code for a page that will delete kernel32.dll on a Windows box running IE4.x or 5.x (given that the user has permissions on the file if you're running under NT) [code kiddies, don't ask for this, if you really want it, check out the bugtraq archives, Georgi Guninski is a genius], and Netscape has flaws that are just as bad [Netscape seems to have quite a bit more flaws than IE, I'm sad to say, which makes me an IE man]. In an effort to make browsers do more, there is a lot of the system's functionality integrated into the browsing experience, and with that exist ways to exploit those functionalities in nasty ways.
This cookies thing is just a drop in the bucket. If you still use HTML enabled email, you're asking for someone to drop you a bomb. If you really like a Microsoft mail client and you want to continue to be able to see HTML mail, make sure you put it in restricted zone! (it's in options) This won't totally protect you, unless you have "Internet Zone" security as high as it goes, because all it takes is for someone to drop an iframe in the email source (yes it's totally possible), and that iframe is a pointer to a page that whams you.
Slay a dragon... over lunch!
You know, that's /really/ evil. I believe I shall post to alt.religion.scientology warning about this, because that's just the kinda trick the scienos would pull...
I will concede that there are many useful features of using a POP/IMAP client like Outlook or Communicator for reading email and newsgroups, but it seems that more security vulnerabilities and privacy concerns are brought to light with these programs daily. If you value your privacy and desire (relative) security, use a UNIX shell client such as elm, pine, mutt, etc. These can do most, if not all, of the things that a complex POP/IMAP client can. And what they can't do isn't worth doing, in my opinion.
...
Or, if you're a serious masochist, you can even use Emacs to read your email
Here is a mainstream press article on it from then - http://www.idg.net/crd_sites_9-46489.html .
At the time both NS and MS said they would fix it. I guess they didn't...
Benjamin Franz
It's more of a privacy hole than a security hole (in the context that you used 'security').
People being able to acquire personal information and monitor your browsing habits without you knowing it doesn't increase the risk of them stealing your important files or sabotaging your network, it simply allows companies to violate Your Rights Online.
Is it really a secret that you *gasp* read your e-mail? I think you sort of gave it away when you told people that you had an e-mail address. I knew without seeing it in 'w' that you were cat'ing /var/spool/mail at sometime or another.
I have control over stuff at home, no problem.
Proper dedicated email programs and nice plain text email, the way things were meant to be.
But at work, well, I'm not the admin. The admin has swallowed MS line(s) in full and now there's a blinkin' Exchange Server and Outlook as client on Win95 (also not my choice, but my work demands alas, something with DOS at the bottom and so..).
So, while I can do all the right things to make Outlook as secure as Outlook can get, is there a way to use a Real Email program (well, damnnear anything but Outlook would be nice!) without having access to all the admin stuff? Or am I screwed and have to put up with the official crap?
(Nevermind whether or not I should, I wanna know what can be done, dadgummit).
Seems to me that what's needed is for some enterprising individual with the right skillset (and more time than me) to write up a script (and then share it around widely) that will silently pass mail unless triggered by one of these Web Bug hooks (part of an established mail filter might do just fine).
On finding one, it should issue somewhere more than ten GETs (a hundred or more would be nice if you've got the bandwidth, we're talking about HTTP GETs here, not mailings) to that site, each time with a different cookie value, none of them the one that was sent.
If enough of us do this, the pool should be poisoned nicely. When they get wise to it, we'll have to advance to cronning the additional GETs.
We might also add it into a signature-file generator for any outgoing HTML mail, especially replies.
Maybe we can't help tying a ribbon around the tree with the pot of gold at the bottom of it, but we can tie a ribbon to every other tree as well.
No, you miss the point.
Yes, it's fairly innocent, and cookies have been given a bad rap...
The issue at hand is:
1) I can send out tons of spam that uses this 'feature' to place a cookie on everyone's machine. I can also ensure that this 'cookie' contains their email address, because I *know* their email address.
2) Now, whenever this person visits my site, it sends me their email address.
It's an underhanded way of making sure that you *do* get the email addresses of visitors to your site. Yes, you could say you already have them.. but now you know when that particular person visits your site, and it's that much easier to track them down.
As for saying that HTML can generate HTTP hits.. no.. that is patently false.
HTML specifies the markup language, not the mechanism used to fetch objects. What the previous post said was that you can have HTML without HTTP, and he's entirely correct. What about pages that are on your HD? They don't use *any* http to mark up a page with lots of graphics...
So what he's saying is that the security model of the html renderer for the mua should not permit access to HTTP facilities. If there are embedded images, they should be contained as attachments, and referenced as such.
In Windows, there is a nice app called Cookie Pal that does this. To use it, you have to enable the alert message boxes for cookies in your web browser (netscape and IE both do this). Cookie Pal intercepts these dialog boxes and accepts or rejects for you based on settings you choose. Very nice. I would recommend it.
A proxy could do this (I don't know if any [such as junkbusters] already do).
It kind of brings up an interesting idea though. Banner adverts fund sites right? So what if ISPs, perhaps an especially "popular" one like AOL decided to start intercepting the requests for the banner ads and substituted their own? (Apparently there are already "in-line" caches out there that are invisible to the client.) What would be the legal ramifications?
Rich
Do any of the standard server-based spam filters filter for this sort of stuff? I would have thought that things like IMG tags, especially with GET variables attached and/or 1x1 size, would be a dead giveaway when trying to identify spam.
-- open source? sounds like the real book --
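One way a mail filter could flag the references asked about above, as an added Python example that is not part of the original thread: it walks a message's HTML parts and reports every reference the client would fetch over HTTP, noting 1x1 images, query strings and URLs that carry the recipient's own address, while leaving cid: attachment references alone. The sample message, the *.example.test hosts and the function names are constructed for illustration.

```python
"""Report remote references in HTML mail that make the reading client issue HTTP GETs."""
from email import message_from_string, policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Tags whose URL attribute is fetched automatically when the mail is rendered.
AUTO_FETCH = {"img": "src", "iframe": "src", "frame": "src", "body": "background"}

# Constructed sample message; every host and address below is made up.
SAMPLE_MESSAGE = """\
From: Offers <offers@shop.example.test>
To: Journey <journey@example.test>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Plain-text alternative.
--sep
Content-Type: text/html; charset="us-ascii"

<html><body background="cid:bg@example.test">
<img src="cid:logo@example.test" width="120" height="40">
<img src="http://ads.example.test/sync.gif?email=journey%40example.test" width="1" height="1">
<IMG SRC="http://img.example.test/banner.gif?campaign=7" WIDTH=468 HEIGHT=60>
<iframe src="//frames.example.test/offer.html"></iframe>
</body></html>
--sep--
"""


class _RefCollector(HTMLParser):
    """Collect (tag, attributes) for every auto-fetched reference in an HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in AUTO_FETCH:
            self.refs.append((tag, {k: (v or "") for k, v in attrs}))


def _classify(tag, attrs, recipients):
    url = attrs.get(AUTO_FETCH[tag], "").strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return {"tag": tag, "url": url, "reasons": ["unparseable-url"]}
    remote = parts.scheme.lower() in ("http", "https") or bool(not parts.scheme and parts.netloc)
    if not remote:
        return None  # cid:, data: and relative references cause no HTTP request
    reasons = ["remote-fetch"]
    decoded = unquote(url).lower()
    if any(addr in decoded for addr in recipients):
        reasons.append("recipient-address-in-url")  # the request itself names the reader
    elif parts.query:
        reasons.append("query-string")
    tiny = ("0", "1")
    if tag == "img" and attrs.get("width", "").strip() in tiny \
            and attrs.get("height", "").strip() in tiny:
        reasons.append("1x1-image")
    if tag in ("iframe", "frame"):
        reasons.append("embedded-frame")
    return {"tag": tag, "url": url, "reasons": reasons}


def find_web_bugs(raw_message):
    """Return one finding per remote reference, in document order."""
    msg = message_from_string(raw_message, policy=policy.default)
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers.extend(str(h) for h in msg.get_all(name, []))
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _RefCollector()
        collector.feed(part.get_content())
        collector.close()
        for tag, attrs in collector.refs:
            hit = _classify(tag, attrs, recipients)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_MESSAGE):
        print(finding["tag"], finding["url"], ", ".join(finding["reasons"]))
```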
Let's stick to reporting things that haven't happened yet. Just reprint those press releases-- that way you're bound to remain on the cutting edge of things to come.
This reporting and investigating things that have already occurred really doesn't suit the information age. What possible benefit is there to bringing up current abuses and malfeasance? There is far too much malfeasance yet to come that we need to hastily and fretfully anticipate!
I don't need large brains to have a good time.
Is the following correct??
It's not just that an email client can parse html that will result in a future website visit revealing cookie info sent via email, but the browser I'm surfing with has to be the same browser I read the email with? So my browser shouldn't know what Eudora (which does not launch a browser but just *parses* the email) knows.
/to email, remove the naughty symbol.
In a related story published in April on Wired, the use of redirect hyperlinks to track email by Deja is described.
Deja is basically tracking your creation of an email response to an article on their site.
According to the article:
"Deja News could also record -- and log -- the use of the link, the IP address of the sender, and the addressee's email [address]."
The ACLU has some rather pithy comments on Deja's practices in this area, including the possibility that Deja is in violation of the Electronic Communications Privacy Act by intercepting these transactions.
Not to worry though, Deja is a member of TrustE.
I guess this note will never meet the sight of most of the /.ers, but I had to bring this up because I found it an inherent flaw in Moderation in /.
/. Moderation Method (TM) ??
Do you remember the discussion about the CEO of Novell and his apparent stolen credit card numbers ?? Well I had posted this story as reply number 37. Furthermore an AC had actually replied with the same link as used in this story. No moderator seems to have found it fit to give any extra points. But now, a whole new discussion with 90 replies seems to have started.
Hm.. A failure of
... "follow me" the wise man said, but he walked behind
Here's a simple but lethal solution to cause massive headaches for web site advertisers (which I personally don't have a problem with): Build a tool which clicks, or emulates clicking, on every single ad that appears on every web page you visit as you visit. You don't actually view the ad, the resultant page is sent to /dev/null. This will work because companies rely on accurate stats of the ads viewed, the number visited, etc. If all that information is totally wrong then it will cause a lot of problems. It's easy to work out who hasn't viewed - but it's a different ball game to work out who has. When every ad has been clicked by everyone then who is actually following up for real???? -- sg
The pro-cookie lot is a vocal one. They protest over and over that cookies are safe and harmless. Meanwhile we are tracked by banner ads. We are h4x0r3d. We are sent cookies that shall "only" be sent back to *.co.uk because 'merkins, thinking with their arse, made stupid assumptions about what constitutes a domain. Does bloody hell have to surface before we realise that cookies are Satan's spawn and that they should be disabled and sites requiring them boycotted? What more has to go wrong before pro-cookie zealots will change their opinion?
How hard would it be to set up the email clients with a REJECT button, causing compliant mail servers to send a daemon error saying user does not exist or even "Your mail has been REJECTED by the recipient" ?
I think it would be a BITCHIN spam killer...
Cobratek
DONT TREAD ON ME MOΛΩN ΛABE
Even more reason to use Freedom from Zero-Knowledge at www.zeroknowledge.com. The product is not out yet, it's in beta testing stage. It supports you having multiple anonymous pseudonyms, works at the IP layer (I think) and filters all identifying information that it can find from your packets and ties them in with the pseudonym you select. Cookies go into separate cookie jars for each pseudonym. Quite cool.
I have a beta evaluation copy: haven't used it too much, though it does slow down surfing a bit over a 56K modem connection.
Yumpee
AC
If you are running a POP mail account, why are you using Outlook for your mail? Because it was free and given to you? There is no free ride. Everything comes with a price tag - your privacy.
I have Eudora as my mail client and so far have not had a cookie problem. If you are concerned about this problem, get an e-mail client other than Outlook. Problem is that you will have to spend money. This will not work with your free e-mail services like Hotmail or Yahoo and their kind.
You get what you pays for!
First read the article.
Then read this post, and if you still can't figure it out, this one.
Now, any more questions? (Sheesh!)
Sounds like this is probably the best option possible, until a web browser actually offers the features I described built-in. I'll have to actually drop hints to the Mozilla team. ;)
You know what to do with the HELLO. ...
Help create an open-source world
Will setting Netscape to only accept cookies going back to the originating server prevent this?
Pine reads html mail and shows it as text, so images aren't automatically requested.
Contrary to the popular belief, there indeed is no God.
I meant that I don't see why it is suddenly such a big deal. It has been possible (and not all that difficult) since the dawn of HTML email. Nothing has changed.
Something I haven't seen anyone else mention (but then I browse at Score 2 :o) ), is that this does more than allow spammers to build up a profile of you and tie it to your email address. It also proves that the address is valid.
No longer will they have to rely on people following their "unsubscribe" instructions; merely reading the email will be enough to confirm that there is someone/something on the other end of the address they bought/harvested. They can then add the address to their list of confirmed active accounts - a pretty valuable thing to have, especially if you're in the business of selling addresses...
Tim
It's official. Most of you are morons.
Oh, no! Are you saying that people might use this to just show me computer-related ads instead of ads for fake Viagra clones?!? The horror!
All-in-all, this sounds pretty harmless... I don't really care if someone who already has my email address (to send the email in the first place) turns around and uses a cookie to get my email address. Yawn.
you pulled up their file as spam.gif?billg@microsoft.com spam.gif?janetreno@doj.gov spam.gif?wkennard@fcc.gov etc... plus of course the various spam cops type addresses which I can't remember at the moment
I remember reading a .sig file a while ago that said:
"There is a special place in hell reserved for people who use html email."
(Sorry, I can't remember who it was, but I believe it was a /. reader. Credit where credit is due.)
My sentiment exactly. I read everything in a shell with pine. Ain't no cookies going anywhere there... unless I missed something? Of course that's the personal mail. At work, I'm forced to use Outlook, but I am behind a firewall.
Email is text... and maybe attached files. If you want to imply bold, * * it.
No damn font changes, inline pics, none of that crap, that's why it's 7 bit. ;) (No flames please about the real legacy reasons that it's 7 bit, I know.)
The purpose of email is to convey information. Text does that just fine for me. If you send me html formatted messages, pine can't read them, I'm not going to go to the trouble to save and view them, and you have failed to convey your message... so sorry. Now I find out that it's a nice security benefit as well. I always knew I was on the right track.
It's sorta like web pages that are all filled up with Java and the like, I can't see them in lynx, so I can't get your content. Again, sorry, but you have lost a visitor.
Russ
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
The 'problem' stems directly from the fact that only a limited number of people have the ability to post original stories. Maybe anyone with a certain moderation score should be able to do that.
This thread is really about misuse of cookies, but the problem would be less severe if cookies were used less often in the first place. I wonder if they're being used as a universal panacea in areas where they're not really necessary.
What are the viable alternatives to cookies, at least for some applications? Are there any good web resources that discuss this kind of thing and offer means of avoiding cookie-based solutions?
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I don't feel any less secure or violated about anything, Mr. Richard Smith needs to quit whining. Anyone who uses cookies should know that they aren't the most secured way of sending information, but OH WELL! I don't give a crap if everyone gets my e-mail address, nor do I care about target advertising! If you don't want your info to be seen, then don't enable cookies! Simple as that.
"I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page."
silly jamie, you are so naive. 2 points:
1. you are the brick-throwing jackass who lives in a glass house. as I read through your lame editorial I noticed that the banner at the top of the page came from focalink.com A COMPANY THAT RELIES ON COOKIES TO HELP TARGET ADS! EGADS!
2. wait until you are a public company. then you will answer to your advertisers, not the slashdot community. your advertisers get added functionality from 3rd party cookie spaces so you will allow them to set and use those cookies as they please. otherwise you will start turning away at least a small percentage of your potential revenue. Trust me, the board of directors for a public company does not like to turn away $$.
When companies misuse private information, the web community goes insane (and for good reason). Witness Real's recent blunders. Privacy on the net should be self-regulating. And good-hearted hackers should watch companies who leverage cookies like bloody hawks. But Netscape and IE shouldn't unilaterally decide what is best for the web community by crippling their software in the way you propose.
With images on banner ad people can just put their ads on various sites and track you as you go from site to site. They even know what search terms you put on your search engine.
Search on altavista for test and look at the banner:
http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=test;cat=stext
Trivial to do with email as well.
e.g. ad.doubleclick.net/trackninstallcookie.cgi&spammeecode=12345 :).
The spammeecode can be linked to a record in the database which stores- who spammed, spammed with what, spammed when etc.
Doesn't affect me coz I surf with images, java, javascript off, and I use Eudora light 3.x -
Have a nice day,
Link.
p.s. Just coz I know how to do stuff doesn't mean I do it ok?
You are worried about preserving your anonymity? How long do you think that is going to last when every dwelling in the world has an IP address instead of a phone number? When you pay for your cable on a per/show basis? When counterfeiting technology requires a move to a cashless society? Where every service comes with a price that you pay with your identity attached? Your privacy will be GONE within your lifetime.
If you use Netscape to browse and read mail under some variety of Unix, including Linux, you can greatly reduce this problem by following the two-step configuration instructions at @Man's Ad Blocking Page.
It will also block banner ads. The server list is updated almost daily.
@Man
IOW, you must already have visited that site and have gotten your cookie in order for this to work!
And you really should've paid attention to that great sign above all porn portals which reads: "Abandon all hope, ye who enter here!".
There's a few simple methods that can destroy cookies as a marketing tool. Remember that your advertising banner web site cookie is unique to you, and that the ad banner site relies on this uniqueness to track your movements. For example, doubleclick.net's cookie has an expiration date of about 2038, effectively forever. Clearly, they want to use this cookie to track you indefinitely.
So you muddy the waters.
You can do as I do, and remove all suspicious cookies from your cookies.txt file about once a week. ID cookies belonging to doubleclick.net are good ones to delete, as it permanently destroys your doubleclick ID.
But what I would really like to see would be a web site where you anonymise yourself by trading your ad banner ID cookies with other people on the net at random. You might use software to upload your ID cookies for ad banner sites, and then get back other cookies at random that were originally issued to someone else. Bingo, you're now anonymous. If you do this often, then soon the ID cookies would be useless as a tracking mechanism.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
If you break a story on a major security hole that most people don't know about on a weekend, most people are still not going to know about it.
I realize that this is not your intent, but, keep in mind that this is one of the oldest tricks in the book at newspapers like the New York Times. When there's an unfavorable story about the Clinton Administration, quite often the Times waits until Saturday, when no one is reading the paper, to break it.
You got 150 posts on this topic, but, I suggest you would have gotten a lot more on Monday. More importantly, lots more people would have assessed their exposure to the potential risks.
--
Dave Aiello
You bring up an interesting point about alternatives to Cookies. My view on the matter is that HTTP looks kinda like this:
Connect-Get-Disconnect
Until that changes, cookies will be used as a way of maintaining state over multiple connections. With HTTP 1.1 in broad deployment, it's going to be an incremental change rather than a radical one.
The best proposition on the table right now is RFC2109 (at: http://www.w3.org/Protocols/rfc2109/rfc2109)
Also there's more about HTTP at: http://www.w3.org/Protocols/Specs.html#RFC
The implication for the spammers that want to implement this is that they have to construct a separate email for everyone. Without that, the bandwidth they spend for sending someone a spam is only the space it takes for their address. Now they spend the same amount of bandwidth as the receivers, as they have to send their email (with some clever formatting to identify the receiver) separately for each receiver.
Actually, they don't have a MacOS port. Instead Junkbuster suggests using LinuxPPC.
A far simpler solution is to turn off image loading and scripting in your email client. In Eudora it's two easy clicks in the Settings menu. The only bad thing is that images are enabled by default.
I think the major deal is that cookies should only be held within a specific user agent's environment. The fact that the e-mail client in question *shares* the same environment with the web browser is perhaps what should be corrected.
As far as I'm concerned, access to HTTP services from within an e-mail message should be a settable option. If you need access to images in an e-mail, attach them like normal file attachments and reference them with <a href="file://attachment1.gif">. If HTTP must be used, put each e-mail message in its own "sand box" so that state information (such as a cookie) is never shared between e-mail messages or between e-mail messages and web sites as browsed through a typical browser.