Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid and Owl | Main | Movie-Plot Threat Alert: Robot Suicide Bombers »
August 17, 2009
Flash Cookies
Flash has the equivalent of cookies, and they're hard to delete:
Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.What’s even sneakier?
Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called 're-spawning' in homage to video games where zombies come back to life even after being "killed," the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the "backup."
Posted on August 17, 2009 at 6:36 AM • 77 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Paul Renault • August 17, 2009 7:11 AM
Just in case some readers don't read the whole article all the way to the bottom:
"Update: 8/11/2009 - This story was updated to include more statistics on Flash cookies and to note that Wired.com uses one."
Oh, the irony...
Jeff Johnson • August 17, 2009 7:16 AM
The Firefox extension "BetterPrivacy" has an easy way to control and delete Flash cookies. You can also easily setup a job in Task Scheduler on Windows or cron on Unix to clean them out regularly.
Roxanne • August 17, 2009 7:25 AM
I love this quote at the end: “We have the president, the pope and the queen of England using us,” Hooman told Wired.com in an interview a few weeks ago. “If they can trust us, then you can.”
Meanwhile, how do we scrub this memory area?
Andrew Simpson • August 17, 2009 7:26 AM
There's an interesting Firefox addon called Ghostery that shows which tracking cookies are used on each site you visit.
A Nonny Bunny • August 17, 2009 7:34 AM
Just say no to flash.
No-script and flashblock probably help me avoid a lot of those things. Not that I'm too worried about being tracked.
If you play flash-games which allow you to save your progress, you can edit the cookies with a sol-editor to cheat ;)
Roy • August 17, 2009 7:35 AM
These are 'local shared objects' and have the extension '.sol'.
Once you have removed them, change the permissions of that directory to read-and-execute-only, so that nobody can write to them again.
clvrmnky • August 17, 2009 7:48 AM
Wow. I don't go to porn sites. I really just don't. I sure have a lot of .sol files related to porn sites. Must be those pop-ups that yu get occasionally.
I also have some related to things I do frequent, like PayPal. I deleted them all just for fun.
Pete Austin • August 17, 2009 8:23 AM
Use of cookies in this way appears to be illegal in the UK, because of the second point below, from the PDF "Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003"
http://www.ico.gov.uk/upload/documents/library/...
"Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
* is given the opportunity to refuse the storage of, or access to, that information."
Bum • August 17, 2009 8:31 AM
> No-script and flashblock probably help me avoid a lot of those things.
Don't be so sure and check everything manually. It's some obscure registry key in Windows, but on Linux/Unix it's stored in ~/.macromedia directory.
Pete Austin • August 17, 2009 8:33 AM
From the Wired article, "Clearspring CEO Hooman Radfar [says they have] the queen of England using us", so he is doing business over here.
Anyone know how to file a complaint? Is this only allowed if you're directly affected?
Marc B. • August 17, 2009 8:43 AM
Flash cookies can be deleted at this website: http://www.macromedia.com/support/documentation/...
There the existing cookies are displayed and can be deleted with one mouse click.
Psuedo • August 17, 2009 9:23 AM
Under Linux, something akin to the following and run at login can be used as a partial solution (at your own risk, YMMV etc, etc):
#!/bin/bash
DEBUG="/bin/echo "
#DEBUG=""
RM="/bin/rm"
SHRED="/usr/bin/shred"
FIND="/usr/bin/find"
function shred_dir {
DIR="${1}"
nice ${FIND} "${DIR}" -type f -exec ${DEBUG}${SHRED} -n3 -fzu {} +
nice ${DEBUG}rm -rf "${DIR}"
}
shred_dir "${HOME}/.macromedia"
shred_dir "${HOME}/.adobe"
cha cha cha • August 17, 2009 9:28 AM
Marc B:
thanks for that link, but the applet is pretty insulting. really, FOUR LINES in the listbox? FOUR LINES.
Psuedo • August 17, 2009 9:34 AM
And in my above post, change rm to ${RM} in the function.
Silly me!
merkelcellcancer • August 17, 2009 9:52 AM
I have been using Better Privacy for some time, it is updated frequently as FireFox is updated. Excellent addon, nothing complicated. Much better than anything Macromedia would offer.
Shane • August 17, 2009 9:55 AM
I really don't think that this is all that hairy of an issue for people in the know, as I'm sure most people reading this blog know how to keep their machines fairly clean in terms of garbage data in known locations, but your average user isn't going to write/instate a cron script, install a Firefox plug-in (or sadly, even use Firefox in the first place), or find some online tool to help them delete the data.
I think that's where the real issue lies. It's probably considered an upwards learning curve just to get your average user to clear out their cache/cookies on a regular basis via the very obvious browser options, let alone a set of new stored data that isn't included in those options.
"No-script and flashblock probably help me avoid a lot of those things."
Certainly good for instances where heightened security is necessary on a particular machine, but what a sad exclusion of some very wonderful parts of the web browsing experience. I, for one, don't think the answer to avoiding / correcting these issues lies in regressing back to ARPnet (ok, obviously an exaggeration, but still). Poor web development and browser/implementation vulnerabilities aside, I think JavaScript and Flash are both great, and have certainly done wonders for the web, however insecure and slow they may be in many instances. But that's a trade-off, for sure, if you don't mind killing convenience for a little bit more security. Although I'd say simply *not using IE is already a huge leap in that direction, anything more can start (imho) to seem like inch-worming it towards an unreachable goal (invulnerability).
However, that's certainly just my opinion. I've never really had too many issues on the web, honestly. I can count on one hand the number of viruses I've had on any of my machines over the last 15 years, and I know with 100% certainty that every one of them came from downloading via P2P in the old days (haha, remember Hotline?). Sure, the occasional malware cookie here and there, but nothing drastic to be sure.
I think, aside from not using IE, the best thing anyone can do to keep their machines safe(r) from harm is to simply be a little smarter about where they are pointing their web browser.
(To be clear: I'm not saying FF is somehow invincible, not in the least, but of the choices out there for many folks, there is really no question in my mind as to which to use.)
Pete Austin • August 17, 2009 9:57 AM
@Marc B.
English version of your link to delete Flash cookies.
For other languages, replace the "/en/" by e.g. "/fr/".
bob • August 17, 2009 10:00 AM
Has anybody extracted the control app to a standalone local executable so that I dont have to go give a copy of everything on my PC to adobe in order to control this behavior?
merkelcellcancer • August 17, 2009 10:03 AM
For PC users with Microsoft OS, there is always the consideration that some data can not be easily removed, i.e., index.dat, *.tmp, and *.ie5 type files, unless you find a bit of software to unlock the data status.
Before a quick scrub (see list below) I search for and unlock these files with Unlocker.
http://ccollomb.free.fr/unlocker/
Then I run (licensed copies BTW and not scammy versions as some will complain about):
PurgeFox
PurgeIE Pro
CCleaner
EasyCleaner
Evidence Elminator
Each has its specific approach and areas of best use.
Finally, run PowerToolsLite...
merkelcellcancer • August 17, 2009 10:09 AM
You may as well add this to your list of Firefox addons for personal cookie issues.
This Firefox add-on sets a number of permanent, generic, non personally identifiable opt-out cookies in the browser, which will prevent 90 different online advertising networks from subjecting users to behavioral advertising (and in some cases, will stop the networks from being able to track users' web browsing habits too).
Why should I use TACO?
A large number of advertising companies now track users' browsing across the web, in order to profile them, and then serve them highly targeted advertising. This so called behavioral advertising is a threat to the average user's privacy.
An industry group, The Network Advertising Initiative, provides an easy way for users to opt-out of the tracking performed by its 40 or so member companies. Consumers can visit a single web page, and then easily set opt-out web cookies for all of the NAI members advertising networks. However, there are many other advertising firms who are not part of the NAI, and so consumers are currently expected to visit the websites of each of these 50 or so other companies in order to opt-out.
In addition to the issue of users having to visit 50+ different websites to opt-out, another major problem with the current approach that the moment a user clears his or her cookies, they also lose the opt-out cookies. Regularly clearing browser cookies, or better, setting the browser to erase them all at the end of a session, is a recommended practice. Unfortunately, by doing this, users are then required to re-visit the various advertising opt-out Web sites page each time they start browsing the web. This is obviously not a reasonable thing to expect. .....
HJohn • August 17, 2009 10:09 AM
@Shane at August 17, 2009 9:55 AM: "but your average user isn't going to write/instate a cron script, install a Firefox plug-in (or sadly, even use Firefox in the first place), or find some online tool to help them delete the data."
_________
Good post.
One issue I see as problematic is that users, when setting up flash (or anything else for that matter) are simply never made aware that they are being tracked. Even a user who takes the time to set up IE or FF or any browser securely may simply not know this. I also believe Flash is just one example of a bigger problem.
Of course, simply disclosing to the users doesn't always help. They are so bogged down with warnings and huge agreements they just click "OK" "Accept" "Next" ETC habitually.
The way I would set things up would be to make the most secure, least intrusive and tracking, option the default. When someone used a function, I would prompt them if they want thing tracked for convenience and make the default response No. Then again, it's not as simple as that and they are driven by dollars and usability in many ways. Yet, it seems if you're going to sell someone a gun, it is probably best if the safety is on by default when it leaves the shop.
Scott B. • August 17, 2009 10:15 AM
I've been using BetterPrivacy and I thought it was effective in removing flash cookies. Then I visited the Macromedia site mentioned by previous posters and found several dozen flash cookies still on my system. Wish I hadn't been so quick to delete them so I could try to figure out what the heck is going on.
chas • August 17, 2009 10:18 AM
I don't use flash, partly for this reason (regsvr32 /u Flash10b.ocx). Adobe seems not to care much about users and does not give them control of their own environment. Once when annoyed by flash ads, I emailed adobe support to find out how to stop the popup ads from coming up in my browser. Their response was that if you just say "yes, install Flash" then the popups will stop. That's when I de-registered it from my computer.
UID • August 17, 2009 10:22 AM
@Scott B.
If you open your SYS folder manually, you will probably find that what the Flash site lists as cookies are actually empty folders.
Shane • August 17, 2009 10:22 AM
@HJohn
Agreed, for sure. I like the gun shop metaphor, haha, I've always been the type to wonder how any weapons are ever actually sold legitimately, considering the fact that once you have it in hand... ;)
@Miramon
"flashblock for firefox is your friend."
Actually, after reading up on it (admittedly I had no idea what it was when I posted save for a rash assumption), I have to say it looks like a great plug-in. I wasn't aware you were able to still view flash content on a case-by-case basis. Surely it makes 99% of the big sites out there far less annoying, Wired drives me insane with their page-hogging modal flash ads.
Steve (UK) • August 17, 2009 10:37 AM
Hi,
I discovered this creepy stuff sometime last year.
My fix/workaround (on *nix) is to make the nasty macromedia directory unusable by all users.
e.g.
chmod 000 ~/.macromedia/Flash_Player/*
giving:
ll ~/.macromedia/Flash_Player/
total 16
drwx------ 4 steve steve 4096 2009-01-11 20:03 ./
drwx------ 3 steve steve 4096 2009-01-11 20:03 ../
d--------- 3 steve steve 4096 2009-01-11 20:03 macromedia.com/
d--------- 3 steve steve 4096 2009-01-11 20:03 #SharedObjects/
I've not noticed any problems resulting from this and no process can create items in the folder.
If anyone knows whether those sneaky macromedia guys have their own workaround which makes me insecure again please let me know :-)
Steve.
A Nonny Bunny • August 17, 2009 10:42 AM
@shane
> "No-script and flashblock probably help me avoid a lot of those things."
>
> Certainly good for instances where heightened security is necessary on a
> particular machine, but what a sad exclusion of some very wonderful parts
> of the web browsing experience.
Both those plugins allow you to permit scripts/flash for particular sites. They just ensure that they don't run automatically for every site you happen to come across. So, for instance, flashblock hasn't prevented me from enjoying youtube at all. I have been saved the annoyance of a lot of popups and other nuisance though.
But I can agree with you that it may not be worth it for your average user. The first few days on no-script were a bit of an adjustment for me as well.
Shane • August 17, 2009 10:49 AM
@A Nonny Bunny
"Both those plugins allow you to permit scripts/flash for particular sites."
Yea, haha, I figured that out not long after my post :)
They seem like handy plug-ins for sure, but I can completely understand the No-script plug-in taking some adjustment.
As for the average user, just getting them to use Firefox alone seems a daunting task. A majority of the IT staff where I work still argues the point to death, for no other reason than being victims of the M$ lock-in-brain-washing. It's truly sad, and absurd.
Joe Buck • August 17, 2009 11:29 AM
I recommend the use of the Firefox Flashblock extension. It replaces Flash objects with a button you can click to view them. That way, you can see embedded YouTube videos if you choose to, but you don't see Flash ads, and since they don't start up, they can't install any local shared objects ("Flash cookies").
Roy • August 17, 2009 12:25 PM
It is wise to occasionally look for surprises on your computer, the things you knew nothing about. On *nix machines, the following will show you all files addressed in the last 24 hours.
find ~ -mtime 0 2>/dev/null | less
Chris • August 17, 2009 12:26 PM
It seems that Microsoft's Silverlight has something in what they call Isolated Storage... Have a glance at the article by Mike Snow which talks about it...
mojo • August 17, 2009 12:58 PM
Firefox needs a simple option to delete these objects in the same way as cookies.
The devs would probably argue that it's not a FF issue, but FF is where action needs to happen.
BF Skinner • August 17, 2009 1:17 PM
Sans newsbites carried this today http://www.sans.org/newsletters/newsbites/...
and then pescator said something interesting "Palm was just outed for the Palm Pre secretly sending location information back to Palm. Hiding behind opt-out language buried in eensy beensy type in voluminous end user licensing agreements is a great way to anger your customers."
HJohn • August 17, 2009 1:17 PM
I use CCleaner to clear out lots of tracking and other residual date. I'll have to do some checking later and see if it removes flash date as well.
HJohn • August 17, 2009 2:36 PM
I think many people may not realize how serious it is.
In many ways, I see it as the virtual equivalent of dumpster diving or taping together a shredded document. It is deliberately ignorning a data owners deliberate deletion of data by an entity that has no business doing so.
Further, a lot of users do not grasp the gravity. I hear all the time people saying things like "I don't do anything I'm ashamed of" and "I don't have anything to hide." That's all well and good, but the fact remains that off handed remarks we have made and careless things we have done can come back and be taken out of context to use against us in something completely unrelated.
You stumble accross the wrong website, it happens. Yet, if it is a dubious site, it could be used against you in court if it is not deleted. You post a throwaway comment somewhere about your wife, and then she dies in car accident--your throw away comment is now motive.
You accidentally go to an adult site and then you land in divorce court--you are then considered scum. and it hurts your settlement and custody/visitation arrangements.
Some of these things may seem far fetched, but a lot of problems today seemed far fetched in their infancy.
Perhaps some of the examples I've cited cannot happen today becaues flash cookies do not deal in that info. Well, not yet--do you really think, if there is a way to bypass your controls and get your usage history, some entity who may benefit won't expand to include it?
This is a bigger deal than most think. If users delete information from their computer, it is not up to a third party to undelete it.
richrumble • August 17, 2009 2:51 PM
You can use FF, but you don't need any extension or additional software, open FF 3.1 or greater, ctrl+shift+p to Start Privacy Browsing. There is also an ext for switching between the two: https://addons.mozilla.org/en-US/firefox/addon/9517 (a little mask appears on the bottom right of FF to toggle on an off)
-rich
HJohn • August 17, 2009 2:58 PM
@richrumble: "You can use FF, but you don't need any extension or additional software, open FF 3.1 or greater, ctrl+shift+p to Start Privacy Browsing. There is also an ext for switching between the two: https://addons.mozilla.org/en-US/firefox/addon/9517 (a little mask appears on the bottom right of FF to toggle on an off)
-rich"
_______________
Good to know. IE also has InPrivate browsing, though I'm not to familiar with it.
Problem with these settings also is that most users aren't aware of them and don't understand them. They set up their browsing to delete everything on exit and think they are good. Little do they know...
Imagine if they made a gun where you can turn on the safety and remove all the bullets. Yet, even with the safety on and an empty chamber, it can recreate a bullet from residual metal and fire... you just don't know it.
Setting the safety and removing the bullets should keep a gun from firing. Likewise, clearing your data and setting it to keep it clear should do exactly what you tell it to.
anna • August 17, 2009 3:17 PM
I deleted all the flash cookies, and then gave 504 permissions for the folders it creates on my Mac (no write to anyone - and no execute for all).
All flash sites perform still correctly. But no cookie can be created.
@HJohn
Actually, removing the bullets alone should prevent a gun from firing.
Analogies between software and real-world objects are like guns: you might think you know how to use them safely, until one goes off when you thought it wasn't loaded.
Angus S-F • August 17, 2009 3:24 PM
I use BetterPrivacy, great add-on. Note that even with BetterPrivacy you need to manually select the option which deletes these directories or they will be left behind, leaving 'proof' that you have been somewhere before.
In Windows XP, the following lines saved to a batch file will kill Flash Cookies AND the litter of directories that Adobe's worthless 'cleanup' tool leaves behind:
======================
:: nuke any existing cookies and subdirectories
rd /q/s "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
md "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
rd /q/s "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
md "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
======================
Save these files to "KillFlashCookies.cmd" and add a "scheduled task" to nuke them regularly.
Shane • August 17, 2009 3:53 PM
@Psuedo, Steve, anna, and Angus
All good solutions, but again I would stress that this is relatively a non-issue for anyone with a fair amount of knowledge about their machines who knows that Flash is setting these 'cookies'.
For the average user the issue lies not only in their lack of knowledge on how to correct and/or defend against the problem, but also that the problem exists in the first place.
I find it quite dubious that these files are not stored where all other cached browsing information is stored. That's really what kills me. There seems to be no legitimate reason that these .sol files couldn't have been stored in the same location as the browser stores the .swf's themselves, thereby allowing them to be removed with the rest of the cache via the browser's own privacy/storage options.
Seems M$'s Silverlight pulls the same type of backdoor shenanigans, though you'd be hard pressed to get me to download any type of Microsoft Flash clone.
HJohn • August 17, 2009 4:02 PM
@Shane: For the average user the issue lies not only in their lack of knowledge on how to correct and/or defend against the problem, but also that the problem exists in the first place.
_______________
Good post, again. Problem is, as you said, average users don't know all this, and shouldn't be expected to. The companies are playing on their lack of knowledge.
Perhaps better than my gun analogy would be a car analogy. People shouldn't need to know how cars function inside and out to use them safely. A car, when functioning properly, should do what it is told to do, and how this happens in the back ground shouldn't matter to the user. If a driver hits the brakes, it shouldn't cause the airbag to deploy, and if it does the user shouldn't be told that it is because they didn't check under the hood first.
PrivacyTrainedProgrammer • August 17, 2009 4:04 PM
HTTP & Flash cookies are the tip of the iceberg. It is very easy to track users across visits using a variety of channels over HTTP. There's nothing that users or browser plugin writers can do to stop this since these side channels are built into HTTP.
One way to do this is with the ETag. Your website has a logo image that is a legitimate image (not a 1x1 clear GIF). Your web server sets the ETag on this to a unique value for every new user. Every time the user visits the site the browser sends the If-None-Match header along with the ETag. Voila, you've assigned the browser a unique ID that it kindly repeats back to you.
The ETag is just one simple way to do this. There are many opportunities to track users.
Shane • August 17, 2009 4:40 PM
@PrivacyTrainedProgrammer
Not that it isn't a noteworthy issue, but Etags are stored with the cache, hence easily removable via the browser itself. Not only that, the only way to actually track anyone and be even somewhat reasonably assured it's the same user is by testing on IP within short time-frames, which doesn't amount to a great deal of tracking information should a user close the browser or spend any longer than 30 seconds to a minute viewing a page.
As for things like appended GET variables via Javascript, using referer headers, et al, etc, etc... obviously it's difficult to defend against these types of tracking, but generally speaking these are far less of an issue because they are not persistent files stored on your machine, hence the tracking may persist throughout the browsing session (at best, also: not to be confused with 'browser' session), and the idea that the IP address of the user is a unique identifier is fundamentally flawed in and of itself, thereby (at the very least) skewing whatever types of information the tracking site is looking for in the first place, most likely to its own detriment.
Shane • August 17, 2009 4:47 PM
Also, I just wanted to add:
It's really every website's right to track what its visitors are doing throughout their 'stay', I don't see the harm in that, I do it myself with sites that I have built, to varying degrees (none of which are malicious).
Persistant tracking of a user's browsing history outside of the site itself, dubious storage tactics, as well as the respawning of cookies that were explicitly removed are really what make this issue more problematic, at least to me.
Jeremy • August 17, 2009 5:27 PM
On a distant tangential note, was anyone else bugged by that explanation of the term "re-spawn"?
In my experience, respawning refers to any entity (but usually a player) re-entering the game after death (or other elimination). Often in games without even a hint of zombism in the mechanics or backstory. It doesn't even apply in cases where the body just gets back up, you have to have a new body formed in a location that is not specifically the place where you died (usually some sort of "home" location).
If zombies have a UNIQUE ability in the game to come back after "death", that might be called "regeneration" or "reanimation" or "resurrection", but I can't think of any game I've ever played in which it was called "respawning."
PaulJ • August 17, 2009 5:47 PM
The Adobe Flash Player Settings Manager is sad excuse for a 'manager'. You can delete all cookies or one cookie at a time. No multi-select, no continuous scroll. And it is dog slow...
On an old Mac iBook G4 with more than 700(!) Flash cookies items, it took more than 4 minutes to open the Manager page, and I was interrupted four times by an alert indicating there was a slow running script that I might want to cancel....
As noted by others, the ultimate solution was to rm -rfd the appropriate directories and then set permissions read only.
Godel • August 17, 2009 5:53 PM
Windows Secrets newsletters had a few articles on this, unfortunately in the paid version.
They recommend going to the control panel at the flash website and setting the amount of storage allowed for LSOs on your computer to zero.
The address is http://www.macromedia.com/support/documentation/...
Note: this web page is the actual control panel! The setting that you want is the second tab from the left. Also, I think you may lose these settings every time you upgrade or reinstall flash player.
BTW, I think I read that Better Privacy only wipes flash cookies stored AFTER it was installed unless you choose otherwise.
Mark • August 17, 2009 6:25 PM
There are so much undesirable content no today's web that it's almost impossible keep some level me productivity without AdBlock, NoScript, and FlashBlock. It's a case of too much noise for less signal.
Moe • August 17, 2009 6:50 PM
Yeah, I set the LSO size for Flash cookies to zero ages ago, via that settings manager someone linked to above.
I'm kind of surprised that people are just now rediscovering this, but I guess that reminders are good to have.
Oh, and Flashblock also helps. I haven't seen non-text ads in ages now.
""
No-script and flashblock probably help me avoid a lot of those things."
Certainly good for instances where heightened security is necessary on a particular machine, but what a sad exclusion of some very wonderful parts of the web browsing experience.
""
NoScript has a decent setting that allows scripting from the site/domain you're visiting but nothing linked off it; Allow google and yahoo API collections and you now have 95% of anything worth running while avoiding several attack vectors. It's not perfect, but it's a lot closer to the 80/20 point on the practicality scale.
Clive Robinson • August 17, 2009 8:44 PM
@ PrivacyTrainedProgrammer,
"There's nothing that users or browser plugin writers can do to stop this since these side channels are built into HTTP."
Actualy originaly they where not.
The story behind HTTP and "state" information and it's abuse is an object lesson in why security and privercy are hard in a rapidly developing field of endevor.
Originaly HTTP was designed as a simple "read only non interactive" technology for resorce limited servers and browsers (the electronic analog of a University refrence library).
This ment that there was no "state information" kept in either the browser or server about what a user was doing or had done, who they where and what they where specificaly allowed to do.
The upshot of this was that what could be achived in the way of a "user experiance" was to put it bluntly more primative than "Ug the caveman's rock paintings".
Like most things to augment HTTP "state" was an "after thought that got bolted on". That resulted from people "bending the existing protocol" to get things done and it being seen as desirable (remember history of GET and POST?). The classic example being CGI (if people even remember this) at the server end.
CGI required for most things that state information be kept. Cookies came about as a result of library type services needing users to log in (back in the early 90's). One model used was to "grant tickets" from a ticket server (sort of based very aproximatly on Kerberos ideas).
People then bent the "cookies" protocols further.
And so it went on.
The need to pay these "protocol bending developers" and the "Dot Com Bubble" gave rise to the "need to make money".
The only two income models that appeared relevant at the time where the "subscription model" and the "broadcast advertising" model.
Due to the dynamics of the web it appeared that the subscription model was only relevent to a niche market of "information holders" (publishers) and they where very set in their ways...
Which left the "Broadcast advertising" model as the only viable option for most web services.
The Broadcast advertising model in turn was based on the "Newspaper advertising" model. Both of which dictate the charges you can levey for an advert is based on "circulation figures".
As people are now uncomfortably aware the web is not actually based on the "broadcast model" at all, each access to a web page can be logged and due to the needs of access control "state information" is required to be kept to "improve the user experiance".
And this is the problem "developers bending standards" is not the secure way to develop a protocol it is in effect "legitamising abuse".
Whilst protocol abuse is an agnostic process in that it can be for good or bad, you get both as the "done deal" unless you plan accordingly well ahead.
Unfortunatly whilst the user wants the good stuff (CGI... ...Web2 etc) the people supplying the money want the bad stuff (your personal details) to sell to the largest industry in the world (Marketing).
Marketing in it's many guises has a long and quite nasty history of explotation the individual.
Those modern Marketing Execs "shooting their cuffs" have inherated the mantal with little change from those who started it as part of practicing the second oldest proffession in the world (that of comitting monetary and political exploitation of deity worshipers, the oldest proffesion is of course the "King Game" or "Protection racket").
As has often been noted,
Those that do not learn histories lessons are cursed to re-live them.
sitaram • August 17, 2009 11:16 PM
I symlinked them to /dev/null long ago; haven't see any side effects, but then I don't do a lot of flash so YMMV:
$ ls -al |grep null
lrwxrwxrwx 1 ff ff 9 2009-08-18 09:38 .adobe -> /dev/null
lrwxrwxrwx 1 ff ff 9 2008-10-17 15:37 .macromedia -> /dev/null
Frienley • August 18, 2009 12:48 AM
Glary Utilities is a program that is mainly built for cleaning temporary files of both Windows and common programs.Remember to backup when prompted by Glary Utilities. In fact, you should be doing this when using any form of registry cleansing program.Good luck!
BF Skinner • August 18, 2009 6:37 AM
Old school is to create a black list at layer3 and redirect bad domains to loopback.
Any call on your client comes from the servers html code making a call to a domain right? That domain ip has to be resolved for. Once your browser resolves the address and goes and finds the site. (not sure about serverside includes
Edit hosts add a line for BS sites.
127.0.0.1 adsite.com
127.0.0.1 doubleclick.com
...etc
When each webpage attempts to direct your browser to these ads...you get a 404 box. No connection to the ad site. Ugly but your page will load faster (for dialup folks)
Trouble is with the length of the list, creating it, updatinging it. You will need to set it to read only but you should've done that already. Your AV may flag it as compromised if it's sophisticated.
There are people who keep updated lists of addresses...but you'll want to review them - your definition of spam may vary.
http://www.mvps.org/winhelp2002/hosts.txt
someonewhocares.org/hosts/
Roger • August 18, 2009 8:01 AM
@Jeremy:
> On a distant tangential note, was anyone else bugged by that explanation of the term "re-spawn"?
No. No one else was bugged by that.
HJohn • August 18, 2009 9:00 AM
@Shane: It's really every website's right to track what its visitors are doing throughout their 'stay', I don't see the harm in that, I do it myself with sites that I have built, to varying degrees (none of which are malicious).
____________
Absolutely.
Adam Katz • August 18, 2009 9:36 AM
This is a simple cron entry:
0 * * * * rm -rf ~/.macromedia ~/.adobe 2>/dev/null
One of the above posts goes into the preposterousness of using shred ... if the malicious intruder has enough access to your machine that you need to justify using shred, you're in far more trouble than shred can fix. See also my more thorough post on this exact issue at http://slashdot.org/comments.pl?...
Todd Sweeney • August 18, 2009 10:04 AM
Eh. I've lived without Flash for a long time now. Of course, I can't watch videos of some moron setting himself on fire. Gosh, I guess I'm not getting the "full internet experience".
Carlos • August 19, 2009 3:54 AM
Used NTFS security to deny myself access to %appdata%\Macromedia\Flash Player\#SharedObjects and %appdata%\Macromedia\Flash Player\macromedia.com
Should work.
wap-tek.tk • August 19, 2009 4:15 AM
@echo WAP-Tek's flushflash.bat
@echo i am not resposible for you IGNORING WARNINGs,,
@echo LEARN TO HACK OR FAIL!
@echo WAP-Tek.tk
@echo .
@echo WARNING read the contents of this "program" and edit it NOW
@echo .
@echo This file MUST be customized for you systems folder structure or
@echo it WILL erase your system files by accident !!!
@echo .
@echo this is not guarenteed to work but
@echo for a "safer" alternative you can block flash cookie creation,,
@echo .
@echo you can put a dummy file FOR each folder that shows sol files in it
@echo place dummy files named after the sub-directorys listed as having
@echo sol files , flash will fail to save anything because
@echo it cannot understand that a file is not a directory
@echo .
@ECHO press [Ctrl] [C] to stop this NOW !!
@echo .
@echo or
@pause
@cd "C:\WINDOWS\Application Data\Macromedia\Flash Player"
@dir /a
@ECHO press [Ctrl] [C] to stop this NOW or
@echo .
@echo or
@pause
@deltree /Y *.*
@cd "C:\WINDOWS\Application Data\Adobe\Flash Player\AssetCache"
@dir /a
@ECHO press [Ctrl] [C] to stop this NOW or
@ECHO .
@echo or
@pause
@deltree /Y *.*
@cls
@exit
Somewhat Anonymous • August 19, 2009 6:01 PM
The above script is broken. It works ok if you start it anywhere on the C: drive.
If you start it on any other drive (say D:) the cd command will change the current directory for the C: drive, but will not change the current drive to C:.
As a result, if you start the script in, say, D:\, it will wipe out the entire D drive.
The cd command is different in Windows than Linux...
Somewhat Anonymous • August 19, 2009 6:04 PM
Isn't it funny how, for any seemingly trivial problem, at least one person seems to post a script that wipes out the root file system? :)
HumHo • August 19, 2009 8:32 PM
Flash cookies - is that what schneier.com uses to keep out people they have banned from commenting here?
Would be interesting to know how they ban people from a site that does not require login?
Come out clean;-)
another Anonymous • August 20, 2009 9:29 AM
I'm using OS X Leopard where i repeatedly found the Flash plugin to ignore the settings i made over and over again (this behaviour was consistent over several versions of the plugin), just imagine that! (Sorry, no desire to check on windows)
So, you can go with the solution Roy pointed out above, to restrict the write permissions to the folder where Flash saves the local shared objects.
But then consider that a lot of sites ban people from using their Flash content or they cripple functionality when FlashCookies and/or 3rd party content is disabled. (not talking about big 'applications' here, one example is the music player on myspace)
This gives you an impression how valuable your identity might be to those services.
Flash Cookies are so *massive* a problem, i can't believe Adobe is getting away with it like they do.
uk visa • August 23, 2009 4:20 AM
Thank you Andrew Simpson - Ghostery provides some very interesting info.
Arthur • August 23, 2009 4:27 PM
I don't see the problem with flash cookies. In Windows, just use a simple script that deletes the entire folder %APPDATA%\Macromedia. I've yet to find any downside to deleting that folder frequently.
While you're at it, if you're using IE, delete its UserData folder too (path varies with IE version and Windows release - can be %USERPROFILE%\Userdata or %APPDATA%\Microsoft\Internet Explorer\UserData).
noflash • August 25, 2009 5:10 AM
After deleting cookies and setting ghostery to not allow any tracking marketing sites and also not allowing cookies a wonderful side affect was not having very many adverts on any websites!
Shane wrote: "...average user isn't going to write/instate a cron script, install a Firefox plug-in (or sadly, even use Firefox in the first place), or find some online tool to help them delete the data.
I think that's where the real issue lies. It's probably considered an upwards learning curve just to get your average user to clear out their cache/cookies on a regular basis via the very obvious browser options"
No. The problem is that such cookies _can_ be created anyway - by default. _That_ is the problem.
"I've never really had too many issues on the web, honestly. I can count on one hand the number of viruses I've had on any of my machines over the last 15 years"
You do know, that there's not one virusscanner which detects every virus? But, more importantly: although _you_ didn't had too many issues, you had some. And you're probably one of the top 1% computer-knowledgable people. So, 99% gets into more trouble than you. Again, this tells us that it's the problem that such flash cookies _can_ be created in the first place anyway - the problem is not the user. The problem is that the software companies can get away with all that rubbish and those ridicilous unsecure defaults.
Tom T. • September 15, 2009 12:05 AM
I started this simple Flash Cookie Remover as a 0.5k Windows batch file, but never took it past beta. I still use it every time I leave a site at which I've allowed Flash in NoScript. Neat, clean, and simple.
Anyone is welcome to continue or fork it, although attribution as per the Creative Commons license would be in order.
http://forums.informaction.com/viewtopic.php?...
WinkY tHe ClowN • January 8, 2010 1:01 AM
Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Send sys to desktop (create shortcut).
next
Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\
The folder after #SharedObjects
Will have a name like
PSUMQPGM
Send to Desktop (create shortcut).
Drag the shortcuts to taskbar.
Delete contents of these folders frequently and dont forget to defragment after you take out the garbage. Cause thats what this adobe program is. Garbage. A multimillion dollar software company cant create a utility to run locally on your machine ?
Welcome to the new look of surveillance.
Dwight Stegall • October 29, 2010 7:53 AM
Flash Cookies are not evil if you know how to control them. I have uninstalled Opera and Safari because they don't allow you to do the following.
View my post here.
Rick Sykes • October 4, 2011 1:57 PM
Another (admittedly draconian) approach to protecting your privacy is to use either a live CD image or a virtual machine image for web surfing. (If you use the virtual machine approach, create a snapshot of a "vanilla install" with no customization. Then always boot a pristine copy of the snapshot.) The idea is that you can surf with all protocols (Flash, PDFs, and etc.) available, but since your filesystem is generic, there's nothing to distinguish you from a fresh install. On each reboot, all state information goes away.
I use a Linux distribution, so my browser is Firefox. I use the NoScript plugin to disallow most scripts. I use TOR to prevent traffic analysis, but configured to allow scripts to run (normally a no-no).
So far, it's worked fairly well...
James M • October 16, 2011 7:57 AM
Linux users using the open-source Adobe Flash alternative Gnash should be aware that it uses a different location to store the Flash cookies. Look in
~/.gnash/SharedObjects
thus • March 2, 2013 3:13 PM
Can a dvd burning program embed flash cookies in the files I burned, and does a pdf file contains flash cookies?
And if the answer is yes, how do I clean a file?
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments