Schneier on Security
A blog covering security and security technology.
« Interview with Me |
| Search Redirection and the Illicit Online Prescription Drug Trade »
August 15, 2011
New, Undeletable, Web Cookie
A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie:
Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded -- even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.
The Wired article was very short on specifics, so I waited until one of the researchers -- Ashkan Soltani -- wrote up more details. He finally did, in a quite technical essay:
Posted on August 15, 2011 at 4:48 AM
• 74 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How is this different from what the Evercookie does?
It was being used live in the wild when it was discovered. Evercookie was a proof of concept.
There, fixed. Web seems a little sluggish, though. Wait a minute:
Roger, don't forget to disable all cookies and disable all plugins and use ad blocker for good measure. The first two things make for a pretty awful browsing experience though.
I think part of the issue is that browsers are not providing reasonable defaults for persistent stuff and the tools for removing / managing cookies are lousy too.
Flash also has execrable management tools. At least 10.3 now sports a proper UI instead of that postage stamp GUI hosted on adobe.com but it's still not enough.
I think by default ALL 3rd party cookies / flash objects should be prohibited, no local storage for anything without consent, no etags for 3rd party / iframe requests, opt out should default to on, cookies / flash objects should auto expire after a few days and only explicit user intervention (e.g. bookmarking a site or maintain a whitelist) alters this behaviour. And minimize all the unique points of information that browsers leak that might allow reattachment of cookies - screen res, use agent string, installed fonts / plugins. comments etc.
It's a tough call so perhaps the vice needs to be tightened gradually to allow sites to adjust. But if people are secure by default the reasons for pulling this crap would diminish.
I have set Firefox to clear all history when I close Firefox, including cookies, cache, etc. The only exception is saved passwords which should be hidden behind a master password.
That is, under the Privacy tab -> "Clear history when Firefox closes" (ticked) -> Settings -> Tick everything except Saved Passwords.
There are plugins for dealing with Flash cookies, eg, Better Privacy and TrackerBlock.
So do I understand correctly that this method will subvert even this setup?
Sounds like someone has done a lot of work and effort to make MY browser do what I explicitly told it NOT to do.
Isn't that the definition of computer crime?
Does this Evercookie subvert Torbutton's protection against tracking?
So if you disable cache in your browser the tracking via ETags shouldn't occur right? Or does the browser still do some level of caching which would cause the ETag to sent with the request?
So how do we get rid of it?
I have chmod'd (in Ubuntu) /home/"me"/.macromedia and /home/"me"/.adobe, so that no LSO's are stored. Strangely, Flash seems to work well enough despite, and yet I see nothing in any of the subfolders.
Better Privacy is convenient, but I prefer to do what I can myself. I strongly suspect NoScript is also very helpful.
Regarding chromium, I notice in /home/"me"/.cache/chromium/default that a lot of stuff remains even after deleting "everything, from the beginning of time". Because of this, I primarily use Mozilla.
Does Kissmetrics subvert such efforts?
Would using the Modify Headers FF addon and altering the ETag header help ? It appears to send modified value on GETs and the Web server returns the same value. Does this mean each GET request implies the ETag is not cached ?
Time to start browsing in a clean virtual machine every time I browse.
It's wrong to say these are "undeletable". Because the value to send for the etag is stored in your browser cache, you clearing your cache should remove this information.
Seems like this tracker only has one use case - remembering identity in between user sessions when cookies and flash storage might get cleared. So opting to wipe the browser cache on browser close (or say, every 2 hours) should make this almost entirely useless, right?
It seems to me a plug in to restrict and alter these response headers would be transparent to the user and fatal to the cookie. One option would be to restrict the value to multiples of 5min and clip values to the last hour.
OTOH all that would do would be to force the site to spread there data across more URLs. At that (this?) point we have an arms race.
To be blunt, this is a case of legitimate sites using browser exploits to track users who have taken the trouble to say that they don't want to be monitored.
A technical fix is necessary, but stronger legal privacy protections are far more appropriate because an arms race between major online companies and browser vendors of somewhat dubious loyalties is not something the users will ever win.
Right now you can detect these crooks because of the static ETag, but that's just because the concept is in its infancy (add a salt and you have seemingly random ETags for every request).
How do you propose even identifying sites that may violate your privacy and apply that legal framework you propose: ETags have a perfectly valid use 90% of the time.
Curmudgeon has a point. I would suspect that with respect to european users this could be a pretty clear violation of privacy law.
Hmmm. I wonder if instead of trying to delete these cookies, we instead make the data useless by randomly overwriting the data. Drown them with useless data.
This reminds me of a service I wanted to set up: aggregated emails. Basically, you sign up with the service, and give the service an email addy to forward to. Whenever you don't trust a site, but think the email may be useful, you ask the service to spawn a new email address which forwards to your real one. You use this until the site loses your trust by spamming you. You then delete that one email addy.
It has the advantage of being able to tell which site is responsible for selling your information, because the addy they sent to is traceable!
It's already been done, and works great: Spamgourmet
Wouldn't it be better for any legislation to ban tracking of users who have requested no tracking (or whatever opt-in / opt-out approach is preferred), rather than trying to ban new tracking techniques as they are developed, in some sort of legal whack-a-mole game? Legislate the behavious, not the tool?
They could also ban automated recreating of tracking information where a user has chosen to remove it.
No need for special evercookie / kissmetric / flash cookie / TommorowTrak laws.
The current EU cookie rules to some extent miss the point, and are more a useless burden to site developers than a boost to user privacy.
"Log off - that cookies shit makes me nervous."
- Tony Soprano
I think solutions like SandboxIE, which tommy often mentions, might be immune to these. The reason is that the sandbox doesn't allow persistent changes to the system by a sandboxed application. The user has to manually allow something out. The "undeletable" cookies should be wiped upon exit. Browser VM's with persistence disabled do the same thing.
A few quick comments:
- This technique has been written about quite a bit and we cite the 2003 reference in our paper along with Evercookie. Until recently however, I had never seen it 'in the wild' on a major site, specially on one in the Top100 (I could be wrong though?). Furthermore, it's worth pointing out that the cache issue isn't limited to ETags since other cache-metadata (such as the 'If-Modified-Since' header) may pose similar problems.
- Calling it 'undeletable' is definitely a bit exaggerated since clearing the cache AND deleting all other forms of storage (HTML5, Flash, etc) would technically delete identifiers between sessions (i.e you'll generate a new cookie_id). There are still services such as Convertro that aim to link this new cookie to a past cookie once there's a conversion but that's a different matter.
- However, within the same session, you're still able to be tracked across domains (i.e as shown here. In order to mitigate tracking within the same session (i.e going to Hulu, then going to Spotify within the same browser instance), you'll have to disable all local storage (i.e disk.cache/dom/etc) or use something like RequestPolicy to strip ETag headers. I haven't verified but SafeCache might help by silo'ing the cache (although connections to a common third party, such as http://i.kissmetrics.com might make it vulnerable). I haven't tested with TOR button.
- Finally, while the technical means are somewhat interesting, in my opinion the key take-away stems from the fact that services likes these are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, Cache Cookies/Etags...) creating a perpetual game of privacy 'whack-a-mole'.
This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there are policy restrictions prevent it. For example, see the recent EpicMedia CSS history sniffing and device fingerprinting as other datapoints.
One of the main motivations for creating a signaling mechanism such as 'Do Not Track' was to break out of this technical arms race (i.e No evercookie / kissmetric / flash cookie / TommorowTrak) and just create a universal opt-out mechanisms that allow consumers to express their preferences with regards to tracking. The actual policy enforcement then needs to be created but at least we no longer have this end-run around technical mechanisms.
Thanks again for the lively discussion. Looking forward to more.
Well, I quickly gathered these snippets as they are still fresh in my mind:
> "If I don't know I'm being screwed, then I'm not unhappy"
Can someone prove me wrong, I have a feeling a lot of business attitudes follow this presupposition to sell us cr*p.
"You're controlling someone's machine, you don't want them to know what you're doing"
"Are we being turned into docile slaves, controlled by corporate electrodes that keep us on the hedonic treadmill?"
Here's an example of a dishonest transaction if I ever came across one!
"There's no security. Suck it up." -- Timeless. What an awesome meme :)
"Computers do control very well, but have no concept of trust." -- I believe control flows from trust. What are your thoughts? Wishing you a speedy recovery.
Your essay "The value of (respecting my) Privacy" I will be printing out today and hang up in the IS department. Im thinking that for every stance taken, there's bound to be an opposite. Do you know of one essay called: "The business value of subverting Privacy"?
Here's to hoping US privacy laws will be implemented sooner rather than later. Level the playing field......
O, and tommy and @all: How can we apply defensive lying here? Let's feed it garbled data and be dishonest. ;)
Long live the dishonest minority! :P
Winter: Never let your browser save passwords. In one study of a botnet's collected credentials database, sixty percent of the passwords found came from a browser - either IE or Firefox.
Of course, I tend to reuse passwords on most sites, so in my case it doesn't matter! :-)
I'm mostly really unconcerned about my browsing habits being tracked by anyone. What exactly is anyone going to do with that information against me? I'm quite sure if the FBI checked all my browsing habits, they would instantly put me on some sort of "watch list". But since I'm an ex-Federal felon, I assume they already have.
So who cares? Aside from general paranoia, what does it matter if some marketing company knows your browsing habits?
@ Nick P.:
Thanks for saving me the trouble of reprinting my comment the first time Bruce blogged this. Yes, this attack is defeated by proper config and use of Sandboxie.
I drop the final caps, because originally it was intended for IE (hence the name), back in the days when IE was the overwhelming majority. Anyone remember those days?... and want readers to know that it works for *any* browser, any app, any file, folder, external drive (optical, that flash drive you found in the parking lot and want to search for the art gall- I mean, "owner info").
"Time to start browsing in a clean virtual machine every time I browse.".
That's pretty much what Sandboxie achieves, in effect, at least as regards the browser.
"I strongly suspect NoScript is also very helpful."
My comment at the original thread mentioned that scripting seemed to be an integral part of KISSmetrics -- guess I should have written the article instead of waiting for Ashkan Soltani to do it, LOL -- but I thought that my previous comment effectively provided means to defeat the attack, having looked at the details myself. Yes, *everyone* should use NoScript, for this and for a million other reasons.
DISCLAIMER: I've mentioned Sandboxie a number of times on this blog, because I personally have used it for years, with good results. I have no connection, personal or financial, with Sandboxie or its developer. There are other sandboxing solutions, and also full virtual-machine solutions. Investigate each before choosing one. I cannot be held responsible for any consequences of your use of Sandboxie, especially because I don't control the product or how you configure or use it.
Best Practice, IMHO: In the Configurations menu, "Automatic Clean-Up" > check "Automatically delete contents of Sandbox" (each time it's closed). Then close and re-open the sandboxed browser frequently, and *absolutely* before *and* after doing sensitive browsing, like online banking.
You'll be prompted if there's a download in there that you forgot about, and want to get outside of the Sandbox (to your real desktop) before it's deleted. Check "Enable immediate recovery" for your default download location.
You can configure it to allow bookmarks, cookie preferences, NoScript whitelist/blacklist, etc. to be written through to the hard drive. Otherwise, these would be lost every time the sbox was emptied.
All of the advice others gave about configuring Firefox for max privacy anyway (clear cache, disable offline storage, no third-party cookies, etc.) should also be followed, and *never* store passwords in any Web-facing application. Look in the upper left of this page and click "Password Safe". ;)
@ Richard Steven Hack:
"So who cares? Aside from general paranoia, what does it matter if some marketing company knows your browsing habits?"
For those of us who aren't ex-felons, Federal or otherwise, we find this tracking just as offensive as if we were being tailed 24/7 by a team of detectives or agents. (You probably are anyway, lol - j/k; you know I respect your opinions.) Or by a marketer who follows me through the mall, looking over my shoulder, and writing down everything I buy or look at - what type of clothing, what color, (male or female underwear, LOL), where I visit and whom I see, -- enough. Out of all the people here, I'd expect that our own dedicated anarchist would resent continual snooping and dossier-building on someone who is suspected of no crime, but just for marketing purposes.
Bruce's essay on why privacy is a fundamental human need, which I've bookmarked from five years ago:
This is no lie: Bruce's cookies are so good they are cakes.
If you listen or look at the transcripts to the security now podcast they discussed it in episode #312, listener feedback #123.
Afterthought to my comment @ 5:58 pm today,
"Bruce's essay on why privacy is a fundamental human need, which I've bookmarked from five years ago:
This issue of "If you're not doing anything wrong, why do you need privacy" seems to come up regularly and frequently. Any chance that you could post a permanent link to it, under its own title, in the left-hand navigation pane here, along with Books, Essays, News, etc.? It could be a first-read resource for those who dredge up the same old arguments, and an easy link to refute them.
I think it's important enough, and distinctive enough, to deserve a prominent link here. Thanks.
I'm curious: if KISSmetrics could persist tracking tokens like that, why recreate the cookie(s) in the first place?
As a side note, it seems that the consistent cookie re-creation was the smoke from the fire that gave them away.
@ Christopher Wood
And seven years ago, some company made a piece of software that prevented this and most other exploits from harming the system. It's called Sandboxie. :) And checking their website shows it does more today than just sandboxing web applications: it contains entire installs for easy roll-back & protects arbitrary applications while allowing user-authorized data to get through. Next best thing to RAM-based, browsing VM's. And cheaper than Norton. ;)
"Here's an example of a dishonest transaction if I ever came across one! ... O, and tommy and @all: How can we apply defensive lying here? Let's feed it garbled data and be dishonest. ;)"
Which is dishonest? The company tracking the user, or the user who deletes the tracking material in between sessions?
Some have pointed out that some of these technologies may have legitimate uses. So rather than feed garbled material, just deleting it before going somewhere else prevents the tracking.
FWIW, I use the RequestPolicy add-on to firefox.
It gives you control, on a per-site basis, of which sites can pull data from other sites. For example, on this very page, I see an attempt to inline something, probably a little "badge" from eff.org. I could choose to allow just schneier.com to pull stuff from eff.org or I could let any website do it, or leave it at the default where no website can pull data from eff.org.
This is more functional than BetterPrivacy which only blocks known trackers. By default, RequestPolicy blocks all 3rd party references, including unknown trackers.
The company making undeletable tracking cookies is dishonest as wiping cookies does not delete them. False sense of privacy.
Ah you're right too much effort to garble the data and make their systems not work as intended. Better to just put all the energy in (samdboxie) to help keep a system clean that really should keep itself clean eh.....? ;)
Yeah, that'll work, since the 0.017% of people who are sufficiently paranoid about their privacy to actually bother to clear their cookies nonetheless never bother to also clear their cache at the same time. It's not like the major web browsers' "clear private information" features do both at once by default, or anything.
They are, of course, trying this because browser profiling doesn't really work in practice, because small details about the user's browser profile change every time a browser plugin or add-on gets updated or an OS security update gets installed or the user sneezes.
> browsers are not providing
> reasonable defaults for persistent stuff
Defaults are for people who don't care.
The option does exist to throw everything out whenever you close your browser. All you have to do is turn it on.
Admittedly, it would be nice to have the option to limit max cookie lifetime to some number of hours, for those of us who tend to leave our browser window open for months at a time. You can always use the "clear private information" feature from time to time, though.
Lynx browser in TAILS LiveCD? That shouldn't leave any traces. :)
Instead of deleting or preventing cookies, how about writing over them so that the information that was previously stored in them is now corrupt. Would that work?
As a former developer for a business, I see it from both sides. I get the need for "privacy" but I think people don't realize the symbiotic relationship between businesses and customers.
*If* (and I know this is an if, but there are businesses that do it) a business gives the customer advantages for allowing their businesses to run more efficiently and cost effectively, then it can pass that down to the customer.
Those that want to bypass that, it's all well and good and I understand it (I do it for some).
Then again, I correlate everything back to the prisoner problem and the golden rule (not Scrooge McDucks version either). I know, naive and idealistic.
I'm not a huge fan of Safari, but I have to admit that when it comes to security, they really have a lot of advantages.
evercookie already demoed this a year ago and admitted that the only browser where evercookie doesn't persist is Safari where you turn all persistence off.
Yep. If-None-Match is a horrible idea from a privacy standpoint. This _can_ be fixed browser-side if you're willing to accept an additional round trip in case of an invalid cache.
Instead of doing a GET with If-None-Match, you issue a HEAD and compare the ETag on the browser side, then issue a separate GET for the resource if there's a mismatch.
Unless I haven't had enough coffee yet, this stops transmitting uniquely identifiable IDs to the server.
What does it mean, KISSmetrics **was** exploiting the browser cache... does this mean they have stopped this practice now? Please elaborate/investigate and let us non-experts know what you find out!
Tommy: "Out of all the people here, I'd expect that our own dedicated anarchist would resent continual snooping and dossier-building on someone who is suspected of no crime, but just for marketing purposes."
As a "free-market anarchist", I resent government more than I do business. Which doesn't mean I support corporations (versus "companies") which are creatures of the state.
"Bruce's essay on why privacy is a fundamental human need"
Privacy, yes. Worrying about some company trying to find out what you're interested in so they can make you offers, not so much. I really can't get concerned about it when the NSA is siphoning up everyone's phone calls and emails (and blog posts) and checking them for keywords and then the FBI slaps a five pound GPS tracker on your car because you're fond of peace.
The fact that the NSA is probably sucking up all these marketing databases of your browsing habits as well is just icing on that cake.
OTOH, that said, I suspect there are easier and more logical ways for companies to find out what you're interested in than mucking around with browser cookies.
I think the whole "tracking the user" thing is a hold-over from the days of putting special codes on magazine ads to figure out which of your ads were effective. With the Internet, there are a slew of more effective ways to motivate customers and potential customers. So it's down to lack of imagination for those companies resorting to tracking.
Re Sandboxie: Nice for Windows users - doesn't work on Linux. The only relevant Linux capability I find in a Google search are "Linux Containers" - LXC - which are clearly not even remotely close to the ease of use of Sandboxie (although clearly useful for Linux experts.) I'd rather resort to full virtualization than mess with them.
However, I just found this which looks interesting:
It's a bash script that uses core Linux utilities like chroot to sandbox an application. Has a default profile for Firefox. Command line but looks reasonably easy to use. I'd check it out if one is a Linux user who wants something remotely similar to Sandboxie.
And just found out that blocking Google cookies makes even the basic google.com website unreachable.
How about someone writing a plugin that constantly sends cookie information to a central clearinghouse which then sends back replacement cookie information from random people. Kind of like swapping merchant affinity cards with strangers.
Or it sends back identical information to all participating browsers which makes it look like as soon as people find the malware they then switch to the originating site's largest competitor.
http://www.googlesharing.net/ does this for google search. There are a few people (including myself) thinking about trying to implement this more broadly.
Feel free to email about potential collaborations on this type of stuff. I'm always interested in new projects.
@ RSH & sandboxing discussion
Unfortunately, Richard has a point. There aren't many options on Linux & nothing quite like Sandboxie. However, I did dig up some things for people to try. For most of these, an experienced user will have to be the first one in. Then, they could write a guide for novice users to follow.
This will be the easiest solution for most people. Install a virtualization app, create a VM with safe settings, install a minimal RAM-based Linux, install Firefox/plugins, and create a script to turn on or off a shared folder. The VM will only be given permissions to access its own folder & the shared folder.
I'm not beginning to suggest the user try to create a comprehensive SELinux policy for web surfing. There's a few opportunities here. The first is a package & command that automatically sandboxes firefox, along with a workaround for flash. There's some usability issues, but it does access control & auto-wipe.
Dan Walsh posted a very usable policy for Firefox back in Fedora 8. Check out his blog more because he's posted many excellent uses & policies for SELinux.
Dan Walsh also talks about sVirt, which combines KVM & SELinux. SELinux has also been used with Xen on another site. Tresys Fortress & the General Dynamic's [inappropriately named] "High Assurance Platform" combine RHEL, SELinux, VMWare and some custom stuff to isolate a number of partitions in an easy-to-use fashion. (I think the HAP was about $1000 or so, with Fortress being cheaper at the time.)
Like SELinux, Tomoyo is a Mandatory Access Control scheme for Linux. The key difference is that, like AppArmor, it tries to watch the system to learn how each piece of software behaves & automatically generate a system policy. It then enforces that system policy. Might be helpful here, might not. It's available for free from NTT Corporation.
Solutions like Linux Virtual Server, OpenVZ, and Solaris Containers provide restricted environments that are easy to set up, require no complex full virtualization stuff, & have solid performance.
Green Hills, Lynuxworks, and VxWorks all supposedly have secure browsing solutions that build on their MILS platforms. I know INTEGRITY Global Security has a COTS one, as I had its brochure at one point. Truly concerned users might also buy a cheap PC dedicated to web surfing & use a cross-domain device to send files, bookmarks, etc. to the main device after or during use. (One company even makes "one-way" ethernet, which is REALLY cheap.) If one is using a desktop, it's even easier: a KVM switch, VIA ARTIGO PC running RAM-based Linux, & cross-over cable solve the problem for around $400 with excellent usability (experienced users needed for setup).
So, the point is that there are numerous solutions for Linux. Some are free, some are expensive, some are simple & some require expert care to set up. But there's something out there for everyone.
whether I'm on a watch list or not, I'd like to not reveal what I browse.
Consider this -- I'm an inventor by trade. That means I look at *everything* I possibly can. Some of that is, well, unsavory. Does that mean I'm "that sort"? Nope. But not long ago, a man's browsing history was used as evidence to help get a murder conviction. The guy probably wasn't innocent, but...next guy might be. He'd browsed "how to kill your wife" and showed up with a dead wife sometime thereafter. Bingo.
Also, and still as an inventor, targeted ads miss a big point. Sure, I buy some things more than others, but how did I find them in the first place?
The untargeted ads, that's one way. If I only get ads for the junk I buy already -- where's that next invention coming from if I can't see what's new out there and figure out what other implications of it there might be?
And still as an inventor -- looking at what I browse might give a competitor an advantage of knowing where I'm heading...
I could go on almost indefinitely. As a gunsmith, browsing gun related topics is sometimes going to take you to most unsavory sites - you might hit the back button quick, but you still visited that vigilante hate group -- better hope they commit no crimes near you, eh?
An item of interest.
I downloaded the i.js file from the kissmetrics site - referenced in todays TheRegister article.
My FFox saved it as a web document (2748 byte .htm) and not a .js file (?).
Within it's contents is the name of the defunct company who last owned my workstation.
That matters, because this is a different harddrive w/ a fresh load of a different OS.
Old OS=Server2k3. The IDE harddrive was tossed.
New OS=Win7Pro on a SCSI 320U drive.
This system was tracked after the equivalent of a drive wipe.
Out of curiosity;
I also d/l'd the same i.js link from a new virtual XP system (same ver of FFox)
I received a 39 byte i.js file. It read...
if(typeof(_kmil) == 'function')_kmil();
I haven't figured out what to make of all this yet.
It certainly brings up more questions than answers.
"Or by a marketer who follows me through the mall, looking over my shoulder, and writing down everything I buy or look at - what type of clothing, what color,"
Oh, how I wish they would, then maybe some of the few products I actually like would continue to be available next year?
Paul, the point is they didn't ask you if it is ok to follow you around. So legally, this unwanted behaviour be considered stalking. Perhaps we should be talking big lawsuits and damages in dollars.....any lawyers here? ^^
Doug: There may be circumstances where one's browsing history becomes a concern in a criminal investigation. That's not really a concern for the general population. What are the odds? Several million to one, I would guess.
Much more likely is that one's porn browsing habits might be exposed to people from whom you'd like to conceal them. You know, the site with the old cripples dressed in vinyl? :-)
This is still a minor concern for most people because it just doesn't happen that often. The companies are collecting this stuff for either: 1) some overall consumer product interest they can match with third party demographic databases to decide on marketing campaigns, or 2) to target their visitors with specific ads, or at worst 3) spam.
Only in the latter case is it likely some porn ad will show up in your email - and everyone gets those anyway.
Really, in 99.9999 percent of the cases, no one cares because no one is going to ever be affected by this, at least not in ways they can't deal with.
What one should be concerned about is the government spying. And if you deal with that effectively, the corporate nonsense will take care of itself.
What is more likely? That you get in trouble because the government spotted you cussing out the government in an email or a blog post, or because you visited some company Web site like, say, Paladin Press? Although I'm sure the government monitors sites like Paladin, I suspect in most cases if someone gets in legal trouble, it's not because they associated on the Internet with the wrong company site and its cookies. And certainly not with a porn site or any legitimate corporate site.
I repeat - this is 99 percent paranoia and one percent actual risk.
That said, a cookie which cannot be removed is essentially spyware and should be treated as such. And I assume someone will develop a detector for these things and a way to get rid of them. Not just because they're corporate spyware but because the same technology might be usable by more malicious hackers. That's a real risk.
"And just found out that blocking Google cookies makes even the basic google.com website unreachable."
As this writer has said before,
@ Richard, Doug, all others on the privacy issue:
I like to watch a certain medical TV show. Let's say that the patient of the week has AIDS. The show is known to have occasional medical inaccuracies. (can't be bothered to get it all correct)
So I search for "AIDS", to check the facts.
A few months later, no one will hire me, rent me an apartment, get within 100m of me....
Paranoia? I think not, given how promiscuously (lol) these data get shared *and collated* per user.
One woman sued DoubleClick (since bought by Google), and upon subpoena, found that they had the equivalent of 968 pages of singe-spaced, typed info about her and her personal, medical, drinking, loving, etc. habits. Sorry, waaay too creepy for me.
@ Helland Keller (lol):
To get the complete list of KISS(myarse) scripts, I had to remove Kissm from my blocking Hosts file temporarily, then go to their site, temp-allow their scripting in NoScript, then use a Firefox add-on called JSView, which will display a menu of scripts running, and by r-click, show the full source URL. Then you can open any script as a text-format document.
It would take weeks to search them all, but here are a few interesting lines from one whose source was
(URL sanitized, and only the part after the last / and before the .js extension showed in the menu)
if (navigator.userAgent.match(/(MSIE [7,8,9])|(Firefox\/[3,4,5])|(Opera\/)|Safari|Chrome/i) && !navigator.userAgent.match(/(phone|mobile)/i)
I'm sure someone with tons of time on their hands could go through all of the many scripts there and find lots of smoking guns.
FWIW, I like the JSView add-on (no personal connection to it.)
Simple solution: I just blocked the kissmetrics.com domain in my ADSL router/modem config.
Now everything in my house (wifi or otherwise) is no longer trackable to kissmetrics.
"@ Helland Keller (lol):"
yeah, i liked that too lol.
"Simple solution: I just blocked the kissmetrics.com domain in my ADSL router/modem config."
Oh, great! You blocked a symptom of the problem. For around $20, they can beat that solution at all sites & require every person using your defensive technique to reconfigure their router. Hmm, $20-30 a day for 365 days seems like an affordable way to one-up your solution. Nah, that's not good enough. We must use browser techniques that prevent persistence of data users didn't explicitly want. Otherwise, many more tactics will come that are all based on persistence.
I had posted this method about user tracking using the browser cache in 2006 including a demo:
How is this new?
@ Helland Keller,
"That matters, because this is a different harddrive w/ a fresh load of a different OS"
On the assumption it was realy a clean install that did not bring in past files such as browser history or email addresses or software keys, then there is a couple of hardware options.
The first is inbuilt unique numbers such as your network card Ethernet MAC address, much work on these numbers was done by the likes of MicroSoft to stop pirated installs of their OS and other software. Even CPU chips have serial numbers and the like in them these days hidden away in "semi-mutable" WORM and Flash memory.
The reason for semi-mutable memory in chips is often the same as why the BIOS memory chips on your motherboard are also Flash memory :- UPDATES.
That is the cost of product recall is immense, if you go and look up the cost to Intel of the divide bug it far outweighed the manufacturing cost of new chips. Thus the solution of building in semi-mutable memory allows for the equivalent of "software updates" or patches for the hardware.
A similar idea (FPGA's) came about because "Mask ROM Programing" and "Custom chip production" was way way to expensive for small hardware runs so in the early 1980's it was quite common to see "Progamable And array Logic" (PAL) chips on hardware designs replacing traditional TTL/CMOS chips used as "glue logic". The PAL in turn gave way to "Field Programable" logic, that instead of having an array of fusable links had EPROM or EEPROM that could be changed without the use of a soldering iron or screwdriver. The likes of Cisco use large numbers of FPGA's in their high end routers and switches partly because it gets the design to market much much faster, but also because any problems found later can be easily configured out.
Whilst having Flash and Programable Logic chips makes life easier for the manufacturer, and thus supposadly cheaper for the customer it is also a significant security risk in two ways.
The first is due to "rapid development" it is now accepted that "field upgrades" are a primary requirment and that it should be possible for customers to "instal patches". Thus if a user can change the contents of the semi-mutable memory from a file then so can malware. Although some manufactures have used PK to "sign" firmware code updates most have not, and of those that have one or two have had their short PKs reverse engineered or stolen (Texas Instruments calculators and Stuxnet being an example of each)
The second security problem with semi-mutable memory in the hardware is that of "fingerprinting" that is hardware engineers on having to have put semi-mutable memory in their designs tend to be over generous on the alocation "just to be safe" and then to keep managment of their backs fill it up with "audit/test" information thus providing the rich supply of unique or semi-unigue numbers that enable the likes of Microsofts "tied to hardware licencing" to work and the likes of "snoopware" to track the hardware in use.
NaCl is essentially a binary sandbox. Qt is ported to it. Let's build a Qt based browser INSIDE NaCl (because Qt makes it easier), then make a modified NaCl runtime that stores NOTHING in between sessions, and then let people use that as a secure browser.
Would that work well? AFAIK it would. It's cross platform too (PNaCl will make it possible to run the binaries om ARM too).
@ Richard Steven Hack,
"This is still a minor concern for most people because it just doesn't happen that often"
As tommy noted these people collect anything and everything they can which is very creepy in of it's self. They used to just sell this raw info but that is not nearly profitable enough, they now refine it.
Now there are many and varied ways of refining the raw information and most produce incorect assumptions at best.
One well known and much hated system is peoples "credit rating" used to decide if you are good for "credit". ranging from a mortgauge to such minor things as a monthly mobile phone package. One way uses known past credit history but is expensive to use for small credit items, so somebody came up with the idea of "credit scoring" where you are asked a bunch of questions and these are compared to "norms" if you match you get the credit if not you get the brush off. The problem is a significant percentage of the population who are carefull with their money and would be a good risk cannot get credit by either method. So they are effectivly punished and excluded from some asspects of society because of this.
Now lets look at shop loyalty schemes and those discount vouchers they print out with your till recipt. In some places they are printed out randomly in others they are based on your previous shopping habits.
Now if you chat to store managers you will quickly find out many of those "special offers" they lose money on (effectivly they are breaking the law by selling below cost but that's another matter) and the offer is made not to shift old stock but as an enticment.
Now these same managers will tell you about "shopping Barnacls" these are those people who specialise in buying "below price" by actually using these special offers to full extent. Store managers consider them to be lower life forms than dung beetle grubs, and want to not just eliminate them but activly punish them...
And this is a problem because they can blight your life in many ways (including damaging your credit rating)
One such blight is not forfilling orders, that is they take an order and then deliberatly put one or more items on "back order" not because they cannot forfil your order but in order to annoy you so you go and shop somewhere else in future.
Another is with phone lines, your number(s) are stored in their DB and when you are flagged as a barnacle you then get automaticaly directed to staff known to be poor performers (incompetant or rude etc), thus a double win for managers. The unwanted customer gets rubbed up the wrong way, and the staff member fails to meet target yet again so either leaves or their contract does not get renewed etc.
There are a whole load of other discriminatory ploys activly used by companies, but to do this to their benifit they need to know more and more about you.
And the people most discriminated against are the ones who "have not", and the effect of the discriminatory activity is to widen the gulf between those who are seen as "having" and those seen as "not".
Have a look at,
And figure how these can be used to discriminate against you.
Now lets look at stupid legislation whereby looking for knowledge is used against you, just like various religions used to burn you as a heritic or excommunicate you to drive you from society.
Like Doug C, I'm also a person who needs to have a very wide knowledge of what is going on in many many fields of endevor some of which are realy quite questionable to people who don't think "hinky".
One of the definitions of "renaissance man" is a polymath from the greek "polymathies" meaning "having learned much". But why "renaissance" well if you look at those first "renaissance men you will find the likes of , Leon Battista Alberti and Leonardo da Vinci. They were widely read men of what we now call science who knowingly went against the doctrins and laws of the time to achive the knowledge from one field of endevor to push forwards the boundaries of other fields of endevor, and in the process broke the strangle hold that religion had on European society and so moved us forward into an age of enlightenment.
Thus aside from the historic period a "Renaissance man" is recognizabley different from other polymaths (such as Roger Bacon) in that the considered "all arts" to be open to investigation not just those "permited by authority".
How does that translate to today and modern "stupid legislation" well...
What if you want to work out how to stop an IED from exploding in the way a terrorist or other has designed it to do?
It can with the current funding floating around be a very profitable line of endevor. However you need to know a lot about how those deploying IED's designed it to find the weaknesses and commanalities that allow you an effective negation vector. This requires the research and storing of large amounts of not just IED data but the resources aims and objectives of those building IED's.
This sort of reasearch and collation of data and knowledge about methods motivation and resources of those breaking the law is likewise required with nearly every other area of security.
However it is now effectivly illegal in the UK and many other places to seak out such knowledge and amass or collate it into a usefull form to carry out research or engineering.
Whilst actually not illegal to be in possession of such information it is one of those "anti-terror" targets whereby guilt by association is alledged and confirmed by the holding of such knowledge unless you can show a "good and proper reason" for holding it.
In this respect it's a bit like the old law of "proceading in a public place equiped to commit a crime", which we see a modern version of with "knife law" in the UK.
That is an "officer" of the law and or court decides only "in their unsubstatiated opinion" that your intent, without you actually having done anything others such as a jury of your peers would consider wrong. You are said by a person to be "going equiped to commit a crime" not actually to have committed a crime and be convicted as though you have commited a crime simply because "in their opinion" you were.
Many photographers are only to aware of the "war on photography" practiced in the name of "anti-terror" legislation.
I recently suffered this mindless stupidity recently in that I had a tool kit on me in a public place, part of which was a small bladed knife with a "supposadly" (in the officers opinion) locking blade on it I use as part of my proffessional equipment "to practice a trade" (electrical/electronic equipment installation and repair).
Now it is quite lawfull "to practice a trade" under EU legislation and it is actually a serious offence for people including those in authority to prevent "a person legal or natural of the European Union" carying out such a lawfull trade by confiscating tools or preventing freedom of travel (with the tools) to carry out the trade.
However the Metropolitan Police Service thinks otherwise for "Kiss 4r5e" politicaly motivated reasons that enable them to hide their own serious failings. And as a result I'm currently arguing my way through their bureaucratic nonsense as to "why they are right" even though they have broken the law and I have not. As they view for legally unsupportable political reasons and failings my lawfully purchased, lawfully owned, lawfully used lawfully carried tool "of my trade" as a "weapon" that they are going to unlawfully take from my possession and keep/destroy without going through any lawfull process, just one of threats and intimidation...
And the reason this small bladed knife is such a concern when others with much larger blades are not?
Belive it or not it's a safety feature...
The UK government wants to ban all knives from being purchased owned or used because somebody might stab somebody with it, it is a position supported by ACPO (the unelected "boys club" of senior police officers) because due to their failings knife crime is rising in the UK.
Well the public out cry about such nonsence caused an initial political compramise in that it's legal to carry a small bladed knife provided the blade is not fixed or lock in place. But this rules out simple pocket knives such as the "Swiss army Knife" because it has a "mechanical locking mechanisum" so the outcry continued. So they appeared to compramised a bit and came up with the far more dangerous and harmfull "in an officers opinion" reasoning. That is if an officer decides it's a locking blade then the knife is illegal, unless it is used as part of a trade, which the officer can "in their opinion" decide is not the case if they chose to.
Now anyone who knows anything about knives will know that a locking blade is a requirment for the safe use of a knife. The only apparent exception being the so called "cut throat razor" where the design is such the blade is effectivly fixed to a small handle but the protective cover swings fairly freely so is actually illegal as it's a fixed blade knife with handle with an attached safety case.
Speaking of razors, under the UK legislation even a plastic "safety shaving razor" would be clasiffied as illegal because even that iny blade is fixed into the frame attached to a handle...
This sort of "stupid legislation" actually does considerably more harm than good. First off it means you have to carry an unsafe knife if you want to carry one, or face the risk of an "officer" deciding it's "not for trade" and therefor must be for crime with a long prison sentance.
Secondly it stops people learning to use knives safely, thus people stop using them which in the long term causes a very valuable tool to become not used and thus society as a whole suffers immesurably as a result. Put simply tool use defines us as a species it's what we do better than any other creature and it is what has alowed us to become the societal creatures we have become rather than just "part of the food chain".
This "in an officers opinion" style legislation is extreamly harmfull to society as it engenders fear and oppression and ceeds the direction of society into harmfull culdesacs for politicaly motivated individuals with self agrandisment as their reason for existance or proffit.
Thus any method of restricting peoples behaviour by collecting data on them that might at some point in an "officers opinion" make them guilty of "thought crime" makes society as a whole weak fearfull and prey to easy coersion.
Clive: While I'm fully aware of the knife issue - we have similar problems in the US over bladed weapons, although generally folders are legal depending on blade length - but not in certain buildings such as a Federal building or school (at least in California, I looked this up recently when I was considering a knife purchase - as an ex-felon I need to know this stuff to stay out of jail) - none of this is relevant to the corporate tracking cookies issue.
Going up one level to the issue of possession of information which might cause one to be accused of "not being an upstanding citizen" (read: slave), once again for the average citizen this hardly ever applies - simply because they are slaves and never look for "off brand" information (with the single exception of porn.)
And secondly, as I said above, hardly ANY corporate tracking is done with this intention and the sole real issue is the siphoning up of these databases by law enforcement.
But since law enforcement is doing this ANYWAY in more significant privacy areas as emails, phone conversations, and even your presence in public places via street cameras, I fail to see how the desire of corporate America to see what Web sites you've been to which fall within their product placement interests is really all that ADDITIONALLY serious that it occupies so much more attention.
The real issue is precisely what you point out: the existence of "thought crime". By complaining about normally irrelevant corporate customer tracking, you're focusing on just one tool which, I repeat, for 99.9999 percent of the population simply isn't a threat. It's a threat only to people like US who burrow into "thought crime" territory.
Tommy: "So I search for "AIDS", to check the facts. A few months later, no one will hire me, rent me an apartment, get within 100m of me...."
Really, that is a serious overreaction. Cite a case. Cite ten thousand cases. It's still a drop in the bucket that won't apply to nine nine percent of the population. I assert that even citing a dozen - or a hundred - other equivalent scenarios still won't amount to anything for the bulk of the population. Most people simply will never see this problem.
Now in CREDIT REPORTING, this is an issue. You can easily be denied an apartment rental if some wrong stuff ends up on a credit report. I've had this happen to me. But I doubt any of this normal corporate cookie tracking ends up in an actionable credit report.
"Paranoia? I think not, given how promiscuously (lol) these data get shared *and collated* per user. One woman sued DoubleClick (since bought by Google), and upon subpoena, found that they had the equivalent of 968 pages of singe-spaced, typed info about her and her personal, medical, drinking, loving, etc. habits. Sorry, waaay too creepy for me."
The issue is not what or how much data is collated, but how it is used against one. And in this respect, I repeat, 99.9999 of the population will never have a problem any where close to that.
My guess is in the DoubleClick case you cite, those 968 pages were simply a list of a profligate Web surfer's URLs which would be easy to do and completely irrelevant. Because you can't compile 968 pages on most people short of Angelina Jolie without throwing in a ton of irrelevant garbage.
If anything, DoubleClick was a victim of information overload if they had that much info on one person. Again, unless that person was being singled out, her data was simply dumped into some aggregate figures via data mining and was thus useless in pinpointing her for any real actionable problem.
And even then, the question remains: what harm did she actually experience from those 968 pages?
Creepy? Sure. But that's an emotional reaction you choose to make. I don't. I couldn't care less what random corporations know about me. I'd be far more concerned about the government tracking my Web searches. Except I know that I'm such small potatoes - like, again, over 99 percent of the population - that the government can't and won't waste any effort tracking me. At least, not until I actually do something that makes me a threat - which again doesn't apply to over ninety five percent of the population.
The one place where this sort of tracking might affect some people is the no-fly list. Since we don't know how people get on that list, I wouldn't be surprised if some people end up there because of some sort of bulk surveillance of emails, blog posts, phone calls, etc.
But even then, I REALLY doubt anyone winds up there because the Feds found some corporate tracking cookie that says they visited "Bad Guys.com"...
Yes, this issue is paranoia. Or a simple distaste of being watched - even when the watcher can't tell you from Adam in the real world which is the situation at hand.
Knowing a lot of random data about someone is the same as knowing nothing about that person until you can make sense of it. As others have pointed out, with all this data companies such as Google STILL can't present ads that get my attention! It's just too hard a problem.
If you're someone who might be in danger of being tracked or actually hunted by the government, then having this information out there is a threat. If you go on the run, knowing this stuff can help people find you unless you know enough to change your habits.
If you're not, it's not.
Unless, if course, it falls into the hands of a hacker who can use it to compromise a system or identity theft. :-) I'm surprised no one has mentioned that as the most obvious risk today of corporate tracking.
But even there, random information might be good for ancillary ID, but primarily what an identity thief is looking for is specific credential data - and that is everywhere and usually entered voluntarily and not by siphoning up tracking cookies. So once again, this sort of thing is not really a threat to the bulk of the population when the real issue is how your SSN is effectively a National ID.
And there's this reality:
53% of mobile users happy to hand over location data for discounts
Lately, mobile device users seem to be more aware than ever of privacy issues tied to sharing their location. But what do consumers love more than keeping a handle on their own privacy? Discounts. According to a report from mobile engagement firm JiWire, more than half of all consumers are willing to exchange their mobile location data for content that is relevant to them at the moment, such as coupons, promotions, directions, and product information.
Additional Meme: There is no privacy. Suck it up.
@ Richard Steven Hack,
"The real issue is precisely what you point out: the existence of "thought crime"."
Yes but what is "thought crime", put simply it's somebody looking to convict somebody for reasons of an agenda. It does not matter if a crime has been commited as long as the political impression is given that one has.
For instance today on the UK BBC news and Russian RT news channels they have stories running about two people in the UK jailed for four years for aledgadly insighting a riot via facebook.
The thing is there was not a riot and people interviewed who had knowledge of this tiny (supposadly private) facebook group indicated that what they had posted was clearly sarcasm/humour and no way an attempt to start a riot. If what has been said on these news channels is true then justice has not been served by the action of the court, mearly a kowtow to political preasure which has backfired.
"By complaining about normally irrelevant corporate customer tracking, you're focusing on just one tool which, repeat, for 99.9999 percent of the population simply isn't a threat."
But is it 99.9999 percent? are you talking about the number of randomly selected scapegoat "examples of justice being seen to be done" or the people who are available for random selection as "examples"?
Arguably the US has no home grown muslim terrorists but any muslim or person who looks like a muslim is a target to become an "example" in some way, and US muslims are only to aware of this in the way they are treated by other US citizens and the authorities. Some dare not fly to see relatives abroad for the fear of what might happen to them others nolonger use the Internet or even read forign newspapers from the fear of the impression it might give.
But it is not just religion or foreigners that are being targeted, it is becoming clear that the US Government has for whatever reason decided that "ECO-awarness" is a threat to corperations and the politicos they "pay off" via lobbying. They appear to belive that ECO-awarness is a threat like no other before it and they have thus decided to brand any ECO-actavist a terrorist and some have made it onto the FBI "most wanted" list for crimes that are considerably less than plain old fashioned arsonists of which the US has many.
Already judges have had their "pumps primed" and any civil disobediance or minor criminal activity involving "ECO" activities are receiving unrealisticaly harsh sentancing. And sometimes being imprisoned for lengthy terms without being charged or convicted. Those that have been convicted then find themselved being moved to one of two special federal "Communications Managment Units" that have been described as "baby gitmos in the US heartland".
In one case of a civil protestor the prosecuter baldly stated to the court that a defendant was a terrorist because ECO and anarchist literature had been found in their possession. Which appeared to be a refrence to accademic information they possessed in books and web downloads...
Now you might count that in as part of,
"It's a threat only to people like US who burrow into "thought crime" territory."
But the point is, what many people might do about any number of things today may not be regarded today as illegal, questionable or abnormal. But tomorow for want of a new "enemy within" be treated as terrorist activities by politicos looking to bolster their flaging ratings and federal and other agents willingly hopping onto the bandwagon to improve their position.
The US saw this with the Joe McCarthy "Anti-American" hearings and anti-communist campaign in the decade following the late 1940's, which ostensably were used to remove any opposition to Republican sponsoring companies and organisations. And many Americans who lived through it's effects think it is happening all over again...
The problem with "witch hunts" is anybody can be accused of being a witch, and evidence will be found to prove they are a witch, irrespective of if it is even possible to be a witch. You might only burn one person in a million but potentialy anybody in society can be accused.
France saw this with the revolution anybody could be denounced without evidence and be treated to that short climb to Dr Guillotine's humane execution device, just to ensure the revolution was seen to be being kept pure...
Clilve: All very good points about society in general.
But I submit rather removed from the probability of MOST PEOPLE being affected by them SPECIFICALLY as a result of corporate cookie tracking. Which is the point I'm making.
And the other point I'm making is that if and when this sort of thing does happen to enough people to become a real issue for the average citizen, it will be presaged and potentiated by the much more serious privacy violations committed by governments - not by corporate surveillance of people's browsing habits.
When someone like DoubleClick comes along and lists 900 pages of your browsing habits once you're in court for some "thought crime", the only reasonable response is: "So what?" You're ALREADY in trouble and anything you say can and will be used against you because that's what "thought crime" is all about - perception, not reality.
And you can't win that game - ever - if you're in the victim's position.
So worrying about how much your browsing habits contributed to that victim posture is focusing on the wrong thing completely.
If one is that worried about this sort of scenario, then one's only recourse is to simply stop doing anything that might be even remotely considered "thought crime".
And that means you're a victim already. The minute you clear your browser cache because of this sort of paranoia, they have your ass.
"And that means you're a victim already. The minute you clear your browser cache because of this sort of paranoia, they have your ass."
Don't take it too far out of context. In the majority of cases, you want to clear your browser cache when your twelve year old cousin comes over and uses your computer...
And panicking about governments tracking you is imho the same kind of paranoia as panicking about corporations tailing you 24x7. I do side with tommy and Clive here, and consider such unwanted behaviour unjust and an invasion of privacy.
I just can't help but liking your meme(s). :o)
I suppose they are true in that if you don't know or don't care, there's no security (or privacy). But we do care...that's the difference.
1. A simple "clear cache" deals with it
2. Safari doesn't send "if-none-match" which renders this technique useless on safari (and probably iOS)
Vles: "In the majority of cases, you want to clear your browser cache when your twelve year old cousin comes over and uses your computer..."
Of course. I meant clearing your cache when you do a Google search, for example. Actually, after some kid uses your machine, a wipe and reinstall might be indicated...unless you're on Linux... :-)
"And panicking about governments tracking you is imho the same kind of paranoia as panicking about corporations tailing you 24x7."
Panicking, yes. Noting who does more of it isn't. The government is much more of an actual threat since they have the guns, and McDonald's doesn't.
"I do side with tommy and Clive here, and consider such unwanted behaviour unjust and an invasion of privacy."
Never said it wasn't. Just saying it's not a comparable threat as other forms.
"I just can't help but liking your meme(s). :o)
I suppose they are true in that if you don't know or don't care, there's no security (or privacy). But we do care...that's the difference."
No, they're true whether you care or not. That's the point. It's how you deal with it that differentiates "us" from "them". "We" haz better security (and privacy) than "them" - but we still can't haz "security" or "privacy".
Once again, the only way to have "security" is to meet the following conditions:
1) No one knows who you are.
2) No one knows where you are.
3) No one knows your motivations or purpose.
4) You are mobile.
5) You have overwhelming local firepower.
Anyone who doesn't meet those conditions who thinks he has security or privacy is just lucky he hasn't run into the circumstances to prove him wrong...yet.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.