Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 22 Oct 2014, 17:59
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Evercookies: extremely persistent browser cookies
Post new topic   Reply to topic View previous topic :: View next topic
Page 3 of 4 [50 Posts]   Goto page: Previous 1, 2, 3, 4 Next
Author Message
jpeps

Joined: 31 May 2008
Posts: 3220

PostPosted: Tue 26 Oct 2010, 20:51    Post subject:  

PaulBx1 wrote:
Quote:
I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves.


Yeah, Heaven forbid that anyone should make a profit. Wink



Hi PaulBx1,

Don't get me wrong...I'm in total agreement with you that others should have the right to plant whatever on your computer Smile
Back to top
View user's profile Send private message 
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Wed 27 Oct 2010, 20:49    Post subject:  

Quote:
Just some 30 seconds and they have same username and log in as you just gave


You shouldn't do anything on an open wifi connection other than, say, check the weather. Anything more than that is asking for trouble. Even logging into a website is not a good idea, unless you don't mind handing your password out to everyone. Email? Forget it.
Back to top
View user's profile Send private message 
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Thu 28 Oct 2010, 02:09    Post subject:  

Hahahah Paul you should have told me that one year ago and I had not bought the Acer 10 inch screen Nettop I used now and not the two android smartphones either.


I bought these to use at open spots to check emails and forum entries when me travel.

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Back to top
View user's profile Send private message 
Jasper


Joined: 25 Apr 2010
Posts: 1144
Location: England

PostPosted: Thu 28 Oct 2010, 08:32    Post subject:
Subject description: Firefox 3.6.12 out now
 

Hi,

For those who are not already aware - Firefox 3.6.12 (with a security fix) is available today if you need it.

My regards

My apology - I have now put this message in a new thread in this section.
Back to top
View user's profile Send private message 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11119
Location: Arizona USA

PostPosted: Tue 02 Nov 2010, 23:51    Post subject:  

Here's an interview of the creator of the Evercookie, Samy Kamkar. Very instructive.
Quote:
TechRepublic: What is an Evercookie and why did you develop it?

Samy Kamkar: Evercookie is a Javascript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they’re protected from web sites that track like this.


TechRepublic: Is the installation process automated or does the user have to initiate it?

Samy Kamkar: No, the client simply visits the web site. There is no indication that persistent data is being set, exactly like a website with standard HTTP cookies.
Back to top
View user's profile Send private message 
jpeps

Joined: 31 May 2008
Posts: 3220

PostPosted: Wed 03 Nov 2010, 02:29    Post subject:  

In short, a challenge to act against the best interests and desires of the owner of the computer; very stupid and at best, bad business.
Back to top
View user's profile Send private message 
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 03 Nov 2010, 04:10    Post subject:  

Hope I am not too naive.

What one need to do then is some program that recognize when an Evercookie is about to be set and that that program just pretend that all works by giving faked confirmation all has been set up and as the evercookie wants it but in reality that sites evercookie is blacklisted in some list so it is not set next time either?

Does it help to do like some told us that they made an ever updated pupsave.

so when one start anew in the morning the pupsave of yesterday get scrapped and the backup are loaded and that way nothing that did happen change that backup?

One store things one want to keep like email and html pages and pics and muic outside of pupsave and only reuse a never write to back up that is reused again and again?

I guess those that use a CD with puppy is like that

for us with frugal they can write anything to our HDD I guess.

One would need a program that looked for evercookies and be able to erase them. .

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Back to top
View user's profile Send private message 
jpeps

Joined: 31 May 2008
Posts: 3220

PostPosted: Wed 03 Nov 2010, 04:19    Post subject:  

Flash wrote:
Here's an interview of the creator of the Evercookie, Samy Kamkar.


Example of accurate targeting when clicking on the above link:

Italian Cookies, Biscotti
Perfect gift, easy online ordering.
Back to top
View user's profile Send private message 
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Wed 03 Nov 2010, 13:10    Post subject:  

Quote:
In short, a challenge to act against the best interests and desires of the owner of the computer; very stupid and at best, bad business.


Well, I suspect the point was that, if he could develop them, others could and probably have developed them. Better to get the issue out on the table before they have taken over half the world's computers and filled them with garbage.

Sounds like noscript can prevent them. I suppose I ought to try it yet again...
Back to top
View user's profile Send private message 
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

PostPosted: Thu 04 Nov 2010, 19:50    Post subject:  

I hope in this post to make the Evercookie seem less fearsome,
more understandable and very easy for us Puppy users to clean up.


- Macromedia Super Cookies

Websites can use your macromedia flash files to track you across multiple
domains. Flash is not a part of your browser and it doesn't have
controls over the data Macromedia stores.

We have control!

/root/.macromedia is the parent directory where the data is stored. If you
don't want to be tracked by the content in those sub-directories, delete
the parent.

Edited to add: it will recreate itself, so the deleting should be part of your
normal keeping things clean routine. The recreating itself means it will make
new directories and store new data. Once deleted the previous data is
history.

I mention the /root/.macromedia directory because it is a portion of the
technology the Evercookie uses

- Silverlight isolated storage

I'm not even using it. To the extent the rest of us are not using it, there is
no Silverlight exploit.

- HTML5 - Various Storage Locations

Don't kill me with fearsome generalities. We are running specific operating
systems and browsers.

The OS here is Puppy Linux. The browser is SeaMonkey. (or whatever the
user or puplet installed)

SeaMonkey stores its cache under the parent directory /root/.mozilla in a
directory called Cache

Every time we empty the Cache we also empty the supposed but
non-existent various HTML5 storage locations.

- Clearing your private data

Google is main sponsor for Mozilla. Need I say more?

Google doesn't seem to believe in deleting data, not in my opinion. Don't
play fool to thinking setting your Mozilla browser really deletes data by using
browser settings.

If we are serious about deleting private data, write a script to delete the
*.sqlite files in the profile directory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

End of post. The Evercookie is gone as well as a lot of other tracking
information stored on YOUR PERSONAL computer.

~

_________________
New! Puppy Linux Links Page
Back to top
View user's profile Send private message 
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Thu 04 Nov 2010, 23:10    Post subject:  

Bruce, you mentioned the sqlite files before. I guess I don't understand how you can delete all of them, since that includes (for example) signon.sqlite. I couldn't function without site login information stored in the browser. No way I could remember every login.
Back to top
View user's profile Send private message 
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

PostPosted: Thu 04 Nov 2010, 23:50    Post subject:  

PaulBx1 wrote:
Bruce, you mentioned the sqlite files before.
I guess I don't understand how you can delete all of them,
since that includes (for example) signon.sqlite. I couldn't
function without site login information stored in the browser.
No way I could remember every login.


PaulBx1,

I understand exactly what you mean.

For others, deleting the *.sqlite means all the information in
them is gone. But you don't necessarily want to keep
deleting all the information because some of it you want.

I've been learning Windows XP lately, so first I'll explain how
it did it with XP.

1) delete all *.sqlite

2) when the browser starts it will make fresh *.sqlite files

3) go to the trusted sites you regularly visit and enter your
login information

4) after you have done this, shut down the browser.

5) copy all the *.sqlite files (which have basically only
information you do want) to a different directory, such as
one level up

6) make a batch file to delete the *.sqlite files in the profile
directory and copy back the ones which have the login
information you want

~~~~~~~~~~~~~~~

You can use the same basic technique with the Linux bash
script.

~~~~~~~~~~~~~~~

Now I'll offer an experiment for anyone who wants to do
some testing.

In Windows go through step 4 and make the files read-only

In Linux go through step 4 and make the files immutable
using the chattr utility. I don't remember if the operative
switch is -i or +i , I think it is +i, if so the command would
be:

chattr +i *.sqlite

~~~~~~~~~~~~~~~~

I learned to do this in the Netscape days. There was a
period in time where a lot of sites wanted cookies enabled. I
made the cookie file read-only and no site ever balked.

Moreover, it seemed they had the cookie feedback they
wanted, which caused me to suspect the cookie information
existed in some cache even though it was never written to
disk.

~~~~~~~~~~~~~~~~~

In conclusion, the first steps I outlined do work. It requires
a little work to get it setup, but once setup it is a piece of
cake.

The read-only / immutable portion of the post would be
experimental insofar as I haven't tested it. But I think it
stands a good enough chance of working, that its worth a
try.

Bruce

One last thought. The sqlite files are binary. Puppy's strings
utility will display text in these binary files. A hexeditor will
also.

If anyone has some sqlite files that have been in use for a
while, and you want to see the contents, you'll get an idea
of kind of personal data they contain.

Also, and very importantly, they were mentioned as a
storage point for the topic of discussion: Evercookies

~

_________________
New! Puppy Linux Links Page
Back to top
View user's profile Send private message 
droope


Joined: 31 Jul 2008
Posts: 814
Location: Uruguay, Mercedes

PostPosted: Fri 05 Nov 2010, 12:51    Post subject:  

Hiya Smile

Cookies are no way evil...

or harmful...


Just information being stored. Smile

Aaanyway, noscript + blocking flash kills evercookies. Smile

Regards,
Droope

_________________
What seems hard is actually easy, while what looks like impossible is in fact hard.

“Hard things take time to do. Impossible things take a little longer.” –Percy Cerutty

Mi blog (Spanish)
Back to top
View user's profile Send private message 
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

PostPosted: Sun 07 Nov 2010, 00:15    Post subject:  

droope wrote:
Hiya :)

Cookies are no way evil...

or harmful...


Just information being stored. :)


Cookies are tracking devices.

People's main consideration about them would be 'privacy related', which is
why I'd much rather this forum had a section for Privacy and another for
Security.

I like Trackers in cyberspace about as much as I do Stalkers and Peeping
Toms in the real world. Which is not at all.

droope wrote:
Aaanyway, noscript + blocking flash kills evercookies. :)


The Evercookie uses JavaScript APIs do to it's dirty work. So, if JavaScript
is turned off one wouldn't get this kind of cookie.

But turning it off wouldn't delete the cookie if it existed. It would prevent it
from being used.

_________________
New! Puppy Linux Links Page
Back to top
View user's profile Send private message 
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Sun 07 Nov 2010, 02:58    Post subject:  

And if one turn of java then many sites refuse to let one make a comment or write in their forum or to read the text until one allow at least the major Ad provider to show their ad and then one see the text one look for.

So it is not easy. I try to use NoScript in FireFox but Opera and Chrome have their own Ad blockers and those are too difficult for me to learn how to use.

So I am kind of locked to use FireFox and as far as I know they have no addon yet for an EverCookie?

But are EverCookie being used now on many sites? First I thought that almost every big site used them and now I rad that it is only a concept a guy showed off and almost none use them but that in the future maybe a lot of sites would?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 3 of 4 [50 Posts]   Goto page: Previous 1, 2, 3, 4 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0968s ][ Queries: 12 (0.0047s) ][ GZIP on ]