Evercookies: extremely persistent browser cookies

For discussions about security.
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#16 Post by Flash »

nooby wrote:
Edit

Sorry I lure us to go off topic. We have to take this by private message instead Okay.
Please don't do that, it makes the forum less useful. Start a new thread for the new topic instead. :)

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#17 Post by jpeps »

8-bit wrote:Anyone know if a plugin called Better Privacy works?
http://murga-linux.com/puppy/viewtopic.php?t=60978

calexand
Posts: 75
Joined: Fri 20 Nov 2009, 18:30

#18 Post by calexand »

Hello all,
BleachBit 0.8.1-1 deletes EverCookies on Firefox version 3.6.9 and later, only useful with FF. I installed bleachbit_0.8.1-1_all_ubuntu1004.deb in PuppyStudio2.1 (luci/lupu 5.07) and it works perfectly.
CA

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#19 Post by Flash »

How do you know it got rid of 'em all?

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#20 Post by PaulBx1 »

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser.
Ugh. Some people really need to be dipped in a vat of boiling oil. :x
Wow we have to talk to politicians that there should be laws and filter for such cookies set up on every ISP in a country or that ISP would lose license to have internet access... We have to go together in strong consumer organizations and fight back this total control society we are heading into.
Geez, nooby, if you don't like total control, don't go running to government for every little thing! :roll:
By way of script

delete the flash information
delete all browser .sqlite files
delete all browser cache


I do this a few times a day on a 'hard day browsing'
I don't do anything at all. I just wonder if there is any good for the user in cookies, or if they are all bad. Or if they are nothing much, one way or the other? Every time I have read about them I haven't seen the need for concern, but maybe I'm not paranoid enough? If I go around deleting all my cookies, I wonder what utility from them I would lose, not to mention now having to worry about evercookies?

What's the worst way cookies are abused? I want to know if I should get exercised about them...

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#21 Post by Lobster »

What's the worst way cookies are abused? I want to know if I should get exercised about them...
Commercial data collection and redirection.

By reading your browser habits you might be redirected by
a specific site to pages they feel more likely to encourage you to spend money.

I should imagine that security agencies also periodically scan and sift browsing habits to see if you are reading 'Jihad for fun and prophet'.
So the latest spook data mining project is probably using cookies and supercookies as part of their arsenal. I have no evidence for this but it would seem sensible.

Does not worry me. Does not need to worry the average Puppy.

Tin-hats are quaking at the possibilities of data collection imaginings . . . :roll:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

calexand
Posts: 75
Joined: Fri 20 Nov 2009, 18:30

#22 Post by calexand »

@ Flash--I don't know personally. They did (do?) have a demo on their web site regarding such removals.
Have used this, in various versions, for months. Works very well!
CA

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#23 Post by 8-bit »

If I make a multisession DVD of Puppy and run it like Flash does and select DO NOT SAVE when I shut down, will those Evercookies disappear as I have not saved the session?
In other words, save downloads to a USB Flash drive or hard drive and nothing else for truly safe browsing.

calexand
Posts: 75
Joined: Fri 20 Nov 2009, 18:30

#24 Post by calexand »

@ Flash--http://bleachbit.sourceforge.net/news/b ... evercookie

This is the site with the EverCookie removal test/example.
Also appears to now work with other browsers (YMMV).
CA

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#25 Post by Flash »

8-bit wrote:If I make a multisession DVD of Puppy and run it like Flash does and select DO NOT SAVE when I shut down, will those Evercookies disappear as I have not saved the session?
In other words, save downloads to a USB Flash drive or hard drive and nothing else for truly safe browsing.
If you don't save when you shut down, where could the cookie be saved? Conceivably it could be saved on any drive that gets mounted during the session, but that would require a truly awesome level of sophistication on the part of the cookie designers. Why would they bother? I guess the NSA could be monitoring your computing habits with them.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#26 Post by jpeps »

I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves. My own approach to a secure environment containing sensitive data consists of a pen drive running a cheapo laptop with no OS or mounted drives, using self-written apps where the data is immediately removed into a remote encrypted file.

basic .mozilla, .macromedia script: kill browser; remove anything added; restore anything changed (alter to suit).

Bruce B

#27 Post by Bruce B »

jpeps wrote:I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves. My own approach to a secure environment containing sensitive data consists of a pen drive running a cheapo laptop with no OS or mounted drives, using self-written apps where the data is immediately removed into a remote encrypted file.

basic .mozilla, .macromedia script: kill browser; remove anything added; restore anything changed (alter to suit).
Hi jpeps,

I wish we had two forum sections for our Security section, (1) for Security and (2) for
Privacy

Since time began, websites have been able to write cookies via our browsers. Maybe the
intent was benign, it doesn't matter. There are ways to thwart this behavior and if I can offer
tips about some of the things I've done, please let me know.

In my opinion this is not a security vulnerability, rather a privacy exploit. It is a cookie
which is a tracking device. But it is clearly not a nice cookie. It's the kind of things bad
guys do: stalk us.

Now that we know about it, the power can be back in our hands. If anyone wants help
getting their power back because they don't know how, please write, I'll try and help.

I wish I didn't have to write what I'm about to write, but for the sake of those generally
interested, well, our movements are already being tracked quite effectively. This happens
even without the presence of cookies.

And for those concerned there is a lot we can do about it. Actually, with some work, it is
pretty feasible to be virtually unknown on the Internet.

Kind regards,


Bruce

Bruce B

#28 Post by Bruce B »

PaulBx1 wrote:Every time I have read about them I haven't seen the need for concern, but maybe I'm not paranoid enough?
Paul,

Mostly you are correct. The 'need for concern' is that stalkers are able to track you across
multiple domains. This means basically, they can collect a lot of data on you.

But they collect data on hundreds of millions of web users.

My reason for wanting to mess with their operations is primarily because I don't like
Stalkers, Peeping Toms or someone 'reading over my shoulder'.

I think it boils down to personal preferences or perhaps in my case personal pleasure.
Meaning I enjoy thwarting them.
PaulBx1 wrote:If I go around deleting all my cookies, I wonder what utility from them I
would lose, not to mention now having to worry about evercookies?
My practical approach is focused not so much on deleting cookies, rather on saving
cookies I want to save.

For an example, I have to sign into some sites, so I save those cookies.

Remember that a script associated with an icon takes literally less than a second to run
and clean things up. So it is super easy work.

Albeit writing the script requires some thought.

In all candor, I think your life and online life will be the same regardless of your cookies.
Except, if you start noticing advertisements which seem too close to who you are and your
interests, then, well, someone's got you figured.

Best regards,


Bruce

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#29 Post by PaulBx1 »

I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves.
Yeah, Heaven forbid that anyone should make a profit. :wink:
Except, if you start noticing advertisements which seem too close to who you are and your interests, then, well, someone's got you figured.
I have noticed that, but rarely. But who cares? Someone offers me stuff that I then decline to buy. Happens every time I walk into a grocery store.

It can get to the level of an annoyance. Half my emails are offers to buy reproductive help, which I don't need yet. :) But even that is a 30-second job to throw them away.

It's funny, on other matters I am a privacy fanatic. I hate the proliferation of cameras in public, and am eagerly awaiting the day when people shoot them down with .22 rifles. I hate the banks reporting to the government, and the tracking of credit card transactions, and of phone records. I hate the notion I'm supposed to run everything by some bureaucrats when I want to do something with my property; and I didn't bother to register with the authorities when we decided to homeschool (none of their damn business), and if I carry a gun or not is also nobody's business but my own. But I guess I just look at the Internet as being out in the public. I can see other people, and they can see me. And it's not like my opinions aren't out there, scattered all over the Internet. Everyone who has seen my stuff knows I am an anarchist and that I think the ruling class are a bunch of lowlife scum and parasites. No privacy there...

The thing I don't like about these evercookies is the notion that some outside agency can do things to my computer that I don't know about and don't approve. If they can store cookies in hidden recesses of my OS, they can store kiddie porn there too. It's not a privacy issue so much as an issue of control of your stuff.
My practical approach is focused not so much on deleting cookies, rather on saving cookies I want to save.

For an example, I have to sign into some sites, so I save those cookies.
But, does that work with evercookies? Do they even bother to ask you?

What is the mechanism for saving cookies you want to save? I'm not aware one has that fine a control of it. Maybe I'm missing something.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#30 Post by nooby »

Here is something related.

If you are on an open hot spot say Cafe or Library, some transport station Lobby? or Hotel Lobby or company that allows you to surf on their wireless.

Then there exists now this week an addon to Firefox that allows people to catch the cookies that a lot of sites make use of.

Facebook

Google log in
Yahoo login

Twitter

and many more.

Just some 30 seconds and they have same username and log in as you just gave and some say it helps to use https and some say that does not protect you.

So we have to look into that one too. It was some guy that released it on a conference this week or week before. Very many have already downloaded the exploit.

So easy that every school kid can use it.

Very sad situation because I bought a computer and a smartphone for to use on such open access points and not that is to no usage almost because they can access all I do using that free program.

It is mentioned all over the many sites that tell such things.

PCWorld? CNet, BBC, CNN I trust everybody has it.

Both our biggest Tabloids had it today.
I use Google Search on Puppy Forum
not an ideal solution though

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#31 Post by jpeps »

PaulBx1 wrote:
I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves.
Yeah, Heaven forbid that anyone should make a profit. :wink:
Hi PaulBx1,

Don't get me wrong...I'm in total agreement with you that others should have the right to plant whatever on your computer :)

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#32 Post by PaulBx1 »

Just some 30 seconds and they have same username and log in as you just gave
You shouldn't do anything on an open wifi connection other than, say, check the weather. Anything more than that is asking for trouble. Even logging into a website is not a good idea, unless you don't mind handing your password out to everyone. Email? Forget it.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#33 Post by nooby »

Hahahah Paul you should have told me that one year ago and I had not bought the Acer 10 inch screen Nettop I used now and not the two android smartphones either.


I bought these to use at open spots to check emails and forum entries when I travel.
I use Google Search on Puppy Forum
not an ideal solution though

Jasper

#34 Post by Jasper »

Hi,

For those who are not already aware - Firefox 3.6.12 (with a security fix) is available today if you need it.

My regards

My apology - I have now put this message in a new thread in this section.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#35 Post by Flash »

Here's an interview of the creator of the Evercookie, Samy Kamkar. Very instructive.
TechRepublic: What is an Evercookie and why did you develop it?

Samy Kamkar: Evercookie is a JavaScript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they’re protected from web sites that track like this.


TechRepublic: Is the installation process automated or does the user have to initiate it?

Samy Kamkar: No, the client simply visits the web site. There is no indication that persistent data is being set, exactly like a website with standard HTTP cookies.
