Government Google Privacy Security

NSA Uses Google Cookies To Pinpoint Targets For Hacking 174

Hugh Pickens DOT Com writes "For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them. Now the Washington Post reports that the NSA secretly piggybacks on the tools that enable Internet advertisers to track consumers, using 'cookies' and location data to pinpoint targets for government hacking and to bolster surveillance. The agency uses a part of a Google-specific tracking mechanism known as the 'PREF' cookie to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. 'On a macro level, "we need to track everyone everywhere for advertising" translates into "the government being able to track everyone everywhere,"' says Chris Hoofnagle. 'It's hard to avoid.' Documents reviewed by the Post indicate cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. Google declined to comment for the article, but chief executive Larry Page joined the leaders of other technology companies earlier this week in calling for an end to bulk collection of user data and for new limits on court-approved surveillance requests."

  • by Rosco P. Coltrane ( 209368 ) on Wednesday December 11, 2013 @06:15AM (#45658935)

    Big data monopolies like Google are the stuff of nightmare for privacy-minded individuals.

    But there's a silver lining to that particular cloud: as the most important player in the field, they're the most visible target for abuse of all kinds. Which means that you have a better chance of dodging the abuse if you simply don't put yourself in the center of the target, by not using any Google product.

    Kind of like when Windows had the lion's share of the OS market, and you could avoid most viruses by running another OS, not because the other OS was more secure, but because virus writers had a better return on investment writing viruses for Windows and left your fringe OS alone.

  • I'm just waiting... (Score:5, Interesting)

    by gmuslera ( 3436 ) on Wednesday December 11, 2013 @06:39AM (#45659003) Homepage Journal

    till some hacker group uses NSA backdoors to cause mayhem in US computers. Cookies are more or less harmless, as most of the privacy you lost with them is already lost by some other NSA program. But the NSA (and associated groups) backdoors are a bit more versatile, they are prepared to go into offensive mode [schneier.com], and probably a lot of US citizens have them installed (I don't think it is limited to just Tor [slashdot.org], or social networks [slashdot.org] users).

    And yes, they can cause mayhem in non-US computers, but how do you know that it wasn't intended to happen by the NSA or some related company? The bombs are already in place.

  • by erikkemperman ( 252014 ) on Wednesday December 11, 2013 @06:40AM (#45659005)

    The EU is right on this one...

    I'm not so sure about that. I am afraid this is one of those deals where the compromise (require the user be presented with an opt-out) turns out to be worse than either of the proposed "pure" alternatives (do not regulate tracking at all, vs disallow all tracking, period).

    Because what happens is a site says: either allow my cookies or I will not, or not fully, serve you. And because the average user is basically an idiot -- as is true for any large group of people, and in many instances of course it includes myself -- they go for it.

    Tracking not reduced for all but a tiny minority of paranoids and actual baddies, and the ad companies can now say they do it with users' consent.

    This PREF cookie is an especially nasty piece of work, seeing how it rides on the very Safe Browsing system that Google "generously" facilitates to protect against online malware. Check the link in TFS.

  • Self destruct cookie (Score:5, Interesting)

    by pmontra ( 738736 ) on Wednesday December 11, 2013 @07:03AM (#45659075) Homepage

    This Firefox plugin [mozilla.org] deletes the PREF cookie and all the others as soon as you close a tab. This means that it's created again every time with a different value.

    I went to YouTube and got this (I must split the values with spaces because /. complains about long strings of letters)
    google.com PREF ID=b59d89f696da3efa:FF=0: TM=1386759139:LM=1386759139:S=mRC2qiDMZ3ir_5JK
    google.com NID 67=c1dV2B25sq3P2XdfPrBzGx9yb89H089A9yORn8UeoYGlGbjOUIbHPs03t_7JesDo_7NcnT UlDm90BZEpoSPX9A7FmbYORqBl5WwLmUiCzjreycq2wGE1rAMOSuXlFaZg

    I closed the tab, waited for the cookie destruction message, went to google.com:
    google.com PREF ID=024924c1c44d8beb:U=9b9ed7f900bfc1f0:FF=0: TM=1386758246:LM=1386759139:S=GCtQO6AoyqL-fqze
    google.com NID 67=lPuV792TXm6MLVCnzVYUN-U2Q7B-XRd1d5xCYp7DXjvXvKzEjxtn99DTIbvaFFIg9a8uk2 AmkokD1TaYRnXL3iNA9SrPc1hj3611xY66gObS6pCY4jTTMeQpF6YHLJnn

    Different. Well, mostly different. That LM=1386759139 in both PREF worries me. I should understand what it is for.
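
The comparison made by eye in the comment above can be done field by field. This is an added example, not part of the original post: it splits the two PREF values quoted there on `:` and `=`, reports which fields survived the cookie deletion, and (as an assumption about their format, not a documented meaning) renders 10-digit numeric values as Unix timestamps.

```javascript
// Values copied from the comment above. The poster inserted spaces to get
// past Slashdot's long-string filter, so whitespace is stripped before parsing.
const prefFirst = "ID=b59d89f696da3efa:FF=0: TM=1386759139:LM=1386759139:S=mRC2qiDMZ3ir_5JK";
const prefSecond = "ID=024924c1c44d8beb:U=9b9ed7f900bfc1f0:FF=0: TM=1386758246:LM=1386759139:S=GCtQO6AoyqL-fqze";

// Split "K=V:K=V:..." into an ordered Map of field name -> value.
function parsePref(value) {
  const fields = new Map();
  for (const part of value.replace(/\s+/g, "").split(":")) {
    const eq = part.indexOf("=");
    if (eq <= 0) continue; // skip empty or malformed segments
    fields.set(part.slice(0, eq), part.slice(eq + 1));
  }
  return fields;
}

// Classify every field as unchanged, changed, or present on one side only.
function diffPref(a, b) {
  const fa = parsePref(a), fb = parsePref(b);
  const result = { same: {}, changed: {}, onlyA: [], onlyB: [] };
  for (const [k, v] of fa) {
    if (!fb.has(k)) result.onlyA.push(k);
    else if (fb.get(k) === v) result.same[k] = v;
    else result.changed[k] = [v, fb.get(k)];
  }
  for (const k of fb.keys()) if (!fa.has(k)) result.onlyB.push(k);
  return result;
}

// Assumption: a 10-digit all-numeric value is read as Unix seconds (UTC).
function asUtc(value) {
  return /^\d{10}$/.test(value) ? new Date(Number(value) * 1000).toISOString() : null;
}

const report = diffPref(prefFirst, prefSecond);
console.log("unchanged across deletion:", report.same);
console.log("changed:", Object.keys(report.changed), "new in second:", report.onlyB);
console.log("LM as a timestamp:", asUtc(report.same.LM));
```

Any field listed under `same` after a supposedly clean cookie jar is a candidate for linking the two sessions; here that is `FF` and `LM`, while `ID`, `TM` and `S` all changed and `U` appears only in the second value.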

  • Noise generation (Score:4, Interesting)

    by wbr1 ( 2538558 ) on Wednesday December 11, 2013 @07:44AM (#45659167)
    How about someone develop a benign virus that spreads easily, then browses everywhere similar to a spider or crawler and resets its own cookies (and/or built in creds for various data gathering sites), frequently. With a relatively low CPU and network footprint, a big enough botnet doing just this would make just about all data collection pointless, as the SNR would become problematic.
  • by EmagGeek ( 574360 ) on Wednesday December 11, 2013 @08:01AM (#45659215) Journal

    The reality is that Government and Corporations are on the same side and none of them want to get rid of the tracking.

  • by Taco Cowboy ( 5327 ) on Wednesday December 11, 2013 @08:20AM (#45659283) Journal

    ... Tracking not reduced for all but a tiny minority of paranoids and actual baddies ...

    We do need to understand this --- tracking can NOT be totally eliminated.

    Cookie tracking is but one of the various ways they use to track us. The report @ http://truththeory.com/2013/12/10/how-to-see-what-government-agency-is-spying-on-your-phone/ [truththeory.com] tells us about another way (they hack the prepaid phones and track the unique IPs).

    No matter if you are an idiot or a tin-foil hatter, you gotta understand that there is only so much you can do.

    The world we live in is a FREE WORLD for the Big Brothers (commercial or otherwise) to do whatever they want with us.

    Even if you only use cash / bitcoin to do purchases, they _still_ can find ways to "understand" you.

    I may sound like a defeatist, I may sound as if I have given up. I am not.

    I am a realist, though.

    No matter what step (or steps) I take to minimize my exposure, they know who I am, where I am, with whom I am, my favorite watering hole, the usual kind of food I take, my regular schedule, and so on...

    In one of my previous posts (some moons ago) I mentioned that we need to keep alert 24/7, and someone replied that if I keep on doing that I'm going to go bonkers.

    Perhaps I have already gone bonkers, but then, that's what Big Brothers want anyway.

  • by DarkOx ( 621550 ) on Wednesday December 11, 2013 @08:21AM (#45659291) Journal

    The most sensible solution is to allow only session cookies. I know everyone loves their "keep me logged in button" but the simple solution is to have browsers silently convert all cookie requests to session cookies no matter what the server or script asks for.

    This should be the default, as it breaks very few sites and existing web applications other than you have to log on every time. Users should have to manually go white list domains that are allowed persistent storage.

    Browsers need to stop providing useragents, they need to start sending strings like
    "traditional HTML 5.0 ready browser" or "touchscreen HTML 5.0 browser" instead.

    The default behavior should be to only send a referer header when the request is to a page on the same domain as the one already being displayed.

    As much as I hate to advocate it because it's a waste of everyone's network resources, the same approach needs to be applied to document caching. There are too many possibilities for script based timing analysis attacks and server side request analysis that will enable tracking with the cache enabled.

    Implement those changes and you will have a WWW that still mostly works without a lot of changes to existing sites but is decidedly less trackable.
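
A sketch of two of the defaults proposed in the comment above, as an added example that is not part of the original post or any browser's code: a `Set-Cookie` value is downgraded to a session cookie unless the host is on a user allow-list, and a Referer is produced only for same-host requests. The allow-list contents, function names and sample header are constructed for illustration, and "same domain" is taken to mean an exact hostname match.

```javascript
// Hypothetical allow-list of hosts the user has approved for persistent cookies.
const persistentAllowList = new Set(["bank.example"]);

// Drop the attributes that give a cookie a lifetime beyond the browser session.
// Without Expires or Max-Age a cookie is a session cookie (RFC 6265).
function toSessionCookie(setCookieValue, host) {
  if (persistentAllowList.has(host)) return setCookieValue;
  return setCookieValue
    .split(";")                       // attribute values never contain ';'
    .map((attr) => attr.trim())
    // Index 0 is the name=value pair and is always kept, even if the
    // cookie itself happens to be named "expires".
    .filter((attr, i) => i === 0 || !/^(expires|max-age)\s*=/i.test(attr))
    .join("; ");
}

// Return the Referer to send, or null to omit the header entirely.
function refererFor(currentPageUrl, requestUrl) {
  const from = new URL(currentPageUrl);
  const to = new URL(requestUrl);
  return from.hostname === to.hostname ? from.href : null;
}

// Constructed sample header with a two-year lifetime.
const sample =
  "PREF=abc; expires=Fri, 11-Dec-2015 10:52:19 GMT; path=/; domain=.example.com; Max-Age=63072000";

console.log(toSessionCookie(sample, "www.example.com"));
console.log(toSessionCookie(sample, "bank.example"));
console.log(refererFor("https://a.example/page?q=1", "https://tracker.example/pixel.gif"));
```

Stripping the lifetime only limits how long an identifier persists; a cookie set and read within one long-lived browser session is unaffected.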

  • Re:Calling for? (Score:4, Interesting)

    by Desler ( 1608317 ) on Wednesday December 11, 2013 @09:14AM (#45659451)

    And this article is amusing in light of the fact that Slashdot has been using Google Analytics and other tools that are feeding this data to Google.

  • by Desler ( 1608317 ) on Wednesday December 11, 2013 @09:29AM (#45659529)

    But if these companies didn't have such huge troves of private user data there would be no need to worry about NSLs, etc. They'd have nothing to give over. He's not against bulk collection of data, etc. He's simply against the government competing against him in the data collection realm.

  • by TheGratefulNet ( 143330 ) on Wednesday December 11, 2013 @09:51AM (#45659647)

    on mobile, you have to be rooted to run a lot of adblockers and such.

    the first time I ran a non-rooted android phone and saw what everyone else sees on the web, I was kind of shocked. after years of filtering (noscript, etc) at home, I had forgotten how BAD things had gotten on the dirty wide web.

    on systems you can control, it's fine. on phones - which a lot are not easily rootable - you have much less control.
