Un-killable 'Evercookie' Killed ... Sometimes
186
Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."
Re:Evercookie is clever (Score:3, Interesting)
Malware is executable software. The evercookie isn't software, it's a simple marker.
Why Safari (Score:3, Interesting)
Evercookie = Nevercookie (Score:4, Interesting)
With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.
The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".
Re:Evercookie is clever (Score:2, Interesting)
Oh please. There are plenty of malicious sites that do unwanted things to your computer that don't leave an executable. It doesn't have to be "executable software" to be malware.
Re:Evercookie is clever (Score:4, Interesting)
Just put it in the ToS for the site that you use "advanced measures to track banned users." Presto, now you're not being underhanded about it, which is really the critical difference between malware and other forms of software.
Re:Evercookie is clever (Score:4, Interesting)
If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.
Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.
Re:Why Safari (Score:3, Interesting)
Frankly, I never trusted Google's ability to vet Apple's (Webkit) code for security holes... And I just don't trust Apple.
And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...
Killing the evercookie is easy (Score:1, Interesting)
Just boot up a VM, with the user's home account created in ramdisk upon bootup. The rest of the system is read-only (ala diskless linux).
The evercookie is cleared upon each bootup.
Re:Evercookie = Nevercookie (Score:2, Interesting)
Because from what you just described as necessary to keep out these Evercookies, this isn't "basic steps". This is advanced knowledge of how cookies and browser technology work and interact. Four different browser specific addons should not be required to maintain privacy, and that is the point. People aren't stupid, they just don't know. Arrogance about it won't help.
Why I dont run my browser as me anymore (Score:4, Interesting)
Its reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries, basically its only a member of users. I than give my own user account permission to run the browser as the other user with sudo.
This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.
Re:Evercookie is clever (Score:1, Interesting)
Ever heard of coLinux? (http://www.colinux.org/)
Wine brings Windows user space to Linux, but coLinux brings the Linux kernel into Windows
If you are stuck at work with a Windows box there is nothing better than to have good old Linux running as a service and having all the goodies native. (take a look at the http://www.andlinux.org/ distro for a smooth start)
Oh, BTW, all of this just to say that coLinux it is actually "a Windows program and that no computer can run without a Microsoft OS" (32bit versions only for now...)