Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? 84

New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser level (black box) solutions aren't anywhere near good enough; if it were, the exploits would be few and far between instead everywhere everyday. Read below for the rest of tanstaaf1's question.
On Amazon, I haven't found a likely good book on the topic. There are books on protocols but I'm really only interested in how I can detect and track and block, and erase, and re-write and spoof all the tracking attempts on a case by case basis. Maybe a book on how to write my own tracker — or my own tracking blocker from scratch?

In theory it wouldn't seem to be that hard to uttlerly micromanage your own computer. Here's how I think it could be done:

(1) Have an explicit on/off switch, ideally OS based and trivial to control with a mouse-twitch, which turns internet access on and off as certainly as a mechanical light switch controls lights. Along with this, maybe the whole screen can change color, red-light green-light, to keep the user always aware of incoming or outgoing traffic. I should instant be able to get detailed information on any unexpected write or read request. Think unix "ps" or better. (Actually, a file system which allowed the owner to attached detailed memos and other information would be a nice touch...once litter builds up it quickly gets easy to hide real malware everywhere; that is a common technique used by embezzlers everywhere — create chaos and then hide your exploits within it).
(2) When the browser is started, make it start in a fresh virtual space / sand-box. Then copy into that space any "cookies" or other information I explicitly care to put into that space. I would, for example, put in site specific cookies to allow sites i whitelist to identify me. A good database of all the files in my virtual space, how they got there and what they are used for, would be really nice to see.
(3) As you browse you can block or not block ads and trackers; the add-ons already exist.
(4) When you decide to exit the browsing session, at least, the computer should save important cookies from sites you frequent for later restoration.
(5) The entire virtual space is then shredded and deleted.

This could all be done at a finer grain, I'm sure, but I wanted to lay out an overall strategy — and ask:
(1) What am I missing?
(2) Has this already been done and automated, say, under Linux? (I wouldn't expect Microsoft, Apple, or Google to facilitate this sort of security under their OS systems; foxes guarding the hen house and all that. However, even under Windows and OSX I can install virtualbox...)
(3) Why is it so hard to find the specifics of, step-by-step, how (not why or if) we are being conned and raped and what, specifically, can be done to stop it? Why are we screwing around with all these endless add-ons instead of striking at the root of the problem? Or have I not really identified the root?

I would appreciate any specific feedback on my scheme or, even better, a link or three.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms?

Comments Filter:
  • by QuietLagoon ( 813062 ) on Wednesday October 07, 2015 @07:46PM (#50682735)
    Now that Verizon has hooked up with AOL to share cookie data and personal information [], it sure would be nice if the Verizon stealth cookies could be deletable.
    • Now that Verizon has hooked up with AOL to share cookie data and personal information [], it sure would be nice if the Verizon stealth cookies could be deletable.

      Just a quick question, can the browser insert its own Verizon stealth cookie into the request URL?

      And if that can be done, can it be used to poison the data, or even crash the Verizon tracking system?

      • by tnk1 ( 899206 )

        Probably not. It most likely has some sort of key which it would refer to which you'd have to figure out. The best you'd get is filling their logs with Unhandled Exception errors, which given the way most people code these days, would just be a drop in the bucket for AOL or Verizon.

        • by tnk1 ( 899206 )

          That said... if your goal was to prevent the cookie from being generated in the first place, you might be able to add a shim in there so that the cookie isn't created because it is already there.

          Of course, even then, they're probably have code to regenerate the cookie if presented with a bad cookies.

      • by raymorris ( 2726007 ) on Wednesday October 07, 2015 @08:31PM (#50682981) Journal

        You can easily add your own X-UIDH header. It is likely that Verizon's proxy wouldn't add another if one were already present. It's also possible that the request would be sent on with two (or more) X-UIDH headers. Most programming is sloppy programming, so they probably didn't account for this correctly. It's extremely likely that random strings in the X-UIDH header would confuse the system.

        As I mentioned, most programming is sloppy programming. People keep making the same mistakes. One common mistake is, what if that string that's supposed to be about 16 characters is instead 500,000 characters (500KB)? Or 2MB? Things might break. What if it contains null characters (ascii value 0)? A lot of things break when strings have embedded nulls. Strings that are used to query a database to get a user's information often break when single quotes and semicolons are present.

        That said, it's also likely they use popular off-the-shelf, premade software for the proxy, and it's protected against the most obvious attacks. Their database query routines are probably written by their own programmers, and those programmers probably aren't security experts.

        Obviously, trying to harm their systems could very well be unlawful, even criminal. "I just sent web requests" might be about as convincing to a judge as "I just waved my arms around (while holding a knife)".
        I hope the bad guys don't mess with them too much.

        • You mean that their monetization rights can be trumped by your desire to retain privacy? Oh, wait....

          • You COULD try attacking them (rather than not using their service) and then tell the judge that your attack was to protect your privacy. You could try that.

            You could also try attacking them using a knife to their sysadmin and try telling the judge the same thing.

            I wouldn't recommend either. I just use a different company.

            • The problem here isn't that you get a choice, once you get the cookie; it's not really curable unless you actively get rid of it, and protect yourself actively from swallowing it, when placed on a myriad of sites. We shouldn't really have to do this to protect privacy, but this is what supercookie payloads are about: persistence.

              Microsoft Windows and Mac OSX no longer respect a host file, so you must find other ways of routing their IPs to localhost. It's nasty out there.

        • You are making a mountain of assumptions with absolutely nothing but cheeky speculation
          • Not really. For example, I'm said their system will EITHER add an additional header or it won't. One or the other is true.

            I suppose the "assumption" is that their code isn't fundamentally different from ALL of the tens of millions of lines of code I've reviewed over a decades-ling career. I "assume" that the programmers tried to get their job done. I've looked at the security posture of a LOT of software. In essentially all cases, no -application- code ever sufficiently anticipated all possible types of

    • by Anonymous Coward

      A VPN service should bypass Verizon's cookie injectors.

  • (1) What am I missing? ... nah, too easy.

    how (not why or if) we are being conned and raped

    Never mind. You're missing mental stability.

  • all the specifics have already been arrested.
  • by forevermore ( 582201 ) on Wednesday October 07, 2015 @08:04PM (#50682815) Homepage
    You should be able to find some pretty straightforward documentation on HTTP cookies, flash data storage, HTTP Local Storage, and browser fingerprinting (see [] ). The tracking services aren't doing anything fancy -- they're just sharing that identifier behind the scenes. When you visit website1 they assign an id to your browser (via a cookie, or whatever). When you visit website2, it loads a script from website1 that puts your id somewhere into the DOM that website2's scripts can read and website2 assigns that id to your browser as well. Website3 does the same, and so forth. Then, websites 1 through N share the browsing habits of your id amongst themselves and gain some insight into what your browser is doing.
    • And there's an easy way to stop a lot of it, across all operating systems. A proxy server can scrub headers to only allow cookies from certain sources through, for example, and can do the same for outgoing requests. Privoxy [] is an OLD example of the technology (I was using that thing back in the late 90s). Set up something like that, set up whatever filters you want, tell your browser to use that proxy, and away you go.

    • Also, the correlating behind the scenes that happens when you access multiple websites that use either a CDN or something like

      Everyone hosting their JQuery on Google's servers basically allow Google to correlate visits, and build up a picture of which websites you visit. Combine that with direct access to GMail, Youtube, or Google searches, and they pretty much know what you do at least half the time on the internet.

      You're going to have to wipe everything, including your IP address, in orde

      • You could also mirror the various jquery stuff hosted at on your local machine, served up by a local web server. Then just reference your local ip/localhost as the IP for in your hosts file.

  • by Anonymous Coward on Wednesday October 07, 2015 @08:13PM (#50682875)

    Evercookie is how it is being done.
    UBlock Origin is how to block a ton of stuff.
    Both are open source so you can have a look at it.

    But in case of Verizon, you're talking about tracking on a whole other level.
    And since your MAC or IMEI device number are needed to allow you access on their network, there are no options to spoof that.
    The best you can do is block what they throw at you as a result of that data.
    Adding a VPN would make life for them pretty hard because no server side deep packet inspection can be applied.

  • You can be tracked and identified by a large number of ways. Its not just cookies, its anything you click on, its hidden variables, its the URL, applets, javascript, and even your IP address. Have you heard of a Firefox plugin called Ghostery? Look at all the things it blocks. That will give you more clues about how you are being tracked. Cookies are not in themselves bad. They were designed for developers to cache information so that they could remember what the user was doing when they clicked. Advertiser

    • Ghostery [] is an excellent add-on for Firefox.
    • by Anonymous Coward

      Some sites have gone so far as to track your mouse position and/or keyboard usage (timings/patterns between key presses) to identify you as an individual "anonymous" user.

  • You know something about Linux, and something about virtualization. So you could move forward by setting up a slim VM running Firefox. Maybe one based on a LiveCD, which already controls writes.
    Take a snapshot of that VM (or the LVM volume it resides on).
    Boot the VM, browse a bit.
    Shutdown the VM
    mount the image and it's snapshot
    diff -Bbdir the vm with it's snapshot
    Take some notes.
    Snapshot again, or reset.
    Browse a bit , maybe taking notes this time.
    Rinse and repeat - boot, browse, mount diff, unmount.

  • by btb1 ( 1920414 ) on Wednesday October 07, 2015 @08:14PM (#50682893)
    A good Samaritan did the heaving lifting... []
  • An organization can store information in your browser that can uniquely identify you. Usually this is a session code. It can share this information with whoever they want.

    If you are concern with privacy never type any uniquely identifying information into your browser. Since you don't know what can potentially be uniquely identifying then you should never use cookies. Given that makes the internet practically unusable then use a whitelist. Given that a whitelist is a pain then forget about privacy. Everyone

    • A couple of things; session codes can't be shared, or rather there would be no point in doing so, they're temporary server-side identifiers. Second the internet is fairly useable without cookies, they aren't like javascript. Some sites may use them to store your login details but that's poor programming since your browser should be the only software doing that. In any case browsers like firefox have an option to erase everything when you close it. If you live in the EU you should even see regular notices as

  • Easy (Score:4, Informative)

    by lucm ( 889690 ) on Wednesday October 07, 2015 @08:21PM (#50682927)

    If you are that preoccupied by evil cookies, use Linux Tails like Edward Snowden recommends.

    But really, you overestimate your value for those who allegedly "rape and con" you with cookies. They care about trends and patterns, not about you as a person, so browsing the web in a virtual space that you "shred" afterwards is more of a hobby than a necessity. Modern browsers are well-equipped to provide a decent level of privacy, there's no need to go thinfoil hat over this.

    • They care about trends and patterns, not about you as a person,

      In other news, Google has recently allowed targeted advertisements based on the individual person/e-mail address.

      "You as a person" is rarely worth targeting. But there are a lot of scale issues. It's worth targeting for Google, cause they only have to write that code once. And as time goes on, it gets cheaper and more widespread.

      • Did you happen to checkout the main product that Google has allowed to target advertisements to individuals? []

        It's basically opt-in. The marketing mumbo translation is: "Hey, you! What if I told you you could run your own ads for yourself? Yeah, you can, and it only costs a cent or two an ad."

        I mean... okay so that nets the company running the website on which you've run your own ads a share (80, 60, 40%?) of that, so also: "Hey, you! have you ever wanted to pa
  • The reason is because what you're describing is an enormous amount of hassle and people just don't want to deal with that much complication, unless they're wearing a tinfoil hat. And if they are they probably have already set up a system that resets itself every time it's rebooted. Just learn to stop worrying and love the cookies.
  • Re "erase cookies using the browser"
    Thats really all that can be done to average users by most ad brands legally as the settings and use allow that short or long term access by default. Beyond that and it gets to be equipment interference.
    Lots of apps on different OS will find the super cookies, Local SharedObject .SOL shared cross-browser tracking, flash and other deeper tracking options.
    "Has this already been done and automated" Different browsers have add ons that can do that based on some leve
  • As mentioned by others, cookies are only one mechanism.
    For instance, if you install any wierd fonts on your system - that along with your IP makes your are quite easy to identify. Browsers allow javascipt to query the fonts installed on a system (that feature is really a privacy intrusion bug, IMHO)

  • It is not surprising you didn't find any info on "nuts and bolts" cookies.
    Because while nuts are popular ingredients for cookies, bolts are terrible.

    So I suggest that you replace bolts with chocolate chips, these are much better and you are much more likely to find information about them.

  • No referers. No script. Just plain doc data. Problem solved.

    If you have client-side logic on by default, somene will use it to track you. It's that simple.

    Another approach would be fresh private tabs for every session and perhaps spoofing of plattform data.

    I use Gostery and don't care to much about super-cookies. I use multiple browsers for multiple personas and tasks, which mitigates the problem a little more.

    I don't use facebook and stuff like that, but I'm pretty deep in Googles camp, with my Android dev

Thus spake the master programmer: "When a program is being tested, it is too late to make design changes." -- Geoffrey James, "The Tao of Programming"