Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? 84
New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser level (black box) solutions aren't anywhere near good enough; if it were, the exploits would be few and far between instead everywhere everyday. Read below for the rest of tanstaaf1's question.
On Amazon, I haven't found a likely good book on the topic. There are books on protocols but I'm really only interested in how I can detect and track and block, and erase, and re-write and spoof all the tracking attempts on a case by case basis. Maybe a book on how to write my own tracker — or my own tracking blocker from scratch?In theory it wouldn't seem to be that hard to uttlerly micromanage your own computer. Here's how I think it could be done:
(1) Have an explicit on/off switch, ideally OS based and trivial to control with a mouse-twitch, which turns internet access on and off as certainly as a mechanical light switch controls lights. Along with this, maybe the whole screen can change color, red-light green-light, to keep the user always aware of incoming or outgoing traffic. I should instant be able to get detailed information on any unexpected write or read request. Think unix "ps" or better. (Actually, a file system which allowed the owner to attached detailed memos and other information would be a nice touch...once litter builds up it quickly gets easy to hide real malware everywhere; that is a common technique used by embezzlers everywhere — create chaos and then hide your exploits within it).
(2) When the browser is started, make it start in a fresh virtual space / sand-box. Then copy into that space any "cookies" or other information I explicitly care to put into that space. I would, for example, put in site specific cookies to allow sites i whitelist to identify me. A good database of all the files in my virtual space, how they got there and what they are used for, would be really nice to see.
(3) As you browse you can block or not block ads and trackers; the add-ons already exist.
(4) When you decide to exit the browsing session, at least, the computer should save important cookies from sites you frequent for later restoration.
(5) The entire virtual space is then shredded and deleted.
This could all be done at a finer grain, I'm sure, but I wanted to lay out an overall strategy — and ask:
(1) What am I missing?
(2) Has this already been done and automated, say, under Linux? (I wouldn't expect Microsoft, Apple, or Google to facilitate this sort of security under their OS systems; foxes guarding the hen house and all that. However, even under Windows and OSX I can install virtualbox...)
(3) Why is it so hard to find the specifics of, step-by-step, how (not why or if) we are being conned and raped and what, specifically, can be done to stop it? Why are we screwing around with all these endless add-ons instead of striking at the root of the problem? Or have I not really identified the root?
I would appreciate any specific feedback on my scheme or, even better, a link or three.
Verizon Stealth cookies are undeletable (Score:3)
Can Verizon Stealth cookies be spoofed? (Score:3)
Now that Verizon has hooked up with AOL to share cookie data and personal information [dslreports.com], it sure would be nice if the Verizon stealth cookies could be deletable.
Just a quick question, can the browser insert its own Verizon stealth cookie into the request URL?
And if that can be done, can it be used to poison the data, or even crash the Verizon tracking system?
Re: (Score:2)
Probably not. It most likely has some sort of key which it would refer to which you'd have to figure out. The best you'd get is filling their logs with Unhandled Exception errors, which given the way most people code these days, would just be a drop in the bucket for AOL or Verizon.
Re: (Score:2)
That said... if your goal was to prevent the cookie from being generated in the first place, you might be able to add a shim in there so that the cookie isn't created because it is already there.
Of course, even then, they're probably have code to regenerate the cookie if presented with a bad cookies.
Re:Can Verizon Stealth (Score:5, Interesting)
You can easily add your own X-UIDH header. It is likely that Verizon's proxy wouldn't add another if one were already present. It's also possible that the request would be sent on with two (or more) X-UIDH headers. Most programming is sloppy programming, so they probably didn't account for this correctly. It's extremely likely that random strings in the X-UIDH header would confuse the system.
As I mentioned, most programming is sloppy programming. People keep making the same mistakes. One common mistake is, what if that string that's supposed to be about 16 characters is instead 500,000 characters (500KB)? Or 2MB? Things might break. What if it contains null characters (ascii value 0)? A lot of things break when strings have embedded nulls. Strings that are used to query a database to get a user's information often break when single quotes and semicolons are present.
That said, it's also likely they use popular off-the-shelf, premade software for the proxy, and it's protected against the most obvious attacks. Their database query routines are probably written by their own programmers, and those programmers probably aren't security experts.
Obviously, trying to harm their systems could very well be unlawful, even criminal. "I just sent web requests" might be about as convincing to a judge as "I just waved my arms around (while holding a knife)".
I hope the bad guys don't mess with them too much.
Re: (Score:2)
You mean that their monetization rights can be trumped by your desire to retain privacy? Oh, wait....
protect your privacy with a knife. Try it (Score:2)
You COULD try attacking them (rather than not using their service) and then tell the judge that your attack was to protect your privacy. You could try that.
You could also try attacking them using a knife to their sysadmin and try telling the judge the same thing.
I wouldn't recommend either. I just use a different company.
Re: (Score:2)
The problem here isn't that you get a choice, once you get the cookie; it's not really curable unless you actively get rid of it, and protect yourself actively from swallowing it, when placed on a myriad of sites. We shouldn't really have to do this to protect privacy, but this is what supercookie payloads are about: persistence.
Microsoft Windows and Mac OSX no longer respect a host file, so you must find other ways of routing their IPs to localhost. It's nasty out there.
Re: (Score:2)
10.5 is now out of long term support for the most part, and subsequent versions past 10.7 ignore the hosts file like a gun control advocate ignores the NRA.
Re: (Score:1)
10.5 is now out of long term support for the most part, and subsequent versions past 10.7 ignore the hosts file
Bullshit...
Totally by coincidence, I tested my Hosts file this morning. I'd used "org" instead of "com" on an URL, and was re-directed to some fake-ass MS "test your system security" page. Took the first part of the "DNS/MiM" domain name, added it to Hosts, reloaded Firefox, retyped the same errant address, and got... No new tab, no "Can't find server," and, of course, no fake assed web page at all. Nothing, as in zero.
Oh, and my Little Snitch network monitor showed zero bytes up or down after I hit Return
It's picky now (Score:2)
It got picky. For one thing, you may need to restart the resolver daemon. Also, if you have IPv6 running, you may need to set an IPv6 address in /etc/hosts as well - even if you never use it.
As others mentioned in this thread, people are using it - it "works", it just got harder.
Re: (Score:2)
Bullshit. I am using the hosts file to test a locally developed MySQL site every day. On 10.10.5 Yosemite
Re: (Score:2)
It works on 10.5. Not on 10.8 and above (non-server editions).
Re: (Score:2)
Not really. it's either one or the other (Score:2)
Not really. For example, I'm said their system will EITHER add an additional header or it won't. One or the other is true.
I suppose the "assumption" is that their code isn't fundamentally different from ALL of the tens of millions of lines of code I've reviewed over a decades-ling career. I "assume" that the programmers tried to get their job done. I've looked at the security posture of a LOT of software. In essentially all cases, no -application- code ever sufficiently anticipated all possible types of
Re: (Score:2)
Browser fingerprinting is where it is at, and there is -no- browser that is resistant to this.
Au contraire. Apple iPhones are as common as houseflies, and as indistinguishable. Because Apple doesn't really let their users change anything about their browser configs, all the non-jailbroken Safari browsers for a given iOS version return the same fingerprint. So if you have one of those phones, you can hide in a very large crowd.
That implies the marketplace could actually use a common browser everyone can rely on to not share these details, but erasing fingerprints also means giving up useful functiona
Fingerprinting is THE issue (Score:2)
What I have been waiting for quite a long time is the extension, or the iCab of sorts, that'll slightly upgrade most of the borwser fingerprint (screensize changed by some pixels, 1% of my fontlist hidden) every 1/4h or so. :(
I truly believe this is not so difficult to prepare, and once it'll be done most of this fingerprinting issue will be over.
The only trouble for the moment is, I'm not a programmer myself
Re: (Score:1)
A VPN service should bypass Verizon's cookie injectors.
What are you missing? (Score:1, Flamebait)
(1) What am I missing? ... nah, too easy.
how (not why or if) we are being conned and raped
Never mind. You're missing mental stability.
Re: (Score:2)
I have no idea why you were modded down. You're absolutely right.
The OP apparently learned just enough to form those ideas and questions, but decided not to continue reading and find out that (more or less) all his proposals are already done.
1. On/off switch for "internet access". There's bunches of ways to do this. Many laptops come with a hardware switch to turn off wifi... that can do the trick. Just about any firewall software could do it, and most have a "panic" mode (including the very naive /etc/rc.d
"Why is it so hard to find the specifics..." (Score:1)
You're making it more complex than it is (Score:5, Informative)
Re: (Score:2)
And there's an easy way to stop a lot of it, across all operating systems. A proxy server can scrub headers to only allow cookies from certain sources through, for example, and can do the same for outgoing requests. Privoxy [privoxy.org] is an OLD example of the technology (I was using that thing back in the late 90s). Set up something like that, set up whatever filters you want, tell your browser to use that proxy, and away you go.
Re: (Score:3)
Also, the correlating behind the scenes that happens when you access multiple websites that use either a CDN or something like ajax.google.com
Everyone hosting their JQuery on Google's servers basically allow Google to correlate visits, and build up a picture of which websites you visit. Combine that with direct access to GMail, Youtube, or Google searches, and they pretty much know what you do at least half the time on the internet.
You're going to have to wipe everything, including your IP address, in orde
Re: (Score:2)
You could also mirror the various jquery stuff hosted at ajax.google.com on your local machine, served up by a local web server. Then just reference your local ip/localhost as the IP for ajax.google.com in your hosts file.
Evercookie & uBlockOrigin (Score:3, Informative)
Evercookie is how it is being done.
UBlock Origin is how to block a ton of stuff.
Both are open source so you can have a look at it.
But in case of Verizon, you're talking about tracking on a whole other level.
And since your MAC or IMEI device number are needed to allow you access on their network, there are no options to spoof that.
The best you can do is block what they throw at you as a result of that data.
Adding a VPN would make life for them pretty hard because no server side deep packet inspection can be applied.
A number of ways... (Score:2)
You can be tracked and identified by a large number of ways. Its not just cookies, its anything you click on, its hidden variables, its the URL, applets, javascript, and even your IP address. Have you heard of a Firefox plugin called Ghostery? Look at all the things it blocks. That will give you more clues about how you are being tracked. Cookies are not in themselves bad. They were designed for developers to cache information so that they could remember what the user was doing when they clicked. Advertiser
Ghostery link (Score:2)
Re: (Score:1)
Some sites have gone so far as to track your mouse position and/or keyboard usage (timings/patterns between key presses) to identify you as an individual "anonymous" user.
building on what you know, snapshot a vm (Score:1)
You know something about Linux, and something about virtualization. So you could move forward by setting up a slim VM running Firefox. Maybe one based on a LiveCD, which already controls writes.
Take a snapshot of that VM (or the LVM volume it resides on).
Boot the VM, browse a bit.
Shutdown the VM
mount the image and it's snapshot
diff -Bbdir the vm with it's snapshot
Take some notes.
Snapshot again, or reset.
Browse a bit , maybe taking notes this time.
Rinse and repeat - boot, browse, mount diff, unmount.
You'
Re: (Score:2)
Also need to change your MAC address each reload...
only if you don't have a router or modem. (or ISP) (Score:2)
Layer 2 addresses don't pass routers, which operate at level 3, so your client media access control address is only visible if you don't have a router.
The outside global address of your modem is of course visible to your ISP. You could change that, but most cable ISPs either require that not change at all (without calling them ) or if it changes it takes an hour or two to reconnect. Since you even with a direct ethernet connection your MAC address is only visible to your ISP, the only reason to change it
Re: only if you don't have a router or modem. (or (Score:1)
Public WiFi, yes. Everybody is your ISP (Score:2)
That's true, for wifi, access points can see your MAC address. I was thinking of home / office internet, where your MAC is only visible to your ISP (who already knows who you are).
safe browsing (Score:3)
Re: (Score:2)
mod parent up! (Score:2)
all is in the title. Too bad I don't have points now...
Simple (Score:2)
An organization can store information in your browser that can uniquely identify you. Usually this is a session code. It can share this information with whoever they want.
If you are concern with privacy never type any uniquely identifying information into your browser. Since you don't know what can potentially be uniquely identifying then you should never use cookies. Given that makes the internet practically unusable then use a whitelist. Given that a whitelist is a pain then forget about privacy. Everyone
Re: (Score:2)
A couple of things; session codes can't be shared, or rather there would be no point in doing so, they're temporary server-side identifiers. Second the internet is fairly useable without cookies, they aren't like javascript. Some sites may use them to store your login details but that's poor programming since your browser should be the only software doing that. In any case browsers like firefox have an option to erase everything when you close it. If you live in the EU you should even see regular notices as
Easy (Score:4, Informative)
If you are that preoccupied by evil cookies, use Linux Tails like Edward Snowden recommends.
But really, you overestimate your value for those who allegedly "rape and con" you with cookies. They care about trends and patterns, not about you as a person, so browsing the web in a virtual space that you "shred" afterwards is more of a hobby than a necessity. Modern browsers are well-equipped to provide a decent level of privacy, there's no need to go thinfoil hat over this.
Re: (Score:2)
In other news, Google has recently allowed targeted advertisements based on the individual person/e-mail address.
"You as a person" is rarely worth targeting. But there are a lot of scale issues. It's worth targeting for Google, cause they only have to write that code once. And as time goes on, it gets cheaper and more widespread.
Re: (Score:2)
I am far more scared of Facebook. But then again, I actually use Google
Re: (Score:1)
In other news, Google has recently allowed targeted advertisements based on the individual person/e-mail address.
[citation needed]
There's an opt-in method: Contributor [google.com]
Re: (Score:1)
https://www.google.com/contributor/welcome/ [google.com]
It's basically opt-in. The marketing mumbo translation is: "Hey, you! What if I told you you could run your own ads for yourself? Yeah, you can, and it only costs a cent or two an ad."
I mean... okay so that nets the company running the website on which you've run your own ads a share (80, 60, 40%?) of that, so also: "Hey, you! have you ever wanted to pa
Why it hasn't been done (Score:2)
Re: (Score:2)
Nom Nom Cookies!
Whats been done (Score:2)
Thats really all that can be done to average users by most ad brands legally as the settings and use allow that short or long term access by default. Beyond that and it gets to be equipment interference.
Lots of apps on different OS will find the super cookies, Local SharedObject
"Has this already been done and automated" Different browsers have add ons that can do that based on some leve
Re: (Score:3)
Except media queries are performed locally within the browser - not on the server. Even if the media query is specified in a link element in the head, the CSS file is still downloaded even if it doesn't fulfill the query requirement.
https://scottjehl.github.io/CS... [github.io]
Fonts (Score:1)
As mentioned by others, cookies are only one mechanism.
For instance, if you install any wierd fonts on your system - that along with your IP makes your are quite easy to identify. Browsers allow javascipt to query the fonts installed on a system (that feature is really a privacy intrusion bug, IMHO)
Re: (Score:2)
Firefox hacks mentions a 20 cookie per client connection limit. That appears to be true today.
It's not a limit, that was a recommendation from the original Netscape Cookie Specification. It's up to the individual browser implementors what limits they place on cookie size, cookies/domain, total cookie counts and even max cookie age. I have seen some web sites in the Top 1000 Alexa site list, for example, spu out over 60 Set-Cookie headers in response to a simple GET / HTTP/1.1 request - and that's just for the source page, not even any of the linked resources.
If you're still browsing mainly HTTP page
Mmmm cookies (Score:2)
It is not surprising you didn't find any info on "nuts and bolts" cookies.
Because while nuts are popular ingredients for cookies, bolts are terrible.
So I suggest that you replace bolts with chocolate chips, these are much better and you are much more likely to find information about them.
Solving the super-cookie problem is easy (Score:2)
No referers. No script. Just plain doc data. Problem solved.
If you have client-side logic on by default, somene will use it to track you. It's that simple.
Another approach would be fresh private tabs for every session and perhaps spoofing of plattform data.
I use Gostery and don't care to much about super-cookies. I use multiple browsers for multiple personas and tasks, which mitigates the problem a little more.
I don't use facebook and stuff like that, but I'm pretty deep in Googles camp, with my Android dev
potential solution (Score:1)