Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger

MVM

How 'bad' are spyware cookies??

It is somewhat my belief that the issue of spyware cookies is vastly overblown, but of course I could be wrong so hopefully this is the start of a thread which will educate myself and others on the evils of spyware cookies, and how much information can be collected by them and how 'dangerous' this information could be.

So using a description of cookies posted on Microsoft's site written by Kim Komando, let's start this thread.

---------------------
Know good cookies from bad cookies. These little text files have a bad reputation. But much of that is based on ignorance. Cookies actually perform valuable services. For instance, they can shoot you right into a site so you don't have to enter your password.

Here's how cookies work: Say you visit the ABC Book Co. You buy a book. The company downloads a text file to your computer, which includes an ID number. That's a cookie.

Two weeks later, you go back to the ABC Books site. First thing, your browser checks for an ABC cookie. It finds it, and sends it to ABC's computer.

When the ABC site opens, it says "Welcome back, Joe!" How does it know? The ABC Book Co. has the information about the sale two weeks ago in its database. It matches the ID number in the cookie to the sale information, and customizes the page for you.

When you next make a purchase, you won't have to enter your credit-card number or address. That will already be filled in. Again, that came from the database, and was enabled by the cookie.

That is all very convenient. But there are less desirable cookies, too. They're called tracking cookies. Say you visit the XYZ Brain Surgery site. There's a banner ad there. It is linked to an advertising services company. It downloads a cookie. The cookie says, "This person visited XYZ Brain Surgery."

Next, you go to a heart transplant site. The banner ad there is associated with the same advertising company. The browser sends the cookie to the banner ad. The ad adds a notation that you visited the heart transplant site.

Over time, the tracking cookie builds a profile of your interests. The advertising services company sells this information. That's why you start getting advertising for medical equipment.
---------------------

OK so evil spyware cookie company knows I visit sites like this, how bad is that and what other information do they have (and how do they get it which might be a more important question)?

Blake

pieter arntz
join:2002-02-26
Netherlands

pieter arntz

Member

Since agreeing with you will hardly make it a discussion, here is a completely different opinion:
»www.pcmag.com/article2/0 ··· 9,00.asp

Quote for those that don't like the cookies from PC Magazine.
quote:
But let's go further and ban cookies too. Cookies are those small files that Web sites store on your computer for their convenience. I never even liked the idea of cookies. Why should some Web site be storing its data on my machine? While a cookie is kind of handy when you want to store a password, this can be done other ways without the alien Web site looking at my files. Whose idea was this anyway? Cookies are like those marks that hoboes used to make on picket fences during the depression in the 1930s. They were marks to tell other hoboes who the rubes were. A cookie is a marker telling Web sites that I'm a sucker.

{snipped a bit}

Back to my main complaint. One thing that comes to mind in all this debate and hand-wringing over spyware, cookies, ActiveX, Java and the like is the idea of making any use of cookie technology itself illegal.

I've thought about this before. This is all about your computer doing stuff to my computer without my permission, isn't it? Make all such action illegal. That means cookies too. So what if the browser lets you create cookies? Does that mean we cannot outlaw them? There are plenty of capabilities within browser code that shouldn't be allowed to be present. But let's start with cookies and generalize a law with cookies in mind.

Something like this would work for me: "Any person who knowingly writes or reads files from another person's computer by personal or robotic means for whatever reason whatsoever and without the permission of the party involved, with full knowledge of the activity each and every time the action is performed, is guilty of a felony and subject to fine and imprisonment not to exceed $10,000 and one year in prison for each offense."

That would cover it for me.

John C. Dvorak

Personally, I tend to agree more with SpywareGuide's view as published here:
»www.spywareguide.com/art ··· _57.html
It's the thought that counts more than the doing.

Regards,

Pieter

dp
MVM
join:2000-12-08
Greensburg, PA

dp

MVM

said by pieter arntz:

Since agreeing with you will hardly make it a discussion, here is a completely different opinion:
»www.pcmag.com/article2/0 ··· 9,00.asp
There is also a lengthy discussion on that article going on in their forums (PC Mag).
»discuss.pcmag.com/n/main ··· =43277.1
Terikan
join:2004-10-07
Russell, KS

Terikan to Link Logger

Member

to Link Logger
It's fine that people have their opinions about cookies and such, it's the misconceptions that get me riled up.
dave
Premium Member
join:2000-05-04
not in ohio

3 recommendations

dave to Link Logger

Premium Member

to Link Logger
quote:
Any person who knowingly writes or reads files from another person's computer by personal or robotic means for whatever reason whatsoever and without the permission of the party involved, with full knowledge of the activity each and every time the action is performed, is guilty of a felony and subject to fine and imprisonment not to exceed $10,000 and one year in prison for each offense."
So, if I have a web site that presents content in the MIME type 'application_octet_stream/bananamatic', and this causes your browser to read its config files to see whether it can handle the bananamatic format, then I've committed a felony?

How is this, mechanically, any different from my web site causing your browser to read a cookie file?

Come to think of it, if I deliver a fairly large graphic to your memory-constrained PC, haven't I just caused your paging file to be written?

Legal codes are supposed to be unambiguous, and that wording certainly is full of ambiguity. We could start by discussing the word 'file', which I suspect is loose enough to drive a truckload of lawyers through.

The fundamental problem, as I see it, is that by you pointing your web browser at my web site, you have in fact invited my web site to alter things in your running computer. That's simply the nature of the beast. If you don't want any state changes that you did not explicitly authorize, then you'd be better off sticking to something less interactive, like ftp.

Lest you misunderstand me as having sympathy for scumbags: I don't. However, I wouldn't want to see a law that's either (a) so full of loopholes it provides no protection, or (b) so overreaching that any web site anywhere is subject to nuisance law suits from idiots.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

1 recommendation

jaykaykay to Link Logger

MVM

to Link Logger
I tend to accept only certain cookies and make sure that I am cleaned of all others as I see fit. I prefer Oreos over most of those that are dispersed from the Internet.

For those who are not quite up to snuff or as yet educated enough to really follow some of these articles, my suggestion is to give a description of what a cookie is. The following comes from »computerproblems.com/que ··· ?id=2323.

"Cookies" are small text files that are stored on a Web user's hard drive to serve as a unique identifier for tracking that user's preferences and profile on that Web site. Most cookie files are stored in the "C:\WINDOWS\COOKIES" directory or folder.
They take very little space (I have over 200 Cookie files on my system that take less space than a single floppy disk) so “filling up your hard drive with Cookies” is not a real concern. No personal information about you or your computer, is stored in these files, but rather a profile of your movements and preferences when surfing. In the beginning, Cookies were to be used within one Web site to track specific information such as usernames and passwords for membership-based sites, to track your on-line purchases via a "shopping basket" or to store your preferences for that site (i.e. show me sports news but only about hockey). These were good uses of cookies that made getting in and around our favorite Web sites easier and more enjoyable.
But then along came the “marketing wizards” that put up sites such as DoubleClick (www.doubleclick.com) and NetGravity (www.netgravity.com) that now use cookies to silently track a user's movements between their clients' sites that carry their ads. When a user visits AltaVista to use the search engine, for example, a cookie is sent along with that site's images, and the information is stored in a database on a remote server at DoubleClick. This information is supposed to be used to display “banner ads” that would specifically appeal to you based on your previous uses whenever you visit a member Web site, not just AltaVista. This worries some users, who feel like they are being watched. Most people that are concerned about “cookie” usage will either block or delete the cookie files on their hard drive. Is it a case of paranoia or just playing it safe? It depends upon what you believe is possible with the information that is being gathered. Most people that “fear” cookies, are more concerned about what may be done with them in the future.
Deleting cookies is fairly easy. Most cookie files are stored in the “C:\WINDOWS\COOKIES” directory or folder. If you have activated user profiles, each of your users that have accessed the Internet has their own cookie directory in the C:\WINDOWS\PROFILES folder. Double-click the “username” folder (where “username” is the name you use to log on to Windows) to locate the COOKIES folder. Simply delete the entire COOKIE folder when you finish surfing and none of the information that was gathered will be available the next time you connect to the Web. When you delete all your Cookie files, however, any personal preferences or user registration information for certain web sites will be deleted as well. You may have to go through a registration or reset of your preferences every time you go to these types of sites if you use this practice.
Blocking cookies is fairly easy in most current Internet browsers. Programs like Microsoft's Internet Explorer or Netscape's Communicator/Navigator give you options to either be notified before accepting a cookie or just plain block all cookies. Most current versions of Microsoft's Internet Explorer allow you to change these settings by going to the VIEW/INTERNET OPTIONS menu, then click on the Advanced tab. Look for the word cookies in the listings for the options to accept, ask before accepting or blocking all cookies. Current Netscape versions will generally allow you to change Cookie options by clicking on the EDIT/PREFERENCES menu, then click on advanced. Be aware, however, some Web sites will not allow you access without placing a cookie on your computer, so you may be limiting your surfing options."

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan to Link Logger

Premium Member

to Link Logger
My fear of cookies comes from a few years ago. I was surfing some sites I probably shouldn't have been at, (mostly *.am and *.ru) and got the "accept cookie?" pop-up (even in those days I had IE set to "always ask"). I remember thinking about it for a second and then clicking "allow". Within seconds I had the red screen from the AV alerting me that "Trojan something or other" was in my internet cache.

Looking back, it was probably just a coincidence but I've never lost the feeling that I may have actually allowed the malware to get on my system by clicking "allow".

Is it ridiculous to suspect the possibility of something other than a text file piggybacking in with the cookie?

TechyDad
Premium Member
join:2001-07-13
USA

TechyDad

Premium Member

The cookie may contain HTML or JavaScript code for an exploit (and thus trigger an AV notification), but it's benign until the website that created the cookie reads and displays the contents. And if a website is going to do that, they'll likely skip the cookie entirely and just display the exploit code directly.

The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. For example, you land on example1.com and see an ad banner. The ad banner, served by adcompany.com, writes a cookie to your hard drive with a unique ID. In their back-end database, they associate that unique ID with example1.com.

Now you continue browsing and go to example2.com. This site also displays an ad banner from the same company. Adcompany.com reads the unique ID from the cookie and uses it to store that second site in their database. Now adcompany.com knows 2 sites that you've been to.

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.

In short, the "Cookie Threat" is overblown by some people. There are much worse things out there to worry about.
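The tracking flow described in the post above, as an added example that is not part of the original thread: a toy browser cookie jar and ad server showing how one ID links visits across sites, and how deleting or blocking the third-party cookie breaks that link. All class and function names are hypothetical, the site list is constructed, and "third party" is simplified to an exact host comparison.

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
// Models only the cookie mechanism: no network, no IP addresses, no fingerprinting.

// Constructed sample browsing session.
const SITES = ["example1.com", "example2.com", "example3.com"];

class AdServer {
  constructor(host) {
    this.host = host;
    this.profiles = new Map(); // unique ID -> sites where the banner was loaded
    this.nextId = 1;
  }

  // One banner request. `cookieId` is what the browser sent back (or null);
  // `embeddingSite` is the page that displayed the banner.
  serveBanner(cookieId, embeddingSite) {
    let id = cookieId;
    let setCookie = null;
    if (id === null || !this.profiles.has(id)) {
      // No usable cookie: to the ad server this is a brand-new visitor.
      id = `uid-${this.nextId++}`;
      this.profiles.set(id, []);
      setCookie = id;
    }
    this.profiles.get(id).push(embeddingSite);
    return { setCookie };
  }
}

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie host -> stored value
  }

  // Load a page on `site` that embeds a banner from `adServer`.
  visit(site, adServer) {
    // Simplification: real browsers compare registrable domains, not exact hosts.
    const isThirdParty = adServer.host !== site;
    const cookiesAllowed = !(isThirdParty && this.blockThirdParty);
    const sent =
      cookiesAllowed && this.jar.has(adServer.host) ? this.jar.get(adServer.host) : null;
    const { setCookie } = adServer.serveBanner(sent, site);
    // A blocked third-party cookie is neither sent nor stored.
    if (setCookie !== null && cookiesAllowed) this.jar.set(adServer.host, setCookie);
  }

  deleteCookiesFor(host) {
    this.jar.delete(host);
  }
}

// Returns the ad server's view after the session: one array of sites per ID it issued.
function runScenario({ blockThirdParty = false, deleteBetweenVisits = false } = {}) {
  const ads = new AdServer("adcompany.com");
  const browser = new Browser({ blockThirdParty });
  for (const site of SITES) {
    browser.visit(site, ads);
    if (deleteBetweenVisits) browser.deleteCookiesFor(ads.host);
  }
  return [...ads.profiles.values()];
}

console.log("cookie kept:        ", JSON.stringify(runScenario()));
console.log("deleted each visit: ", JSON.stringify(runScenario({ deleteBetweenVisits: true })));
console.log("third-party blocked:", JSON.stringify(runScenario({ blockThirdParty: true })));
```

In the deletion and blocking runs the ad server still receives every banner request; what it loses is the stored ID that ties those requests to one profile.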
Bobby_Peru
Premium Member
join:2003-06-16

3 edits

1 recommendation

Bobby_Peru

Premium Member

said by TechyDad:

... The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. ...
Once again, no, since it doesn't stop at just setting and tracking cookies online. Unfortunately online "advertising networks" do not exist only Virtually (sorry Mr. Larry...).

Blake's example fails to expressly make the leap that is _no_ problem for all this - the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.

The existence of greater risks is really not disputable, but that does not change the existence of this specific risk, nor really matter, since it is simple to greatly reduce this potential intrusion:

1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser
4) Prevent the AdCompanies from setting cookies and from obtaining your IP in the first place with a combination of Scrud-Filters and Cookie Controls.

[edit: forgot *Block all 3rd Party Cookies]

While you may not be able to control the compilation and spread of this personal "history" type of information in many areas (i.e. credit card usage), the cost of greatly reducing this intrusion in this particular area is extremely low (software is all free, very little time needed).

Helpful Tools:
-FireFox/Mozilla
To prevent Ad companies from the acquisition of your IP and attempting to set cookies get the AdBlock extension.

Supplement FireFox's native site-specific Cookie Control with the following extensions for ease of use and configuration: CookieCuller, CookieButton, ViewCookies.

Consider the use of a Proxy like WebWasher, or the teeny tiny mighty mighty Proxomitron to scrub and control this stuff at a lower level, for all browsers and chat clients on your machine.

[edit: typo(s), added "Contests", clarity (I hope)]

BrettStarr
Premium Member
join:2003-11-07
Las Vegas, NV

3 recommendations

BrettStarr

Premium Member


[Attached pics: Advanced Settings; Managed Sites]
said by Bobby_Peru:

...
1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ...
I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area,
click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch).
OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2) click PRIVACY tab:
click Advanced.. make settings as shown in pic. click OK.
click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list.
Try it!...you'll be pleasantly surprised how great this works.
-
NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN!
ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to Link Logger

Premium Member

to Link Logger
John C. Dvorak just lost any credibility he once had with me (did he ever have any..). That view is far too extreme. So extreme in fact, I pray that article was written sarcastically. Cookies are delicious delicacies, not malignant tumors. Cookies are the only way a website can have any assurance that a particular user has returned, and respond appropriately, without having to make the user enter some id number or login.

I take no special precautions with cookies, save for some sites in Mozilla's block list from one of those rare times I clean em up.

So they can eventually identify you. So what? That's what bitbuckets and trash cans/recycle bins are for. What's one more piece of junkmail to throw away?

Spooler
@cableone.net

Spooler to Link Logger

Anon

to Link Logger

is this too much of a stretch?

Blake said:
"
Two weeks later, you go back to the ABC Books site. First thing, your browser checks for an ABC cookie. It finds it, and sends it to ABC's computer.

When the ABC site opens, it says "Welcome back, Joe!" How does it know? The ABC Book Co. has the information about the sale two weeks ago in its database. It matches the ID number in the cookie to the sale information, and customizes the page for you.

When you next make a purchase, you won't have to enter your credit-card number or address. That will already be filled in. Again, that came from the database, and was enabled by the cookie."

----------------

Okay, assume other spyware is on the user's machine which transmits the ABC cookie from the user's machine to a third party. The third party then sends it from another machine to the ABC site, does the third party then have access to purchase things on the user's credit card?

TechyDad
Premium Member
join:2001-07-13
USA

1 recommendation

TechyDad

Premium Member

Perhaps. Of course, the spyware could just "listen in" on what you type on the keyboard and send that back to its master. Then the "spyware master" will not only have access to credit card numbers, but also to usernames and passwords.

We're getting past spyware and into a keylogger trojan, but that's just semantics really. Once a malicious program is running on your system you've lost the battle. It doesn't matter if a cookie stores an ID for ABC Book company or if you log in each time.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to sivran

to sivran

Re: How 'bad' are spyware cookies??

said by sivran:

John C. Dvorak just lost any credibility he once had with me (did he ever have any..). That view is far too extreme.
I pretty much completely agree with this: cookies are very nearly "nothing to think about", and it does a disservice to stupid users by misleading them about "what really matters" and "what's not that important".

People who rail against cookies do not belong in the security community.

Steve

TechyDad
Premium Member
join:2001-07-13
USA

TechyDad to Bobby_Peru

Premium Member

to Bobby_Peru
said by Bobby_Peru:

the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
How would "Adcompany" know, via cookies, that the person at IP address 123.45.67.89 who loaded their banner ad from SomeCompany.com at a specific time is really Jason Levine and that I live at 123 Someroad Lane? (Not my real address obviously.)

Sure, they *might* be able to have a marketing deal with a company that I've given my personal information to, but this is hardly a cookie issue. If they can ID me every time I load up an ad banner of theirs, why even bother with cookies?

I do agree though that you should refuse any unneeded cookies. Not so much as a security issue, but because I think that sites overuse cookies. I have my browser configured to block 3rd party cookies, and prompt me on 1st party ones. (Session cookies are always allowed.)

If a site tries to load a cookie, I decide whether to allow it or not. Most times I block it. If the site is persistent in trying to put a cookie on my computer then they get Always Block status. (I've seen sites that require a cookie read/write to load up each image on the page!)
Bobby_Peru
Premium Member
join:2003-06-16

2 edits

2 recommendations

Bobby_Peru

Premium Member

Jason, if you, or anyone, has any doubts about the "possibility" of alliances between cross-site online Ad/Cookie servers, like DoubleClick, and terrestrial targeted marketing firms with deep transactional (and more) data, like ABACUS, you might want to consider that DoubleClick bought ABACUS some years ago.

While it is much more than a cookie issue, cookies are one place one can easily (no cost) exercise control to impede this.

»www.abacus-direct.com/co ··· file.asp

»www.abacus-direct.com/do ··· tion.asp
said by ABACUS:

THE DOUBLECLICK CONNECTION

The Abacus-DoubleClick combination is more than dynamic and offers you solutions you can't find anywhere else. The Abacus-DoubleClick connection allows you to accurately identify and target your audience whether it is consumer or business to business. You can reach your customers through a multiple of channels including direct mail, Internet, e-mail, or wireless communications.

With the Abacus-DoubleClick connection you can identify where your customers and prospects are buying: web, catalog, retail or phone. This powerful pooled combination of information and technology will enable you to improve client profitability and increase your market share.
»www.abacus-direct.com/pr ··· ucts.asp
said by ABACUS:

ABACUS, a division of DoubleClick Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and extensive media reach, we target the customers most likely to buy your products or services.

The Abacus Alliance database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from catalog, retail, business-to-business, e-commerce, and publishing markets. We span multiple channels so you can integrate the most broadly based yet highly targeted campaigns for customer acquisition or retention.
It's pretty obvious what can be done, and pretty obvious what they brag about doing. If it doesn't matter to a user, so be it (even though such acceptance ultimately 'trickles-down' to even greater intrusive behavior against everyone), but users should be aware.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 edit

2 recommendations

Mele20 to Steve

Premium Member

to Steve
said by Steve:
said by sivran:
People who rail against cookies do not belong in the security community.

Steve
Gee, thank you kind sir! I've been here over three years and did not realize until now that I was not welcome.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

1 recommendation

Steve

I have no idea what your opinion is on cookies (though I take it I can guess), but those who rail hysterically against cookies are not part of the professional security community.

It's more than fine to dislike cookies, to block them, to not care for advertising in general, and to hate Doubleclick, but when I see people putting cookies in the same category as real spyware, it shows a poverty of perspective.

I have no idea if that applies to you, and in any case anybody is welcome to post here.

Steve
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 recommendation

Mele20

Premium Member

Ahh..you have now qualified your original statement to read "professional" security community instead of just "security community". Fine. I am not a member of the "professional" security community. I do consider myself a member of the "security community" as I have a strong interest in computer security and have been posting in this forum (the main forum I visit here) for over three years. I also post regularly at Wilders Security and also at Computer Cops.

I do agree that "railing hysterically" about cookies is not very smart be it from a "professional" security person or simply a user who tries to keep up with security issues regarding their computer. I suspect though that we might disagree somewhat on what specifically entails "railing hysterically" in regard to cookies.

The first piece of software I ever bought about 8 months after I got my first computer in 1999 was Cookie Crusher. I still consider it to have been one of the most important softwares I could get at the time. I was already using Ad/subtract beta and had just gotten Zone Alarm beta for a dial up connection. I had no idea what a cookie was when I first got that computer. When I first looked at my cookies I was appalled as I had hundreds of them and many of them were third party. I began reading about cookies and bought Cookie Crusher and still use it on that computer. I have stated many times over the years here how I feel about cookies. I vividly recall the lengthy, classic discussions here on cookies when IE6 first came out. I refused to upgrade my 98Se box to IE6 because of its poor handling of cookies. Instead, I got Mozilla way back because it handles cookies so much better even after IE6 cookie handling was improved. On my XP Pro box, I allow only a handful of permanent cookies and one reason I don't use IE on it is because it still has poor cookie handling compared to FF and Mozilla.

ttt2525
@cpe.net.cable.rogers

ttt2525

Anon

Oh, I guess you're talking about how IE6 no longer allowed you to set cookies in zones. I used to block all cookies in the internet zone and allow them in trusted...sadly, a few virus scares forced me to upgrade to IE6

hpguru
Curb Your Dogma
Premium Member
join:2002-04-12

1 recommendation

hpguru to TechyDad

Premium Member

to TechyDad
said by TechyDad:

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.
Yes and no. I have detected my IP address in cookies served from various sites (not in a while though). I have also seen sites insert my IP address into the query strings and posted data from form submittal. So while deleting stored cookies will prevent most sites from tracking you it won't help if they are using your IP as a unique id unless your IP address changes frequently.
ghost16825
Use security metrics
Premium Member
join:2003-08-26

ghost16825

Premium Member

said by hpguru:

said by TechyDad:

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.
Yes and no. I have detected my IP address in cookies served from various sites (not in a while though). I have also seen sites insert my IP address into the query strings and posted data from form submittal. So while deleting stored cookies will prevent most sites from tracking you it won't help if they are using your IP as a unique id unless your IP address changes frequently.
That's exactly it. If your IP address changes frequently and you delete cookies before the IP changes over in all reality what can be done?
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

But who has a dynamic IP these days? My IP hasn't changed since the last time I shut the computer down when I went on vacation. That was Sept 2003. I bought this computer November 2003 and have had the same IP address all this time. I have Road Runner as my ISP. I have noted for years that if you want a new IP with Road Runner you must shut down the computers for at least 96 hours and sometimes it must be even longer. Three weeks will do it.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to ghost16825

Premium Member

to ghost16825
said by ghost16825:

That's exactly it. If your IP address changes frequently and you delete cookies before the IP changes over in all reality what can be done?
That's it exactly. I'll take it a step further & ask even if your IP doesn't change frequently in all reality what can be done?

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger

MVM

Excellent discussion thus far. I would agree that when a cookie is cross linked with personal data then that would be bad. The easy way to deal with that is don't give out your personal information to any site which sells or otherwise cross links your personal data (generally it's not a good idea to give out personal data unless you absolutely have to and then only to a highly responsible site). If you have to give out personal data and you suspect the site is bogus, give bogus information as the only thing worse than no information is bogus information. So in short for myself unless some very trusted sites have coughed up the pill then it's unlikely that my personal information exists in any adware/spyware site. If they did have my email address then any email they send me will be consumed by my ever so hungry spam filters. As for popping up ad-banners based on sites I have previously visited, who cares as I can choose to ignore them as I wish, or I can block that traffic at the firewall for example (and likely pay a performance penalty as it seems that some sites want to persuade you not to block banners or ads).

I think that any company that sells or is otherwise cross linking personal data with adware/spyware cookie companies should be exposed and shot, twice.

Anyone who thinks that cookies should be tossed altogether has no idea as to how the internet works and why cookies are required and I'd like to see PCMag under the artful guidance of Mr. Dvorak eliminate cookies from their site first, good luck.

It would also appear that it is possible to configure just about any browser to reject or otherwise manage cookies, so in my ever so humble opinion anyone who mentions spyware cookies in the same statistic as spyware/malware infections like CWS or keyloggers is likely trying to sell you something based on FUD.

Blake

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by Link Logger:

... I would agree that when a cookie is cross linked with personal data then that would be bad. The easy way to deal with that is don't give out your personal information to any site which sells or otherwise cross links your personal data (generally it's not a good idea to give out personal data unless you absolutely have to and then only to a highly responsible site)....
That's it again. How do you separate the responsible sites from the irresponsible ones? You use cookies.
If a site is setting tracking cookies, that's not a site I'm likely to share anything with. Tracking cookies cut both ways.

antiserious
The Future ain't what it used to be
Premium Member
join:2001-12-12
Scranton, PA

1 recommendation

antiserious to Steve

Premium Member

to Steve
said by Steve:
I pretty much completely agree with this: cookies are very nearly "nothing to think about", Steve

... then it shouldn't matter that I toss 'em almost immediately ...

... my take is simple - the site didn't ask me (directly) if they could plant a cookie, they didn't explain what data they were 'harvesting' or what they planned to use it for, and often the site will work adequately without the cookie - so they (or you) shouldn't mind if I decline the cookie or delete it immediately after leaving the site ... it's no bother to me to clean 'em out, or log in again when I need to ...

... "People who rail against cookies do not belong in the security community." ... that seems a bit harsh, if not absurd ...

... f w i w ...
Goldengamego
Premium Member
join:2004-02-22
Okemos, MI

Goldengamego to Link Logger

Premium Member

to Link Logger
Again and again and again.

They are just text files; the websites 'setting' them are not really ever touching your computer in any way. It is simply telling your browser to "help remember this for me" and your browser jots whatever it was down (or a ref ID to it on the server) in a text file aka. the cookie.

They only get what you give them. So don't, or give them BS (I have my Google toolbar preprogrammed with mounds of bogus info for just such occasions).

Who came up with "cookie" anyway? Why not just log or state file?
alien8
join:2004-03-03
UK

alien8

Member

"Where did the term cookies come from?":
»www.cookiecentral.com/faq/#1.2
steveknj4
join:2001-05-09
Old Bridge, NJ

steveknj4 to Link Logger

Member

to Link Logger
My rule with cookies, which is something I read on a website like CNET or ZDNET years ago (or maybe in a magazine), is I NEVER accept a cookie from a website that doesn't match the website's domain. For example, if I'm at Yahoo and I am prompted to accept a cookie from yahoo.com, then I will usually accept it. But if I'm at Yahoo, and am prompted to accept a cookie from joeswebsite.com, then I WON'T accept. With that and running spybot, I have managed to stay generally clean. I have also played around a bit with IE6's cookie settings and they seem to help in websites that require certain odd named cookies in order to load (Excite seems to work in this fashion). All in all, if a website doesn't require a cookie to load, I err on the side of caution and don't load.