
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| How 'bad' are spyware cookies??
It is somewhat my belief that the issue of spyware cookies is vastly overblown, but of course I could be wrong so hopefully this is the start of a thread which will educate myself and others on the evils of spyware cookies, and how much information can be collected by them and how 'dangerous' this information could be.
So using a description of cookies posted on Microsoft's site written by Kim Komando, let's start this thread.
--------------------- Know good cookies from bad cookies. These little text files have a bad reputation. But much of that is based on ignorance. Cookies actually perform valuable services. For instance, they can shoot you right into a site so you don't have to enter your password.
Here's how cookies work: Say you visit the ABC Book Co. You buy a book. The company downloads a text file to your computer, which includes an ID number. That's a cookie.
Two weeks later, you go back to the ABC Books site. First thing, your browser checks for an ABC cookie. It finds it, and sends it to ABC's computer.
When the ABC site opens, it says "Welcome back, Joe!" How does it know? The ABC Book Co. has the information about the sale two weeks ago in its database. It matches the ID number in the cookie to the sale information, and customizes the page for you.
When you next make a purchase, you won't have to enter your credit-card number or address. That will already be filled in. Again, that came from the database, and was enabled by the cookie.
That is all very convenient. But there are less desirable cookies, too. They're called tracking cookies. Say you visit the XYZ Brain Surgery site. There's a banner ad there. It is linked to an advertising services company. It downloads a cookie. The cookie says, "This person visited XYZ Brain Surgery."
Next, you go to a heart transplant site. The banner ad there is associated with the same advertising company. The browser sends the cookie to the banner ad. The ad adds a notation that you visited the heart transplant site.
Over time, the tracking cookie builds a profile of your interests. The advertising services company sells this information. That's why you start getting advertising for medical equipment. ---------------------
OK so evil spyware cookie company knows I visit sites like this, how bad is that and what other information do they have (and how do they get it which might be a more important question)?
Blake
-- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
| |   pieter arntz
join:2002-02-26 Netherlands
| Since agreeing with you will hardly make it a discussion, here is a completely different opinion: »www.pcmag.com/article2/0,1759,1674169,00.asp
Quote for those that don't like the cookies from PC Magazine. 
quote: But let's go further and ban cookies too. Cookies are those small files that Web sites store on your computer for their convenience. I never even liked the idea of cookies. Why should some Web site be storing its data on my machine? While a cookie is kind of handy when you want to store a password, this can be done other ways without the alien Web site looking at my files. Whose idea was this anyway? Cookies are like those marks that hoboes used to make on picket fences during the depression in the 1930s. They were marks to tell other hoboes who the rubes were. A cookie is a marker telling Web sites that I'm a sucker.
{snipped a bit}
Back to my main complaint. One thing that comes to mind in all this debate and hand-wringing over spyware, cookies, ActiveX, Java and the like is the idea of making any use of cookie technology itself illegal.
I've thought about this before. This is all about your computer doing stuff to my computer without my permission, isn't it? Make all such action illegal. That means cookies too. So what if the browser lets you create cookies? Does that mean we cannot outlaw them? There are plenty of capabilities within browser code that shouldn't be allowed to be present. But let's start with cookies and generalize a law with cookies in mind.
Something like this would work for me: "Any person who knowingly writes or reads files from another person's computer by personal or robotic means for whatever reason whatsoever and without the permission of the party involved, with full knowledge of the activity each and every time the action is performed, is guilty of a felony and subject to fine and imprisonment not to exceed $10,000 and one year in prison for each offense."
That would cover it for me.
John C. Dvorak
Personally, I tend to agree more with SpywareGuide's view as published here: »www.spywareguide.com/articles/in···_57.html It's the thought that counts more than the doing.
Regards,
Pieter
-- Metallica rulez
| |   dp Premium,MVM join:2000-12-08 Greensburg, PA
·Verizon Online DSL
| There is also a lengthy discussion on that article going on in their forums (PC Mag). »discuss.pcmag.com/n/main.asp?web···=43277.1
-- Write your questions down on the back of a $20 dollar bill and send them to me
| |  Terikan
join:2004-10-07 Russell, KS
| reply to Link Logger
It's fine that people have their opinions about cookies and such, it's the misconceptions that get me riled up.
| |  dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
| reply to Link Logger
quote: "Any person who knowingly writes or reads files from another person's computer by personal or robotic means for whatever reason whatsoever and without the permission of the party involved, with full knowledge of the activity each and every time the action is performed, is guilty of a felony and subject to fine and imprisonment not to exceed $10,000 and one year in prison for each offense."
So, if I have a web site that presents content in the MIME type 'application_octet_stream/bananamatic', and this causes your browser to read its config files to see whether it can handle the bananamatic format, then I've committed a felony?
How is this, mechanically, any different from my web site causing your browser to read a cookie file?
Come to think of it, if I deliver a fairly large graphic to your memory-constrained PC, haven't I just caused your paging file to be written?
Legal codes are supposed to be unambiguous, and that wording certainly is full of ambiguity. We could start by discussing the word 'file', which I suspect is loose enough to drive a truckload of lawyers through.
The fundamental problem, as I see it, is that by you pointing your web browser at my web site, you have in fact invited my web site to alter things in your running computer. That's simply the nature of the beast. If you don't want any state changes that you did not explicitly authorize, then you'd be better off sticking to something less interactive, like ftp.
Lest you misunderstand me as having sympathy for scumbags: I don't. However, I wouldn't want to see a law that's either (a) so full of loopholes it provides no protection, or (b) so overreaching that any web site anywhere is subject to nuisance lawsuits from idiots.
| |   jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| reply to Link Logger
I tend to accept only certain cookies and make sure that I am cleaned of all others as I see fit. I prefer Oreos over most of those that are dispersed from the Internet.
For those who are not quite up to snuff or as yet educated enough to really follow some of these articles, my suggestion is to give a description of what a cookie is. The following comes from »computerproblems.com/questions/q···?id=2323.
"Cookies" are small text files that are stored on a Web user's hard drive to serve as a unique identifier for tracking that user's preferences and profile on that Web site. Most cookie files are stored in the C:\WINDOWS\COOKIES directory or folder. They take very little space (I have over 200 Cookie files on my system that take less space than a single floppy disk) so filling up your hard drive with Cookies is not a real concern. No personal information about you or your computer, is stored in these files, but rather a profile of your movements and preferences when surfing.
In the beginning, Cookies were to be used within one Web site to track specific information such as usernames and passwords for membership-based sites, to track your on-line purchases via a "shopping basket" or to store your preferences for that site (i.e. show me sports news but only about hockey). These were good uses of cookies that made getting in and around our favorite Web sites easier and more enjoyable.
But then along came the marketing wizards that put up sites such as DoubleClick (www.doubleclick.com) and NetGravity (www.netgravity.com) that now use cookies to silently track a user's movements between their clients' sites that carry their ads. When a user visits AltaVista to use the search engine, for example, a cookie is sent along with that site's images, and the information is stored in a database on a remote server at DoubleClick. This information is supposed to be used to display banner ads that would specifically appeal to you based on your previous uses whenever you visit a member Web site, not just AltaVista. This worries some users, who feel like they are being watched. Most people that are concerned about cookie usage will either block or delete the cookie files on their hard drive. Is it a case of paranoia or just playing it safe? It depends upon what you believe is possible with the information that is being gathered.
Most people that fear cookies, are more concerned about what may be done with them in the future.
Deleting cookies is fairly easy. Most cookie files are stored in the C:\WINDOWS\COOKIES directory or folder. If you have activated user profiles, each of your users that have accessed the Internet has their own cookie directory in the C:\WINDOWS\PROFILES folder. Double-click the username folder (where username is the name you use to log on to Windows) to locate the COOKIES folder. Simply delete the entire COOKIE folder when you finish surfing and none of the information that was gathered will be available the next time you connect to the Web. When you delete all your Cookie files, however, any personal preferences or user registration information for certain web sites will be deleted as well. You may have to go through a registration or reset of your preferences every time you go to these types of sites if you use this practice.
Blocking cookies is fairly easy in most current Internet browsers. Programs like Microsoft's Internet Explorer or Netscape's Communicator/Navigator give you options to either be notified before accepting a cookie or just plain block all cookies. Most current versions of Microsoft's Internet Explorer allow you to change these settings by going to the VIEW/INTERNET OPTIONS menu, then click on the Advanced tab. Look for the word cookies in the listings for the options to accept, ask before accepting or blocking all cookies. Current Netscape versions will generally allow you to change Cookie options by clicking on the EDIT/PREFERENCES menu, then click on advanced. Be aware, however, some Web sites will not allow you access without placing a cookie on your computer, so you may be limiting your surfing options."
| |   salzan Experienced Optimist Premium join:2004-01-08 WA State
| reply to Link Logger My fear of cookies comes from a few years ago. I was surfing some sites I probably shouldn't have been at, (mostly *.am and *.ru) and got the "accept cookie?" pop-up (even in those days I had IE set to "always ask"). I remember thinking about it for a second and then clicking "allow". Within seconds I had the red screen from the AV alerting me that "Trojan something or other" was in my internet cache.
Looking back, it was probably just a coincidence but I've never lost the feeling that I may have actually allowed the malware to get on my system by clicking "allow".
Is it ridiculous to suspect the possibility of something other than a text file piggybacking in with the cookie?
| |   Jason Levine Premium join:2001-07-13 Albany, NY
| The cookie may contain HTML or JavaScript code for an exploit (and thus trigger an AV notification), but it's benign until the website that created the cookie reads and displays the contents. And if a website is going to do that, they'll likely skip the cookie entirely and just display the exploit code directly.
The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. For example, you land on example1.com and see an ad banner. The ad banner, served by adcompany.com, writes a cookie to your hard drive with a unique ID. In their back-end database, they associate that unique ID with example1.com.
Now you continue browsing and go to example2.com. This site also displays an ad banner from the same company. Adcompany.com reads the unique ID from the cookie and uses it to store that second site in their database. Now adcompany.com knows 2 sites that you've been to.
However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.
In short, the "Cookie Threat" is overblown by some people. There are much worse things out there to worry about.
-- -Jason Levine http://www.jasons-toolbox.com/ http://www.PCQandA.com/ http://www.urateit.com/
| |  Bobby_Peru Premium join:2003-06-16
edit: October 25th, @08:07PM
| said by Jason Levine : ... The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. ...
Once again, no, since it doesn't stop at just setting and tracking cookies online. Unfortunately online "advertising networks" do not exist only Virtually (sorry Mr. Larry...).
Blake's example fails to expressly make the leap that is _no_ problem for all this - the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticeable_ effect.
"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)
If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
The existence of greater risks is really not disputable, but that does not change the existence of this specific risk, nor really matter, since it is simple to greatly reduce this potential intrusion:
1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser
4) Prevent the AdCompanies from setting cookies and from obtaining your IP in the first place with a combination of Scrud-Filters and Cookie Controls.
[edit: forgot *Block all 3rd Party Cookies]
While you may not be able to control the compilation and spread of this personal "history" type of information in many areas (i.e. credit card usage), the cost of greatly reducing this intrusion in this particular area is extremely low (software is all free, very little time needed).
Helpful Tools:
-FireFox/Mozilla
To prevent Ad companies from the acquisition of your IP and attempting to set cookies get the AdBlock extension.
Supplement FireFox's native site-specific Cookie Control with the following extensions for ease of use and configuration: CookieCuller, CookieButton, ViewCookies.
Consider the use of a Proxy like WebWasher, or the teeny tiny mighty mighty Proxomitron to scrub and control this stuff at a lower level, for all browsers and chat clients on your machine.
[edit: typo(s), added "Contests", clarity (I hope)]
-- **~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**
| |   BrettStarr Premium join:2003-11-07 Las Vegas, NV
| [Attached images: Advanced Settings, Managed Sites]
said by Bobby_Peru :... 1) Refuse cookies that are not absolutely needed 2) Force all cookies to Session status (unless Persistent status is absolutely needed) 3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ...
I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area, click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch). OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2) click PRIVACY tab: click Advanced.. make settings as shown in pic. click OK. click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list. Try it!...you'll be pleasantly surprised how great this works. - NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN! ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER.
| |   sivran God Save The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
·Comcast
| reply to Link Logger John C. Dvorak just lost any credibility he once had with me (did he ever have any..). That view is far too extreme. So extreme in fact, I pray that article was written sarcastically. Cookies are delicious delicacies, not malignant tumors. Cookies are the only way a website can have any assurance that a particular user has returned, and respond appropriately, without having to make the user enter some id number or login.
I take no special precautions with cookies, save for some sites in Mozilla's block list from one of those rare times I clean em up. 
So they can eventually identify you. So what? That's what bitbuckets and trash cans/recycle bins are for. What's one more piece of junkmail to throw away?
-- TCPA - Treacherous Computing Kerio 2.1.5 - Best damn firewall Licenses should be per user, Ditch Norton! Get F-Prot!
| |   Spooler
@cableone.net
| reply to Link Logger is this too much of a stretch?
Blake said: " Two weeks later, you go back to the ABC Books site. First thing, your browser checks for an ABC cookie. It finds it, and sends it to ABC's computer.
When the ABC site opens, it says "Welcome back, Joe!" How does it know? The ABC Book Co. has the information about the sale two weeks ago in its database. It matches the ID number in the cookie to the sale information, and customizes the page for you.
When you next make a purchase, you won't have to enter your credit-card number or address. That will already be filled in. Again, that came from the database, and was enabled by the cookie." ----------------
Okay, assume other spyware is on the user's machine which transmits the ABC cookie from the user's machine to a third party. The third party then sends it from another machine to the ABC site, does the third party then have access to purchase things on the user's credit card?
| |   Jason Levine Premium join:2001-07-13 Albany, NY
| Perhaps. Of course, the spyware could just "listen in" on what you type on the keyboard and send that back to its master. Then the "spyware master" will not only have access to credit card numbers, but also to usernames and passwords.
We're getting past spyware and into a keylogger trojan, but that's just semantics really. Once a malicious program is running on your system you've lost the battle. It doesn't matter if a cookie stores an ID for ABC Book company or if you log in each time.
-- -Jason Levine http://www.jasons-toolbox.com/ http://www.PCQandA.com/ http://www.urateit.com/
| |   Steve Security is inefficient Consultant join:2001-03-10 Tustin, CA
| reply to sivran Re: How 'bad' are spyware cookies??
said by sivran :John C. Dvorak just lost any credibility he once had with me (did he ever have any..). That view is far too extreme.
I pretty much completely agree with this: cookies are very nearly "nothing to think about", and it does a disservice to stupid users by misleading them about "what really matters" and "what's not that important".
People who rail against cookies do not belong in the security community.
Steve
-- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site
| |   Jason Levine Premium join:2001-07-13 Albany, NY
| reply to Bobby_Peru
said by Bobby_Peru : the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticeable_ effect. "AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.) If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
How would "Adcompany" know, via cookies, that the person at IP address 123.45.67.89 who loaded their banner ad from SomeCompany.com at a specific time is really Jason Levine and that I live at 123 Someroad Lane? (Not my real address obviously.)
Sure, they *might* be able to have a marketing deal with a company that I've given my personal information to, but this is hardly a cookie issue. If they can ID me every time I load up an ad banner of theirs, why even bother with cookies?
I do agree though that you should refuse any unneeded cookies. Not so much as a security issue, but because I think that sites overuse cookies. I have my browser configured to block 3rd party cookies, and prompt me on 1st party ones. (Session cookies are always allowed.)
If a site tries to load a cookie, I decide whether to allow it or not. Most times I block it. If the site is persistent in trying to put a cookie on my computer then they get Always Block status. (I've seen sites that require a cookie read/write to load up each image on the page!)
-- -Jason Levine http://www.jasons-toolbox.com/ http://www.PCQandA.com/ http://www.urateit.com/
| |  Bobby_Peru Premium join:2003-06-16
edit: October 25th, @07:29PM
| Jason, if you, or anyone, has any doubts about the "possibility" of alliances between cross-site online Ad/Cookie servers, like DoubleClick, and terrestrial targeted marketing firms with deep transactional (and more) data, like ABACUS, you might want to consider that DoubleClick bought ABACUS some years ago.
While it is much more than a cookie issue, cookies are one place one can easily (no cost) exercise control to impede this.
»www.abacus-direct.com/corporate_profile.asp
»www.abacus-direct.com/doubleclic···tion.asp
said by ABACUS:
THE DOUBLECLICK CONNECTION
The Abacus-DoubleClick combination is more than dynamic and offers you solutions you can't find anywhere else. The Abacus-DoubleClick connection allows you to accurately identify and target your audience whether it is consumer or business to business. You can reach your customers through a multiple of channels including direct mail, Internet, e-mail, or wireless communications.
With the Abacus-DoubleClick connection you can identify where your customers and prospects are buying: web, catalog, retail or phone. This powerful pooled combination of information and technology will enable you to improve client profitability and increase your market share.
»www.abacus-direct.com/products/p···ucts.asp
said by ABACUS:
ABACUS, a division of DoubleClick Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and extensive media reach, we target the customers most likely to buy your products or services.
The Abacus Alliance database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from catalog, retail, business-to-business, e-commerce, and publishing markets. We span multiple channels so you can integrate the most broadly based yet highly targeted campaigns for customer acquisition or retention.
It's pretty obvious what can be done, and pretty obvious what they brag about doing. If it doesn't matter to a user, so be it (even though such acceptance ultimately 'trickles-down' to even greater intrusive behavior against everyone), but users should be aware.
-- **~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**
| |  Mele20 Premium join:2001-06-05 Hilo, HI
edit: October 25th, @07:42PM
| reply to Steve
said by Steve : said by sivran :People who rail against cookies do not belong in the security community. Steve
Gee, thank you kind sir! I've been here over three years and did not realize until now that I was not welcome.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
| |   Steve Security is inefficient Consultant join:2001-03-10 Tustin, CA
| I have no idea what your opinion is on cookies (though I take it I can guess), but those who rail hysterically against cookies are not part of the professional security community.
It's more than fine to dislike cookies, to block them, to not care for advertising in general, and to hate Doubleclick, but when I see people putting cookies in the same category as real spyware, it shows a poverty of perspective.
I have no idea if that applies to you, and in any case anybody is welcome to post here.
Steve
-- Stephen J. Friedl Unix Wizard Microsoft MVP Tustin, California USA my web site
| |  Mele20 Premium join:2001-06-05 Hilo, HI
| Ahh..you have now qualified your original statement to read "professional" security community instead of just "security community". Fine. I am not a member of the "professional" security community. I do consider myself a member of the "security community" as I have a strong interest in computer security and have been posting in this forum (the main forum I visit here) for over three years. I also post regularly at Wilders Security and also at Computer Cops.
I do agree that "railing hysterically" about cookies is not very smart be it from a "professional" security person or simply a user who tries to keep up with security issues regarding their computer. I suspect though that we might disagree somewhat on what specifically entails "railing hysterically" in regard to cookies.
The first piece of software I ever bought about 8 months after I got my first computer in 1999 was Cookie Crusher. I still consider it to have been one of the most important softwares I could get at the time. I was already using Ad/subtract beta and had just gotten Zone Alarm beta for a dial up connection. I had no idea what a cookie was when I first got that computer. When I first looked at my cookies I was appalled as I had hundreds of them and many of them were third party. I began reading about cookies and bought Cookie Crusher and still use it on that computer. I have stated many times over the years here how I feel about cookies. I vividly recall the lengthy, classic discussions here on cookies when IE6 first came out. I refused to upgrade my 98Se box to IE6 because of its poor handling of cookies. Instead, I got Mozilla way back because it handles cookies so much better even after IE6 cookie handling was improved. On my XP Pro box, I allow only a handful of permanent cookies and one reason I don't use IE on it is because it still has poor cookie handling compared to FF and Mozilla.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
| |   ttt2525
@cable.rogers
| Oh, I guess you're talking about how IE6 no longer allowed you to set cookies in zones. I used to block all cookies in the internet zone and allow them in trusted...sadly, a few virus scares forced me to upgrade to IE6
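
The tracking mechanism described in this thread (a banner from adcompany.com setting a unique-ID cookie and reading it back on example1.com and example2.com), together with the effect of blocking third-party cookies or clearing them, as an added simulation that is not part of any post above. The `AdServer` and `Browser` classes, the `uid` cookie name and example3.com are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from itertools import count

AD_DOMAIN = "adcompany.com"  # the thread's hypothetical ad network


class AdServer:
    """Constructed stand-in for the ad network's banner server."""

    def __init__(self):
        self._next_id = count(1)
        self.profiles = {}  # unique ID -> sites where that ID loaded a banner

    def serve_banner(self, cookie_header, referer):
        """Handle one banner request; return a Set-Cookie value or None."""
        jar = SimpleCookie(cookie_header or "")
        set_cookie = None
        if "uid" in jar:
            uid = jar["uid"].value            # returning visitor
        else:
            uid = f"v{next(self._next_id)}"   # first sight: mint a new ID
            set_cookie = f"uid={uid}"
        # The Referer header names the page that embedded the banner.
        self.profiles.setdefault(uid, []).append(referer)
        return set_cookie


class Browser:
    """Minimal cookie jar with the user-side policies from the thread."""

    def __init__(self, block_third_party=False, clear_between_sites=False):
        self.block_third_party = block_third_party
        self.clear_between_sites = clear_between_sites
        self.jar = {}  # cookie domain -> Cookie header value

    def visit(self, site, ad_server):
        if self.clear_between_sites:
            self.jar.clear()
        # The page on `site` embeds a banner hosted on AD_DOMAIN, so the
        # browser sends whatever cookie it holds for AD_DOMAIN.
        sent = self.jar.get(AD_DOMAIN)
        set_cookie = ad_server.serve_banner(sent, referer=site)
        third_party = site != AD_DOMAIN
        if set_cookie and not (third_party and self.block_third_party):
            self.jar[AD_DOMAIN] = set_cookie


def browse(sites, **policy):
    """Visit sites in order; return what the ad server ends up knowing."""
    server = AdServer()
    browser = Browser(**policy)
    for site in sites:
        browser.visit(site, server)
    return server.profiles


# Constructed browsing session.
SITES = ["example1.com", "example2.com", "example3.com"]

if __name__ == "__main__":
    for label, policy in [
        ("accept all cookies", {}),
        ("block third-party", {"block_third_party": True}),
        ("clear between sites", {"clear_between_sites": True}),
    ]:
        print(f"{label:22} {browse(SITES, **policy)}")
```

In every case the banner request still reaches the ad server; the policies only remove the cookie-based link between visits, which is why the thread pairs cookie controls with ad filtering.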