Bobby_Peru
Premium
join:2003-06-16


3 edits

Re: How 'bad' are spyware cookies??

said by Jason Levine See Profile:

... The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. ...
Once again, no, since it doesn't stop at just setting and tracking cookies online. Unfortunately online "advertising networks" do not exist only Virtually (sorry Mr. Larry...).

Blake's example fails to expressly make the leap that is _no_ problem for all this - the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day_ _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.

The existence of greater risks is really not disputable, but that does not change the existence of this specific risk, nor really matter, since it is simple to greatly reduce this potential intrusion:

1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser
4) Prevent the AdCompanies from setting cookies and from obtaining your IP in the first place with a combination of Scrud-Filters and Cookie Controls.

[edit: forgot *Block all 3rd Party Cookies]

While you may not be able to control the compilation and spread of this personal "history" type of information in many areas (i.e. credit card usage), the cost of greatly reducing this intrusion in this particular area is extremely low (software is all free, very little time needed).

Helpful Tools:
-FireFox/Mozilla
To prevent Ad companies from the acquisition of your IP and attempting to set cookies get the AdBlock extension.

Supplement FireFox's native site-specific Cookie Control with the following extensions for ease of use and configuration: CookieCuller, CookieButton, ViewCookies.

Consider the use of a Proxy like WebWasher, or the teeny tiny mighty mighty Proxomitron to scrub and control this stuff at a lower level, for all browsers and chat clients on your machine.

[edit: typo(s), added "Contests", clarity (I hope)]
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

BrettStarr
Premium
join:2003-11-07
Las Vegas, NV

Re: How 'bad' are spyware cookies??


[Attached pics: Advanced Settings, Managed Sites]
said by Bobby_Peru See Profile:

...
1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ...
I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area,
click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch).
OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2)click PRIVACY tab:
click Advanced.. make settings as shown in pic. click OK.
click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list.
Try it!...you'll be pleasantly surprised how great this works.
-
NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN!
ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER.

ttt2525

@cable.rogers

Re: How 'bad' are spyware cookies??

Wow, thank goodness for this post!! I just noticed I had about 100 spyware website entries in my "per site privacy actions" dialog in IE. Enlightening :=0

(incl. lop.com, various porn/xx sites....)
Mele20
Premium
join:2001-06-05
Hilo, HI
Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.

avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ

Re: How 'bad' are spyware cookies??

time for a tin-foil suit.....

let me know when Costco has a sale on Reynolds wrap...
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: How 'bad' are spyware cookies??

Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Also, never go to your bank from a favorites link. Always type in the address. These are just ordinary, standard safety measures.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: How 'bad' are spyware cookies??

said by Mele20 See Profile:

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.

When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned.

The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. My last Wells Fargo cookie contained B-200409191637071418511140.

When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. the IP test is not that simple, to allow for changes, but there are provisions to see that a cookie is not being shared.

When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.

Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft", so even aside of the fact that I run a secure network that prevents people from stealing my cookies, aside from the fact that banking cookies travel over unsniffable connections, there is nothing anybody could do with my banking cookies even if they got them.

If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site
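
The server-side session handling described in the post above, as an added example that is not part of the post and not any bank's code. The class and function names, the 600-second idle timeout and the sample user and address are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an opaque random ID (illustrative)."""

    def __init__(self, idle_timeout=600, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout  # assumed value; the post gives none
        self._clock = clock

    def login(self, username, client_ip):
        # The cookie value is pure randomness: nothing about the user is
        # encoded in it, so it means nothing without the server's table.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {
            "user": username,
            # Recorded but not enforced here: the post notes the IP test
            # "is not that simple", and proxies can change a client's address.
            "ip": client_ip,
            "started": now,
            "last_seen": now,
            "expired": False,
        }
        return sid

    def validate(self, sid):
        """Return (username, None) if the cookie is good, else (None, reason)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown session"
        if rec["expired"]:
            return None, "session expired"
        now = self._clock()
        if now - rec["last_seen"] > self._idle_timeout:
            rec["expired"] = True  # idle sessions cannot be revived
            return None, "idle timeout"
        rec["last_seen"] = now
        return rec["user"], None

    def logout(self, sid):
        # Invalidate on the server; deleting the browser's copy is not enough.
        rec = self._sessions.get(sid)
        if rec is not None:
            rec["expired"] = True


def demo():
    """Walk one constructed session through use, logout, replay and timeout."""
    t = [1000.0]  # fake clock so the timeline is deterministic
    store = SessionStore(idle_timeout=600, clock=lambda: t[0])
    results = []

    sid = store.login("alice", "192.0.2.10")
    results.append(store.validate(sid))      # fresh session
    t[0] += 300
    results.append(store.validate(sid))      # still inside the idle window
    store.logout(sid)
    results.append(store.validate(sid))      # cookie replayed after logout

    sid2 = store.login("alice", "192.0.2.10")
    t[0] += 601
    results.append(store.validate(sid2))     # left idle too long
    results.append(store.validate(sid2))     # and stays dead afterwards
    results.append(store.validate("not-a-real-id"))  # guessed value
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
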
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: How 'bad' are spyware cookies??

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Khaine

join:2003-03-03
Australia

Re: How 'bad' are spyware cookies??

said by Mele20 See Profile:

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
Banking cookies are generally session only, and hence are deleted when the session ends {when you close the web browser}

tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.
Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit

Re: How 'bad' are spyware cookies??

I end up with a bunch of banking cookies from just ONE bank after I close the browser. All my banks set permanent cookies. I don't know what bank you are using. I use major national banks. Even my two local banks set permanent cookies but they don't set as many as some of the national banks. They are almost as bad as Dell which sets about 15 cookies each time you visit. FF complains about Dell and the banks setting too many cookies both session and permanent.

Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!

--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Khaine

join:2003-03-03
Australia

Re: How 'bad' are spyware cookies??

said by Mele20 See Profile:

Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!
Well generally I lump privacy and anonymity together, and since security relies heavily on trust I tend to keep it separate.

I didn't mean to trivialise this issue. It is an important issue, and with governments pushing more and more draconian laws reducing our privacy it is becoming very important to keep our rights.

hpguru
Curb Your Dogma
Premium
join:2002-04-12

said by Mele20 See Profile:

...since when is PRIVACY not a SECURITY issue??? That is the main security issue!

Privacy and security are linked only in our interests. The perceived linkage may in fact be a result of the use of multifunction security apps such as firewalls which perform other tasks including cookie and active content management. Fact is, one can have good rock solid security with no particular interest in privacy protection and it will not impact his security. The obverse isn't necessarily true. Privacy only becomes a security issue once security has already been breached. So for example ID theft is a privacy issue which began with a breach in security.

That's not to say privacy isn't a legitimate concern. It is but there is only so much one can do to protect it.
--
FOUR MORE YEARS!! - of fear.
Bobby_Peru
Premium
join:2003-06-16


4 edits
said by Khaine See Profile:

tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.
Not to pick on Khaine, but perhaps he has hit on the key to the polarization in past and present attempts here to discuss cookies.

Tracking cookies have been, are, and will continue to absolutely, and most certainly be, a huge "privacy issue". This is self-evident from even a glance at www.abacus-direct.com (as linked and quoted in my post above). Of course there are other Ad-Servers and other deep 'consumer' (NewSpeak for humans/citizens) dBases, along with the Googles, Amazons, Pay-Pals, MSN/Passports, various "site-meters"....

If some self-appointed guardians of membership in the "Security (Professional?) Community" wish to completely exclude the realm of hundreds of millions of users' Privacy from their bailiwick, it is important that those who may be relying on these folks understand this serious self-imposed limitation, so as to know not to place any reliance on them for anything in this area. It would be nice to have them along for this effort, but, oh well...

If they, or others feel no concern in this area, that is one thing, but to dismiss other people's very reasonable and legitimate concerns over such growing intrusions into their lives with derogatory childish epithets, which also serve to stifle discussion, is more of a reflection on themselves than they are probably willing and/or able to admit, and should be viewed for exactly what they are - cheap rhetorical discussion killers.

Once they have provided the world with this notice, they could then safely sit out any discussions related to this pesky little Privacy thing.... Dismissing such petty concerns to the non-letter-wearing masses.....

Thanks to those who have helped clear up this misunderstanding.

Discussion of Blake's three most recent questions would get this back towards his OP for those users who do find this area to be important.

Expanding on his list: when are cookies really absolutely essential on a single site, what info would be required there, and is there really no other mechanism to accomplish this?

-------------------
For the commoners, non-letters-on-sleeve wearing masses - who may be relying on a wider definition of Security than that of a strict Security Professional Community construction -

"WordNet (r) 2.0"

security n
1: the state of being free from danger or injury; "we support the armed services in the name of national security" [ant: insecurity]
2: a formal declaration that documents a fact of relevance to
finance and investment; the holder has a right to receive interest or dividends; "he held several valuable securities" [syn: certificate]
3: a department responsible for the security of the
institution's property and workers; "the head of security was a former policeman" [syn: security department]
4: measures taken as a precaution against theft or espionage , or sabotage etc.; "military security has been stepped up since the recent uprising" [syn: security measures], ...
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Mele20 See Profile:

Sigh. I am fully aware of all that you have thought necessary to "teach" me.
OK, so you actually do understand that there aren't any technical reasons to worry about banking cookies, but you do anyway? Is this like throwing spilled salt over your shoulder? Do you read your horoscope too?

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

Quick example of why tracking a session by IP address doesn't work, proxy servers. A proxy server means a couple of things, first that multiple individual clients could be connecting from the same IP address (i.e. the proxy server), and second a single client might use more than one proxy server for sequential requests and hence would have a different source IP address (AOL clients for example).

Three questions which might help the discussion and understanding of cookies.

Are cookies secure, meaning that can site1 read site2's cookies?

What kind of information can a cookie contain?

What kind of information should a cookie contain and why?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
VirtualLarry
Premium
join:2003-08-01


3 edits
said by Steve See Profile:

said by Mele20 See Profile:
As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.
Considering that many online sites use "magic cookies" as an authentication token, then they are essentially equivalent to a username/password authentication. Most people recommend never 'storing' your username/password combos in your browser for important sites (like banking), because of the risk of a potential browser exploit revealing them and allowing them to be stolen. Since "magic cookies" are logically equivalent to usernames and passwords, it would seem prudent to follow the same security precautions regarding them as well.

Considering how some recent privacy-violating browser exploits have worked, such as Download.Ject and most recently the GMail one, which did indeed work by stealing cookie-based authentication, I believe, although I didn't look at the nitty-gritty technical details, then this risk is very real. To pretend that it isn't, is being a bit disingenuous and pretentiously dismissive towards Mele20, isn't it?

said by Steve See Profile:

When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned. The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.
That whole scenario assumes that the site in question was designed with a 'clueful' approach to security. Unless you can guarantee that every site on the internet, in which you conduct "secure" transactions with, is as clueful, then it would seem prudent to follow some personal security practices to protect yourself, rather than trusting every other big company to do it for you. Personal responsibility, you see.

(Interestingly enough, I just got done reading this thread »www.blacksheepnetworks.com/secur···331.html from 2002, discussing major retailers passing customer CC and other sensitive financial data "in the clear" over WiFi. Very disturbing. It tends to discount the idea that companies are always interested in proper security, because they aren't. They're only interested in implementing IT technology as cheaply as possible, to maximize profits of course. Not all banks are interested in paying for properly-secure web-development. Indeed, look at the number that still require IE for access.)

said by Steve See Profile:

Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft"
Funny, I thought that the tech/development guys at Google were the "smartest of the smart", and yet they fell prey to a "cookie exploit". The risks are real, don't downplay or deny them, it does a disservice to security-conscious people everywhere.

Btw, I do always try to "logout" from my webmail, but there are occasions when that doesn't happen. Thankfully, webmail sessions time-out after about 10 minutes of inactivity.

There are other sites that do not operate using session cookies, but instead use permanent "magic" cookies for authentication. Verizon is one of them, and they do not "time-out". If you stole those cookies, you could intercept someone's e-mail, create a sub-account, give the username/password for the sub-account to your buddy, and they could run up huge charges on your VZ ISP account.

All because of a stolen authentication cookie.

said by Steve See Profile:

If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.
I think that perhaps it would have been better phrased as "only an idiot doesn't know that they are a risk" - because they are. If you, or your bank's site (for example) take steps to mitigate that risk, then they are less of a risk, but they are a risk. Security is all about deciding what is an acceptable level of risk... for yourself.

Also, regarding the issue of session vs. persistent cookies - I think that you fail to consider the behavior of "persistent browsers" like myself. My browser uptime is over eight days now, and I've visited countless sites. "Session" cookies to me, are just as persistent as permanent ones, effectively, because of my browsing behavior. I always manually delete my session cookies after I'm done visiting a site that uses cookies for secure authentication.

PS. In case you were curious Steve, I only stumbled upon that other thread while investigating some Kerio firewall weaknesses, which led me to your post on that list regarding "BACKSTEALTH". I've decided to re-evaluate my own approach to security, having realized that I've become far too complacent and trivializing some risks that perhaps I should not.

sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

said by Mele20 See Profile:
Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.

quote:
never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.

quote:
Are cookies secure, meaning that can site1 read site2's cookies?
As far as I know and in general, yes. Heck, I've tried. There may exist a few exploits which may allow cookies to be read by a hostile webserver, but I don't recall any off the top of my head, and they probably have a) long been patched and b) only work in IE, if they do exist. Some may rely on a previously compromised system. They're just text files, after all. Only the browser really stands in the way.

quote:
What kind of information can a cookie contain?
Anything. Whatever data the webserver wants to put in it, it can.

quote:
What kind of information should a cookie contain and why?
This is a thorny one. Personally I think cookies should only contain information pertinent to the functionality of a site, for example, "color=blue" on a site you can customize. They could also be used to skip scripts which may slow the site down. Reading "Resolution=1024x768" when a user returns could save the webserver the processing cycles it takes to run a script that determines a returning user's resolution.

That cookies are used for advertising purposes is an unfortunate side-effect of the need for advertisers to support and defray the costs of maintaining a web presence. To that end you could say that keeping cookies around, letting the advertisers track you, is in some small way supporting the usefulness of the www. The more information the advertisers have about you, the more money they can potentially make, leading to potentially buying space on more websites, thereby supporting more websites. Perhaps this is an overly optimistic view, but it's better than "evil advertisers tracking you" and certainly less worrisome.
--
TCPA - Treacherous Computing
Kerio 2.1.5 - Best damn firewall
Licenses should be per user, Ditch Norton! Get F-Prot!
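
The cookie scoping behind the "can site1 read site2's cookies" question, together with the third-party tracking and third-party blocking discussed earlier in the thread, as an added example that is not part of any post. It is a simplified model of browser behaviour: the host names are constructed, `AdNetwork` is a hypothetical server, and `site_of` approximates the registrable domain by the last two labels.

```python
def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (IP-literal hosts not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def site_of(host):
    # Simplification: treat the last two labels as the "site". Real browsers
    # use the Public Suffix List to find the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # (name, domain) -> (value, host_only)

    def cookies_for(self, host):
        """Cookies the browser would attach to a request for `host`."""
        sent = {}
        for (name, domain), (value, host_only) in self.jar.items():
            if host_only:
                ok = host.lower() == domain
            else:
                ok = domain_match(host, domain)
            if ok:
                sent[name] = value
        return sent

    def store(self, host, name, value, domain=None):
        """Apply a Set-Cookie from `host`; returns False if it is ignored."""
        if domain is None:
            key, host_only = (name, host.lower()), True
        else:
            domain = domain.lstrip(".").lower()
            if not domain_match(host, domain):
                return False  # a server cannot set cookies for another domain
            key, host_only = (name, domain), False
        self.jar[key] = (value, host_only)
        return True

    def fetch(self, host, page_host, server):
        """Request a resource on `host` embedded in a page on `page_host`."""
        blocked = self.block_third_party and site_of(host) != site_of(page_host)
        sent = {} if blocked else self.cookies_for(host)
        set_cookie = server(sent, page_host)  # page_host stands in for Referer
        if set_cookie and not blocked:
            self.store(host, *set_cookie)
        return sent


class AdNetwork:
    """Hypothetical ad server: tags each new browser, logs where its ad ran."""

    def __init__(self):
        self.history = {}  # visitor id -> pages that embedded the ad

    def __call__(self, cookies, referer_host):
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:
            uid = "v%d" % (len(self.history) + 1)
            set_cookie = ("uid", uid)
        self.history.setdefault(uid, []).append(referer_host)
        return set_cookie


def browse(block_third_party):
    """Visit three unrelated sites that all embed the same ad network."""
    browser, adnet = Browser(block_third_party), AdNetwork()
    for page in ("news.example", "shop.example", "forum.example"):
        browser.fetch("ads.adnet.example", page, adnet)
    return adnet.history


def scope_checks():
    """Which hosts receive the bank's cookies, and who may set them."""
    b = Browser()
    b.store("www.bank.example", "sid", "constructed-opaque-id")  # host-only
    b.store("www.bank.example", "lang", "en", domain="bank.example")
    return {
        "bank": b.cookies_for("www.bank.example"),
        "bank_sub": b.cookies_for("online.bank.example"),
        "adnet": b.cookies_for("ads.adnet.example"),
        "cross_set": b.store("ads.adnet.example", "sid", "x",
                             domain="bank.example"),
    }


if __name__ == "__main__":
    print(browse(False))
    print(browse(True))
    print(scope_checks())
```

With third-party cookies blocked the ad server still receives each request and the page that embedded it; it only loses the identifier that ties the three visits to one browser.
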
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: How 'bad' are spyware cookies??

said by sivran See Profile:

said by Mele20 See Profile:
Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.

quote:
never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.

Tinfoil hat is a nasty expression used on the internet by nasty people who wish to flame someone but don't want the mod to make them suffer the consequences of such so they use this phrase. Anyone who is "too paranoid" is by medical definition suffering from a physical disease called paranoid schizophrenia. That is what you say I am suffering from but you are not willing to actually say it because that would be clear flaming (aside from the fact that as far as I am aware you are not a licensed medical professional capable of properly diagnosing when a person is "too paranoid").

As for always typing in the address of the bank, I don't know where you have been the last several years but even SANS and other reputable security sites recommend this because there have been exploits that could foil a user who clicked on a banking bookmark in favorites/bookmarks. Most security sites and banking sites (all of mine) warn to never place a bank's address in favorites. You must use some banks that have terrible security and don't give a hoot about the possible consequences of poor security for the individual user. Additionally, a smart user would not wish anyone who uses their computer to see what banks they use. Even if no one else uses your computer, it takes only a few seconds if you leave the room and someone else is there and your computer is on to check for this sort of information.

You should also NEVER allow your browser to save any passwords. The safest place for your passwords is locked in a safe in your home or better yet in a safety deposit box at your local bank. Or you can get programs that will allow you to encrypt them, etc on your computer but that still is less safe from physical disaster, etc. than placing them in a wall safe, etc.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: How 'bad' are spyware cookies??

said by Mele20 See Profile:

You should also NEVER allow your browser to save any passwords.
This is the kind of blanket statement that earns "tinfoil hat" epithets.

I have dozens and dozens of passwords saved in my browser, and it's been a wonderful timesaver. But, unlike those who are too freaked out about security to think clearly, I am able to decide which passwords are entirely unimportant (and saved by my browser) and which ones are too dangerous for that (which are not saved).

I sign up for all kinds of sites that require a registration - the most recent was the LA Times - and there are simply no consequences that I care about if this saved password were somehow compromised. I really, really do not care (aside from the fact that the computer itself has been well secured).

You are providing a disservice to the security community by making everything a big hairy deal: if everything is important, then nothing is. Teaching newbies that it's a vice to have a sense of perspective is not helping anybody.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: How 'bad' are spyware cookies??

I totally discount anyone who uses that phrase as it indicates they feel they are qualified physicians capable of diagnosing a very serious physical disease. So, go ahead with your ranting. You have succeeded in my finally deciding that all your comments are tainted by your obvious prejudice against those who suffer from diseases that you seem to think are legitimate targets for your derision.

You have proven yourself not worthy of any reasoned comments from me nor my time to read your rants.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA


1 edit

Re: How 'bad' are spyware cookies??

said by Mele20 See Profile:

I totally discount anyone who uses that phrase as it indicates they feel they are qualified physicians capable of diagnosing a very serious physical disease.
If you think we are diagnosing a medical illness, you're out of your mind.

This forum would be better to have less of your "advice", not more of it.

Steve

P.S. - shiny side out
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site

avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ

said by Mele20 See Profile:

Anyone who is "too paranoid" is by medical definition suffering from a physical disease called paranoid schizophrenia.
I disagree [personal flame deleted]
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS


1 edit
OK, I wasn't going to join in the discussion about 'paranoia', because it's obviously an emotional issue.

But I think the insistence on taking 'paranoid' as a literal accusation of mental illness is getting silly. The word is used, in America, in a colloquial sense.

See here for an example of someone using the word 'paranoia' thus. I'm assuming that the writer does not literally expect that someone will develop a clinical condition from seeing a sticky note about anti-virus updates. In other words, the author is aware of the colloquialism, and expects the reader to be likewise aware.

Myself, I don't much like to see clinical terms such as paranoia used in this manner, but nevertheless I can tell a colloquial use when I see one. I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium.

Edited: fix typo.

avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ

OT: Tin Foil

said by dave:

I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium.

Edited: fix typo.
No no no! Ordinary aluminium doesn't work! You need real tin!

»cgi.ebay.com/ws/eBayISAPI.dll?Vi···444&rd=1

javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA


3 edits

Re: OT: Tin Foil

said by avd706:
said by dave:


I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium.

Edited: fix typo.

No no no! Ordinary aluminium doesn't work! You need real tin!

»cgi.ebay.com/ws/eBayISAPI.dll?Vi···444&rd=1

All you ever wanted to know about the tin foil hat. Be sure to read the History Of Aluminum & Psychotronics.

The euphemism of the tin foil hat indicates someone who, while not necessarily mentally ill, is certainly someone whose pictures don't hang level on the wall.

»zapatopi.net/afdb.html
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20
VirtualLarry
Premium
join:2003-08-01

said by avd706:

No no no! Ordinary aluminium doesn't work! You need real tin!
I'm surprised that no-one has suggested Copper Hats - aren't they supposed to work much better for EM shielding? Or is everyone afraid that they might end up with green hair, like Marsha Brady did that one time... :P

Would tipping a metal spittoon over, and placing that over your head work?

PS. No wonder Oscar the Grouch lives in a metal trash can, and always closes the lid when he goes inside. He's the only sane one on Sesame Street - you know that, because everyone else is strangely... happy... like they are under some sort of alien mind-control... Hmm. Must think doubleplusgood thoughts. Yes... Smile!

sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

quote:
there have been exploits that could foil a user who clicked on a banking bookmark in favorites/bookmarks.
Prove it. Short of a pre-existing infection, what is there to make it dangerous? Find me a vuln, preferably with proof of concept, by which a pre-existing bookmark can be compromised to point to a phishing site. Note that I use Mozilla 1.7.3 and thus any vuln you find must affect that version. Yes, I am calling on YOU to find it. It's your allegation, you prove it.

quote:
You must use some banks that have terrible security and don't give a hoot about the possible consequences of poor security for the individual user.
My bank's security is fine, thank you.

Also, silly me, in my previous post the recent GMail vuln had completely slipped my mind. Perhaps because it couldn't affect me. It's also been fixed, according to SecurityFocus.
--
TCPA - Treacherous Computing
Kerio 2.1.5 - Best damn firewall
Licenses should be per user, Ditch Norton! Get F-Prot!

BrettStarr
Premium
join:2003-11-07
Las Vegas, NV


1 edit
said by Mele20:


Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.
I think you misunderstand. The managed list of sites are those you will ALLOW cookies for. It doesn't mean I keep them. You most certainly can delete them at any time, but must always have the entry in the managed sites list to allow the site to set the cookie in the first place.
-
edit: Regardless of how you handle cookies, you should at least block THIRD PARTY cookies. Those are the "bad" spyware, tracking cookies 95% of the time (Doubleclick, etc).

Jason Levine
Premium
join:2001-07-13
USA

said by Bobby_Peru:

the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
How would "Adcompany" know, via cookies, that the person at IP address 123.45.67.89 who loaded their banner ad from SomeCompany.com at a specific time is really Jason Levine and that I live at 123 Someroad Lane? (Not my real address obviously.)

Sure, they *might* be able to have a marketing deal with a company that I've given my personal information to, but this is hardly a cookie issue. If they can ID me every time I load up an ad banner of theirs, why even bother with cookies?

I do agree though that you should refuse any unneeded cookies. Not so much as a security issue, but because I think that sites overuse cookies. I have my browser configured to block 3rd party cookies, and prompt me on 1st party ones. (Session cookies are always allowed.)

If a site tries to load a cookie, I decide whether to allow it or not. Most times I block it. If the site is persistent in trying to put a cookie on my computer then they get Always Block status. (I've seen sites that require a cookie read/write to load up each image on the page!)
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/
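
The cookie policy described in the post above (block third-party cookies, prompt on persistent first-party ones, always allow session cookies, plus an Always Block list), sketched as an added example that is not part of any post in this thread. The function names, the `.example` hosts and the two-label site comparison are assumptions made for illustration.

```javascript
// Added example: names and sample data are constructed for illustration.

// Simplification (assumption): treat the last two DNS labels as the "site".
// Real browsers use the Public Suffix List, so suffixes like "co.uk" need more care.
function site(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide what to do with a cookie that `responseHost` tries to set
// while the user is viewing a page on `pageHost`.
function decide(pageHost, responseHost, header, alwaysBlock = new Set()) {
  const c = parseSetCookie(header);
  // A cookie with no Expires and no Max-Age lives only for the browser session.
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  if (alwaysBlock.has(site(responseHost))) return "block";   // user's block list
  if (site(responseHost) !== site(pageHost)) return "block"; // third party
  return persistent ? "prompt" : "allow";                    // first party
}

// Constructed sample traffic: [page host, responding host, Set-Cookie value].
const SAMPLE = [
  ["www.bank.example", "www.bank.example", "SID=abc123; Path=/; Secure; HttpOnly"],
  ["www.bank.example", "ads.adcompany.example",
   "uid=77; Domain=.adcompany.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
  ["news.example", "www.news.example", "prefs=dark; Max-Age=31536000"],
  ["www.pushy.example", "img.pushy.example", "hit=1"],
];

function review(events, alwaysBlock) {
  return events.map(([page, resp, hdr]) => decide(page, resp, hdr, alwaysBlock));
}

console.log(review(SAMPLE, new Set(["pushy.example"])));
```

The second sample row is the cross-site case: the ad host differs from the page's site, so its persistent identifier is refused no matter which page embeds the banner.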
Bobby_Peru
Premium
join:2003-06-16


2 edits

Re: How 'bad' are spyware cookies??

Jason, if you, or anyone, has any doubts about the "possibility" of alliances between cross-site online Ad/Cookie servers, like DoubleClick, and terrestrial targeted marketing firms with deep transactional (and more) data, like ABACUS, you might want to consider that DoubleClick bought ABACUS some years ago.

While it is much more than a cookie issue, cookies are one place one can easily (no cost) exercise control to impede this.

»www.abacus-direct.com/corporate_profile.asp

»www.abacus-direct.com/doubleclic···tion.asp
said by ABACUS:

THE DOUBLECLICK CONNECTION

The Abacus-DoubleClick combination is more than dynamic and offers you solutions you can't find anywhere else. The Abacus-DoubleClick connection allows you to accurately identify and target your audience whether it is consumer or business to business. You can reach your customers through a multiple of channels including direct mail, Internet, e-mail, or wireless communications.

With the Abacus-DoubleClick connection you can identify where your customers and prospects are buying: web, catalog, retail or phone. This powerful pooled combination of information and technology will enable you to improve client profitability and increase your market share.
»www.abacus-direct.com/products/p···ucts.asp

said by ABACUS:

ABACUS, a division of DoubleClick Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and extensive media reach, we target the customers most likely to buy your products or services.

The Abacus Alliance database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from catalog, retail, business-to-business, e-commerce, and publishing markets. We span multiple channels so you can integrate the most broadly based yet highly targeted campaigns for customer acquisition or retention.
It's pretty obvious what can be done, and pretty obvious what they brag about doing. If it doesn't matter to a user, so be it (even though such acceptance ultimately 'trickles-down' to even greater intrusive behavior against everyone), but users should be aware.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**