
VirtualLarry  Premium  join:2003-08-01
reply to avd706 | Re: OT: Tin Foil
said by avd706: No no no! Ordinary aluminium doesn't work! You need real tin!
I'm surprised that no-one has suggested Copper Hats - aren't they supposed to work much better for EM shielding? Or is everyone afraid that they might end up with green hair, like Marcia Brady did that one time... :P
Would tipping a metal spittoon over, and placing that over your head work?
PS. No wonder Oscar the Grouch lives in a metal trash can, and always closes the lid when he goes inside. He's the only sane one on Sesame Street - you know that, because everyone else is strangely... happy... like they are under some sort of alien mind-control... Hmm. Must think doubleplusgood thoughts. Yes... Smile!

javaMan  Premium,MVM  join:2002-07-15  San Luis Obispo, CA
3 edits | reply to avd706
said by avd706:
  said by dave: I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium. Edited: fix typo.
  No no no! Ordinary aluminium doesn't work! You need real tin! » cgi.ebay.com/ws/eBayISAPI.dll?Vi···444&rd=1
All you ever wanted to know about the tin foil hat. Be sure to read the History Of Aluminum & Psychotronics. The euphemism of the tin foil hat indicates someone who, while not necessarily mentally ill, is certainly someone whose pictures don't hang level on the wall. » zapatopi.net/afdb.html
-- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20

sivran  Long Live The Suite  Premium  join:2003-09-15  Arlington, TX  clubs:
·RoadRunner Cable
reply to Mele20 | Re: How 'bad' are spyware cookies??
quote: there have been exploits that could foil a user who clicked on a banking bookmark in favorites/bookmarks.
Prove it. Short of a pre-existing infection, what is there to make it dangerous? Find me a vuln, preferably with proof of concept, by which a pre-existing bookmark can be compromised to point to a phishing site. Note that I use Mozilla 1.7.3 and thus any vuln you find must affect that version. Yes, I am calling on YOU to find it. It's your allegation, you prove it.
quote: You must use some banks that have terrible security and don't give a hoot about the possible consequences of poor security for the individual user.
My bank's security is fine, thank you.
Also, silly me, in my previous post the recent GMail vuln had completely slipped my mind. Perhaps because it couldn't affect me. It's also been fixed, according to SecurityFocus.
-- TCPA - Treacherous Computing  Kerio 2.1.5 - Best damn firewall  Licenses should be per user, Ditch Norton! Get F-Prot!

avd706  insert annoying animated gif here  Premium  join:2003-02-06  Union, NJ
reply to dave | OT: Tin Foil
said by dave: I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium. Edited: fix typo.
No no no! Ordinary aluminium doesn't work! You need real tin!
» cgi.ebay.com/ws/eBayISAPI.dll?Vi···444&rd=1

dave  Premium,MVM  join:2000-05-04  not in ohio
·Verizon Online DSL
·Verizon FIOS
1 edit | reply to Mele20 Re: How 'bad' are spyware cookies??
OK, I wasn't going to join in the discussion about 'paranoia', because it's obviously an emotional issue.
But I think the insistence on taking 'paranoid' as a literal accusation of mental illness is getting silly. The word is used, in America, in a colloquial sense.
See here for an example of someone using the word 'paranoia' thus. I'm assuming that the writer does not literally expect that someone will develop a clinical condition from seeing a sticky note about anti-virus updates. In other words, the author is aware of the colloquialism, and expects the reader to be likewise aware.
Myself, I don't much like to see clinical terms such as paranoia used in this manner, but nevertheless I can tell a colloquial use when I see one. I'm still going to refer to tin-foil hats, by the way. Even if tin foil is really aluminium.
Edited: fix typo.

avd706  insert annoying animated gif here  Premium  join:2003-02-06  Union, NJ
reply to Mele20
said by Mele20: Anyone who is "too paranoid" is by medical definition suffering from a physical disease called paranoid schizophrenia.
I disagree [personal flame deleted]

Steve  I'm a PC, so shut up  Consultant  join:2001-03-10  Yorba Linda, CA
1 edit | reply to Mele20
said by Mele20: I totally discount anyone who uses that phrase as it indicates they feel they are qualified physicians capable of diagnosing a very serious physical disease.
If you think we are diagnosing a medical illness, you're out of your mind.
This forum would be better to have less of your "advice", not more of it.
Steve
P.S. - shiny side out
-- Stephen J. Friedl  Unix Wizard  Microsoft MVP  Tustin, California USA  my web site

Mele20  Premium  join:2001-06-05  Hilo, HI
reply to Steve
I totally discount anyone who uses that phrase as it indicates they feel they are qualified physicians capable of diagnosing a very serious physical disease. So, go ahead with your ranting. You have succeeded in my finally deciding that all your comments are tainted by your obvious prejudice against those who suffer from diseases that you seem to think are legitimate targets for your derision.
You have proven yourself not worthy of any reasoned comments from me nor my time to read your rants.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Steve  I'm a PC, so shut up  Consultant  join:2001-03-10  Yorba Linda, CA
reply to Mele20
said by Mele20: You should also NEVER allow your browser to save any passwords.
This is the kind of blanket statement that earns "tinfoil hat" epithets.
I have dozens and dozens of passwords saved in my browser, and it's been a wonderful timesaver. But, unlike those who are too freaked out about security to think clearly, I am able to decide which passwords are entirely unimportant (and saved by my browser) and which ones are too dangerous for that (which are not saved).
I sign up for all kinds of sites that require a registration - the most recent was the LA Times - and there are simply no consequences that I care about if this saved password were somehow compromised. I really, really do not care (aside from the fact that the computer itself has been well secured).
You are providing a disservice to the security community by making everything a big hairy deal: if everything is important, then nothing is. Teaching newbies that it's a vice to have a sense of perspective is not helping anybody.
Steve
-- Stephen J. Friedl  Unix Wizard  Microsoft MVP  Tustin, California USA  my web site

Mele20  Premium  join:2001-06-05  Hilo, HI
reply to sivran
said by sivran:
  said by Mele20: Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
  Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.
  quote: never go to your bank from a favorites link. Always type in the address.
  And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.
Tinfoil hat is a nasty expression used on the internet by nasty people who wish to flame someone but don't want the mod to make them suffer the consequences of such so they use this phrase. Anyone who is "too paranoid" is by medical definition suffering from a physical disease called paranoid schizophrenia. That is what you say I am suffering from but you are not willing to actually say it because that would be clear flaming (aside from the fact that as far as I am aware you are not a licensed medical professional capable of properly diagnosing when a person is "too paranoid").
As for always typing in the address of the bank, I don't know where you have been the last several years but even SANS and other reputable security sites recommend this because there have been exploits that could foil a user who clicked on a banking bookmark in favorites/bookmarks. Most security sites and banking sites (all of mine) warn to never place a bank's address in favorites. You must use some banks that have terrible security and don't give a hoot about the possible consequences of poor security for the individual user. Additionally, a smart user would not wish anyone who uses their computer to see what banks they use. Even if no one else uses your computer, it takes only a few seconds if you leave the room and someone else is there and your computer is on to check for this sort of information.
You should also NEVER allow your browser to save any passwords. The safest place for your passwords is locked in a safe in your home or better yet in a safety deposit box at your local bank. Or you can get programs that will allow you to encrypt them, etc on your computer but that still is less safe from physical disaster, etc. than placing them in a wall safe, etc.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

VirtualLarry  Premium  join:2003-08-01
3 edits | reply to Steve
said by Steve:
  said by Mele20: As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
  Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.
Considering that many online sites use "magic cookies" as an authentication token, then they are essentially equivalent to a username/password authentication. Most people recommend never 'storing' your username/password combos in your browser for important sites (like banking), because of the risk of a potential browser exploit revealing them and allowing them to be stolen. Since "magic cookies" are logically equivalent to usernames and passwords, it would seem prudent to follow the same security precautions regarding them as well.
Considering how some recent privacy-violating browser exploits have worked, such as Download.Ject and most recently the GMail one, which did indeed work by stealing cookie-based authentication, I believe, although I didn't look at the nitty-gritty technical details, then this risk is very real. To pretend that it isn't, is being a bit disingenuous and pretentiously dismissive towards Mele20, isn't it?
said by Steve: When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned. The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.
That whole scenario assumes that the site in question was designed with a 'clueful' approach to security. Unless you can guarantee that every site on the internet with which you conduct "secure" transactions is as clueful, then it would seem prudent to follow some personal security practices to protect yourself, rather than trusting every other big company to do it for you. Personal responsibility, you see.
(Interestingly enough, I just got done reading this thread »www.blacksheepnetworks.com/secur···331.html from 2002, discussing major retailers passing customer CC and other sensitive financial data "in the clear" over WiFi. Very disturbing. It tends to discount the idea that companies are always interested in proper security, because they aren't. They're only interested in implementing IT technology as cheaply as possible, to maximize profits of course. Not all banks are interested in paying for properly-secure web-development. Indeed, look at the number that still require IE for access.)
said by Steve: Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft"
Funny, I thought that the tech/development guys at Google were the "smartest of the smart", and yet they fell prey to a "cookie exploit". The risks are real, don't downplay or deny them, it does a disservice to security-conscious people everywhere.
Btw, I do always try to "logout" from my webmail, but there are occasions when that doesn't happen. Thankfully, webmail sessions time-out after about 10 minutes of inactivity.
There are other sites that do not operate using session cookies, but instead use permanent "magic" cookies for authentication. Verizon is one of them, and they do not "time-out". If you stole those cookies, you could intercept someone's e-mail, create a sub-account, give the username/password for the sub-account to your buddy, and they could run up huge charges on your VZ ISP account.
All because of a stolen authentication cookie.
said by Steve: If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.
I think that perhaps it would have been better phrased as "only an idiot doesn't know that they are a risk" - because they are. If you, or your bank's site (for example) take steps to mitigate that risk, then they are less of a risk, but they are a risk. Security is all about deciding what is an acceptable level of risk... for yourself.
Also, regarding the issue of session vs. persistent cookies - I think that you fail to consider the behavior of "persistent browsers" like myself. My browser uptime is over eight days now, and I've visited countless sites. "Session" cookies to me, are just as persistent as permanent ones, effectively, because of my browsing behavior. I always manually delete my session cookies after I'm done visiting a site that uses cookies for secure authentication.
PS. In case you were curious Steve, I only stumbled upon that other thread while investigating some Kerio firewall weaknesses, which led me to your post on that list regarding "BACKSTEALTH". I've decided to re-evaluate my own approach to security, having realized that I've become far too complacent and trivializing some risks that perhaps I should not.

sivran  Long Live The Suite  Premium  join:2003-09-15  Arlington, TX  clubs:
·RoadRunner Cable
reply to Mele20
said by Mele20: Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.
quote: never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.
quote: Are cookies secure, meaning that can site1 read site2's cookies?
As far as I know and in general, yes. Heck, I've tried. There may exist a few exploits which may allow cookies to be read by a hostile webserver, but I don't recall any off the top of my head, and they probably have a) long been patched and b) only work in IE, if they do exist. Some may rely on a previously compromised system. They're just text files, after all. Only the browser really stands in the way.
quote: What kind of information can a cookie contain?
Anything. Whatever data the webserver wants to put in it, it can.
quote: What kind of information should a cookie contain and why?
This is a thorny one. Personally I think cookies should only contain information pertinent to the functionality of a site, for example, "color=blue" on a site you can customize. They could also be used to skip scripts which may slow the site down. Reading "Resolution=1024x768" when a user returns could save the webserver the processing cycles it takes to run a script that determines a returning user's resolution.
That cookies are used for advertising purposes is an unfortunate side-effect of the need for advertisers to support and defray the costs of maintaining a web presence. To that end you could say that keeping cookies around, letting the advertisers track you, is in some small way supporting the usefulness of the www. The more information the advertisers have about you, the more money they can potentially make, leading to potentially buying space on more websites, thereby supporting more websites. Perhaps this is an overly optimistic view, but it's better than "evil advertisers tracking you" and certainly less worrisome.
-- TCPA - Treacherous Computing  Kerio 2.1.5 - Best damn firewall  Licenses should be per user, Ditch Norton! Get F-Prot!

Steve  I'm a PC, so shut up  Consultant  join:2001-03-10  Yorba Linda, CA
reply to Mele20
said by Mele20: Sigh. I am fully aware of all that you have thought necessary to "teach" me.
OK, so you actually do understand that there aren't any technical reasons to worry about banking cookies, but you do anyway? Is this like throwing spilled salt over your shoulder? Do you read your horoscope too?
Steve
-- Stephen J. Friedl  Unix Wizard  Microsoft MVP  Tustin, California USA  my web site

hpguru  Curb Your Dogma  Premium  join:2002-04-12
reply to Mele20
said by Mele20: ...since when is PRIVACY not a SECURITY issue??? That is the main security issue!
Privacy and security are linked only in our interests. The perceived linkage may in fact be a result of the use of multifunction security apps such as firewalls which perform other tasks including cookie and active content management. Fact is, one can have good rock solid security with no particular interest in privacy protection and it will not impact his security. The obverse isn't necessarily true. Privacy only becomes a security issue once security has already been breached. So for example ID theft is a privacy issue which began with a breach in security.
That's not to say privacy isn't a legitimate concern. It is but there is only so much one can do to protect it.
-- FOUR MORE YEARS!! - of fear.

Khaine
join:2003-03-03 Australia
reply to Mele20
said by Mele20: Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!
Well generally I lump privacy and anonymity together, and since security relies heavily on trust I tend to keep it separate.
I didn't mean to trivialise this issue. It is an important issue, and with governments pushing more and more draconian laws reducing our privacy it is becoming very important to keep our rights.

Bobby_Peru  Premium  join:2003-06-16
4 edits | reply to Khaine
said by Khaine: tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.
Not to pick on Khaine, but perhaps he has hit on the key to the polarization in past and present attempts here to discuss cookies.
Tracking cookies have been, are, and will continue to absolutely, and most certainly be, a huge "privacy issue". This is self-evident from even a glance at www.abacus-direct.com (as linked and quoted in my post above). Of course there are other Ad-Servers and other deep 'consumer' (NewSpeak for humans/citizens) dBases, along with the Googles, Amazons, Pay-Pals, MSN/Passports, various "site-meters"....
If some self-appointed guardians of membership in the "Security (Professional?) Community" wish to completely exclude the realm of hundreds of millions of user's Privacy from their bailiwick, it is important that those who may be relying on these folks understand this serious self-imposed limitation, so as to know not to place any reliance on them for anything in this area. It would be nice to have them along for this effort, but, oh well...
If they, or others feel no concern in this area, that is one thing, but to dismiss other people's very reasonable and legitimate concerns over such growing intrusions into their lives with derogatory childish epitaphs, which also serve to stifle discussion, is more of a reflection on themselves than they are probably willing and/or able to admit, and should be viewed for exactly what they are - cheap rhetorical discussion killers.
Once they have provided the world with this notice, they could then safely sit out any discussions related to this pesky little Privacy thing.... Dismissing such petty concerns to the non-letter-wearing masses.....
Thanks to those who have helped clear up this misunderstanding. 
Discussion of Blake's three most recent questions would get this back towards his OP for those users who do find this area to be important.
Expanding on his list: when are cookies really absolutely essential on a single site, what info would be required there, and is there really no other mechanism to accomplish this?
------------------- For the commoners, non-letters-on-sleeve wearing masses - who may be relying on a wider definition of Security than that of a strict Security Professional Community construction -
"WordNet (r) 2.0"
security n 1: the state of being free from danger or injury; "we support the armed services in the name of national security" [ant: insecurity] 2: a formal declaration that documents a fact of relevance to finance and investment; the holder has a right to receive interest or dividends; "he held several valuable securities" [syn: certificate] 3: a department responsible for the security of the institution's property and workers; "the head of security was a former policeman" [syn: security department] 4: measures taken as a precaution against theft or espionage, or sabotage etc.; "military security has been stepped up since the recent uprising" [syn: security measures], ...
-- **~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

Mele20  Premium  join:2001-06-05  Hilo, HI
1 edit | reply to Khaine
I end up with a bunch of banking cookies from just ONE bank after I close the browser. All my banks set permanent cookies. I don't know what bank you are using. I use major national banks. Even my two local banks set permanent cookies but they don't set as many as some of the national banks. They are almost as bad as Dell which sets about 15 cookies each time you visit. FF complains about Dell and the banks setting too many cookies both session and permanent.
Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Khaine
join:2003-03-03 Australia
reply to Mele20
said by Mele20: Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
Banking cookies are generally session only, and hence are deleted when the session ends {when you close the web browser}
tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.

Link Logger  Premium,MVM  join:2001-03-29  Calgary, AB
·Shaw
reply to Steve
Quick example of why tracking a session by IP address doesn't work: proxy servers. A proxy server means a couple of things, first that multiple individual clients could be connecting from the same IP address (ie the proxy server), and second a single client might use more than one proxy server for sequential requests and hence would have a different source IP address (AOL clients for example).
Three questions which might help the discussion and understanding of cookies.
Are cookies secure, meaning that can site1 read site2's cookies?
What kind of information can a cookie contain?
What kind of information should a cookie contain and why?
Blake
-- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

Mele20  Premium  join:2001-06-05  Hilo, HI
reply to Steve
Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
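The server-side session model Steve describes (opaque random ID in the cookie, state on the server, logout and idle timeout that a retained or intercepted cookie cannot undo), together with Link Logger's point that binding a session to the client IP breaks for users behind rotating proxies, as an added example that is not from any poster in this thread. The credential table, IP addresses and ten-minute timeout are constructed for the demo; the clock is injectable so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; the ten-minute webmail idle timeout the thread mentions

# Constructed demo credential table (sha256 for brevity; production uses a slow salted hash).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


class SessionStore:
    """Server-side session table, keyed by an opaque random session ID.

    The cookie carries only the ID. Username, timestamps and client IP live
    here, so nothing is "encoded" in the cookie and the server decides validity.
    """

    def __init__(self, clock=time.time, bind_ip=False):
        self._sessions = {}
        self._clock = clock
        self._bind_ip = bind_ip  # strict IP binding; see the proxy caveat in demo()

    def login(self, username, password, client_ip):
        """Validate credentials and create a session; return the session ID or None."""
        expected = USERS.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits, meaningless on its own
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now,
                               "last_active": now, "ip": client_ip, "expired": False}
        return sid

    def lookup(self, sid, client_ip):
        """Return the username for a live session or None; refreshes the idle timer."""
        s = self._sessions.get(sid)
        if s is None or s["expired"]:
            return None
        now = self._clock()
        if now - s["last_active"] > IDLE_TIMEOUT:
            s["expired"] = True  # idle session: mark expired, never revive
            return None
        if self._bind_ip and s["ip"] != client_ip:
            return None
        s["last_active"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate server-side so a retained or intercepted cookie stops working."""
        s = self._sessions.get(sid)
        if s is not None:
            s["expired"] = True


def demo():
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    ip = "203.0.113.10"
    results = {}
    sid = store.login("alice", "correct horse", ip)
    results["live"] = store.lookup(sid, ip)                 # "alice"
    store.logout(sid)
    results["replay_after_logout"] = store.lookup(sid, ip)  # None: same cookie, dead session
    sid2 = store.login("alice", "correct horse", ip)
    clock[0] += IDLE_TIMEOUT + 1
    results["after_idle"] = store.lookup(sid2, ip)          # None: idle timeout
    # Link Logger's caveat: a client behind rotating proxies changes source IP
    # between requests, so strict IP binding rejects a legitimate user.
    strict = SessionStore(clock=lambda: clock[0], bind_ip=True)
    sid3 = strict.login("alice", "correct horse", "198.51.100.1")
    results["proxy_rotated_ip_bound"] = strict.lookup(sid3, "198.51.100.2")   # None
    sid4 = store.login("alice", "correct horse", "198.51.100.1")
    results["proxy_rotated_ip_unbound"] = store.lookup(sid4, "198.51.100.2")  # "alice"
    return results


if __name__ == "__main__":
    print(demo())
```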