From: Geoff Berrow on 2 Feb 2010 04:18

On Mon, 1 Feb 2010 19:44:25 +0000, real-address-in-sig(a)flur.bltigibbet.invalid (Rowland McDonnell) wrote:

>Geoff Berrow <blthecat(a)ckdog.co.uk> wrote:
>
>> real-address-in-sig(a)flur.bltigibbet.invalid (Rowland McDonnell) wrote:
>>
>> >> Cookies can be very useful to the user as well as the site operator.
>> >
>> >Can be *slightly* useful to the user, not *very* useful - except for
>> >those sites where the site controller, being evil, sets things up so
>> >that you've got to have cookies on to permit them to track you more
>> >readily and gather more detailed information on you, a behaviour that I
>> >find most odious.
>>
>> Well I must declare an interest here, in that, as a web developer I'm
>> responsible for the odd cookie, though mostly nothing more than
>> session variables.
>
>Which means `usually a breach of personal privacy' - and sometimes very
>much worse than that.
>
>`Session variables' - like a username and password pair in some cases,
>for example. Hardly harmless, these session variables you mention.
>Especially when they're available between sessions and to anything that
>cares to look 'em up.

Rubbish. OK, technically I could store a username and password pair, but that would be ridiculous and unnecessary. If you send me information, I would store it in a database. If you ask me to remember you, I may store something that identifies you, or your last visit, in a cookie. And they are not 'available between sessions and to anything that cares to look 'em up'. Cookies are sent along with HTTP requests to the site that created them.

>
>> >The problem with cookies generally is that the user doesn't know and
>> >can't find out what they are for, in general, nor what information is in
>> >them, nor how that information might be used.
>>
>> Pretty easy to find out.
>
>I've never been able to figure out how, so I'm certain that you're wrong
>about that.

In Firefox you can view the cookies and their content.

>
>> >The user must trust those who put cookies on their computer - which,
>> >obviously, only the very stupid would do. The sane user doesn't trust
>> >the operators because we know that they're up to no good trying to
>> >exploit us to the max.
>>
>> Up to a point, Lord Copper.
>
>Your meaning?

There is little if any exploitation going on with cookies. If I have personal information on you that I wish to exploit, I'll store it myself, not trust it to your machine where it can be deleted at any moment.

>
>> >So we have methods of dealing with cookies - i.e., not letting them
>> >persist beyond browser sessions.
>>
>> Suits me. :)
>
>But since the average user has no idea these Flash cookies exist, it's
>not possible for the typical user to even contemplate doing anything
>about 'em.

Flash cookies? When did we start talking about Flash?

>
>I'd spotted that Flash stores persistent data somewhere, and I've been
>meaning to track the place down for some time. Now I know, and I'm
>hopping mad at what's been going on behind my back.

I'd suggest you vent your anger someplace where it really matters.

>
>> >> Some cookies are simply stored in memory and disappear when the
>> >> browser is closed. It's wrong to treat them all as works of the
>> >> devil.
>> >
>> >It's a big mistake to assume attitudes like that, because you end up
>> >having a totally wrong view of the world.
>> >
>> >The point is that cookie-like entities *are* the work of the devil when
>> >they're totally out of the user's control, totally out of sight of the
>> >user, and are *NOT* removed when the browser is closed.
>>
>> Well there /are/ constructive uses of a persistent cookie, usually for
>> storing user preferences. Mostly, deleting them will result in a loss
>> of functionality. You takes your choice.
>
>The point is that we have no /informed/ choice, meaning that we have no
>real choice at all.

Well, several here have been trying to inform you, but you have it in your head that cookies are evil and so there is no hope really, is there?

>
>The only sane user response is to deny all Websites the ability to store
>cookies at all, unless doing so renders it unusable - and in such cases,
>cookies must be deleted after each session.
>
>Nothing else is sane - the cookie-planters and -users cannot be trusted,
>because we don't know who they are or what they are doing.

Here's what you do, right. See that Internet cable? Yank it right out. It's the only sane thing to do.

>
>> >And I had 255 of the bloody things!
>>
>> So what? They are tiny and are extremely unlikely to have been doing
>> any harm.
>
>So you claim - but how could I confirm that they are in fact all utterly
>benign, not breaching my privacy in any way I object to, and will all of
>them always prove to be so at absolutely all times in the future?
>
>I know *nothing* about what's in them - your judgement that it's
>`extremely unlikely' that they're harmful is meaningless and useless.
>The risk exists, no data on the degree of risk exists, they are a
>totally unknown quantity.
>
>That's `So what'.

Yank the cable out and close your account. Think of the money you'll save.

<snip>

I can't be bothered any more.

--
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker
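The two mechanisms argued over above, that a cookie goes back only to the site that set it, and that a cookie without an expiry lives in memory and is dropped when the browser closes, can be checked with Python's standard cookie jar. This is an added example, not code from the thread; the two hosts, cookie names and values are constructed for the demonstration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample data: hypothetical origins and cookies, not from any real site.
SHOP = "https://shop.example/"
OTHER = "https://other.example/"
SHOP_SET_COOKIES = [
    "PHPSESSID=a1b2c3; Path=/",                                          # no Expires: session only
    "prefs=theme%3Ddark; Expires=Fri, 01 Feb 2030 00:00:00 GMT; Path=/",  # persistent, written to disk
]
OTHER_SET_COOKIES = ["track=7f3e; Path=/"]


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message whose get_all('Set-Cookie') yields the headers."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def store(jar, url, set_cookie_headers):
    """Record cookies as if `url` had answered with these Set-Cookie headers."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the same host/path scoping a browser does
    header = req.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def session_and_persistent(jar):
    """Split stored cookie names into in-memory (no Expires) and on-disk ones."""
    session = sorted(c.name for c in jar if c.discard)
    persistent = sorted(c.name for c in jar if not c.discard)
    return session, persistent


def demo():
    jar = CookieJar()
    store(jar, SHOP, SHOP_SET_COOKIES)
    store(jar, OTHER, OTHER_SET_COOKIES)
    before = {"shop": cookies_sent_to(jar, SHOP + "cart"),
              "other": cookies_sent_to(jar, OTHER),
              "split": session_and_persistent(jar)}
    jar.clear_session_cookies()  # what closing the browser does to session cookies
    return before, cookies_sent_to(jar, SHOP + "cart")


if __name__ == "__main__":
    print(demo())
```

The `track` cookie set by other.example is never offered to shop.example, and after the simulated browser close only the cookie with an Expires date survives.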
From: Pd on 2 Feb 2010 05:08

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Even if you tell people they're totally insecure and their privacy is at
> risk, most people are too preoccupied with other priorities to spend any
> time looking into what they'd need to understand to know what they'd
> need to understand. Life's too short. Indeed some people prefer to
> believe they're using a secure computing platform (eg. Apple) because to
> entertain the possibility that it might not be secure is inconceivable
> to their puny minds.

Damn straight. *I* don't want to have to be a computer security expert. I'm not as clever as those bright young hackers in their basement flat in Dnepropetrovsk, wheedling their way into my Facebook profile. I want the brilliant champions of the capitalist market driving to work in their Porsches to figure out how I can get my mail, browse a few websites, ogle some naked ladies, watch a movie, download the latest knitting pattern, all without having my bank account cleaned out by the black hats. It's not my job to be a security expert - that's the computer people's job.

In short, I *like* the way the iPad/iPhone is locked down so that Apple has control, and hopefully doesn't let the bad guys screw me over. And yes, they should apply the same effort to making sure my iMac is secure from attack, cos I don't have the time, knowledge or skill to do it myself with my puny mind.

--
Pd
From: Geoff Berrow on 2 Feb 2010 05:12

On Tue, 2 Feb 2010 10:08:20 +0000, peterd.news(a)gmail.invalid (Pd) wrote:

>In short, I *like* the way the iPad/iPhone is locked down so that Apple
>has control, and hopefully doesn't let the bad guys screw me over.
>And yes, they should apply the same effort to making sure my iMac is
>secure from attack, cos I don't have the time, knowledge or skill to do
>it myself with my puny mind.

I must admit, I would have been very wary about installing (and configuring) the NatWest app had it not come from the appstore.

--
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker
From: Jack Campin - bogus address on 2 Feb 2010 07:01

>>>> The problem with cookies generally is that the user doesn't know and
>>>> can't find out what they are for, in general, nor what information is in
>>>> them, nor how that information might be used.
>>> Pretty easy to find out.
>> I've never been able to figure out how, so I'm certain that you're
>> wrong about that.
> In Firefox you can view the cookies and their content.

The content is usually a string of gibberish and there is no publicly documented way to find out what it means. The commonest kinds of cookie I see are called "_utma" and "_utmz". Lots of sites leave them, so I presume they are usually in some standard format, but I've never seen it described even for this simple case. And there's nothing to stop a site from using those filenames to store whatever it wanted.

(I have cookies enabled for sites I have reason to trust, and I draw that boundary quite widely - I'm not messianic about this.)

>>>> So we have methods of dealing with cookies - i.e., not letting them
>>>> persist beyond browser sessions.
>>> Suits me. :)
>> But since the average user has no idea these Flash cookies exist, it's
>> not possible for the typical user to even contemplate doing anything
>> about 'em.
> Flash cookies? When did we start talking about Flash?

Flash cookies are not subject to management by the browser - they will always persist indefinitely. And since they're stored somewhere rather obscure, they provide a much better trace of what the user has been looking at than the browser's own caches.

I've no idea what sort of data Flash cookies encode, anybody know? I'd bet a police forensics team could call on somebody who does.

-----------------------------------------------------------------------------
e m a i l : j a c k @ c a m p i n . m e . u k
Jack Campin, 11 Third Street, Newtongrange, Midlothian EH22 4PU, Scotland
mobile 07800 739 557 <http://www.campin.me.uk> Twitter: JackCampin
From: James Taylor on 2 Feb 2010 07:19
Pd wrote:
> James Taylor wrote:
>
>> Even if you tell people they're totally insecure and their privacy is at
>> risk, most people are too preoccupied with other priorities to spend any
>> time looking into what they'd need to understand to know what they'd
>> need to understand. Life's too short. Indeed some people prefer to
>> believe they're using a secure computing platform (eg. Apple) because to
>> entertain the possibility that it might not be secure is inconceivable
>> to their puny minds.
>
> Damn straight. *I* don't want to have to be a computer security expert.
[...]
> It's not my job to be a security expert - that's the computer
> people's job.

I totally understand that and would support anyone in claiming the right to use their computers constructively without having to worry about security. Even as a security specialist, or perhaps *especially* as a security specialist, I see the security arms race as a never ending struggle and waste of productivity for all concerned. Sadly, this is the world we live in and while there is money in it there will always be bad guys out to exploit the unwary and unprepared. It's human nature.

> I want the brilliant champions of the capitalist market driving to
> work in their Porsches to figure out how I can get my mail, browse a
> few websites, ogle some naked ladies, watch a movie, download the
> latest knitting pattern, all without having my bank account cleaned
> out by the black hats.

Then I fear you will be waiting in vain. There's plenty of money in hacking, but very little in selling security and privacy because so few of the potential customers fully understand the threat, or really care about it enough to pay for it. Furthermore, no automated security defence is 100% foolproof. It is always necessary for users to be somewhat aware of the ways they can be tricked, and most people, quite rightly, have better things to do with their time.

> In short, I *like* the way the iPad/iPhone is locked down so that Apple
> has control, and hopefully doesn't let the bad guys screw me over.

If you believe that, you're being naive. Apple, of all the computer system producers, is the least proactive about security. Don't think that just because a product such as the iPhone or iPad is restrictive from a user's point of view that a hacker can't exploit it easily.

--
James Taylor