From: Rowland McDonnell on
James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

[snip]

> The caution I have for users who care about their privacy and hate the
> idea of being tracked, is that this is just the beginning of a long
> struggle. As more people clear their browser cookies, Flash cookies, and
> disable JavaScript, the sites whose business it is to profile you will
> get smarter. For example, it is already possible to use browser
> fingerprinting techniques to (almost) uniquely identify you even without
> any kind of cookie. There is a uniqueness test from the EFF here:
>
> <http://panopticlick.eff.org/about.php>
>
> Go to the homepage and click the "Test Me" button. It would be
> interesting to see what kind of results Apple users get. I get a
> uniqueness rating of one in 256,032, but then I'm using Linux and have
> my browser fairly heavily locked down, which is unusual. It seems the
> more securely configured you are the more trackable you are, so you
> can't have both security and privacy at the same time. Damn. :-(

Me and Firefox:

"Within our dataset of several hundred thousand visitors, only one in
32,839 browsers have the same fingerprint as yours."

And that's with Javascript off.

With Javascript on:

"Your browser fingerprint appears to be unique among the 525,579 tested
so far."

Eek! So much for hiding myself...

Founts and plugins, that seems to be what's doing for me. Actually,
plugins - I've got a unique set of plugins, can you believe it? One
other logged browser instance has the same fount set as me. Only one,
eh? That'll be me with Firefox, I'll bet.

So I get the same problem with Safari - I'm unique.

Hmm. This is very - concerning.

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking
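
The effect reported in the post above (a shared fingerprint with JavaScript off, a unique one with it on), as an added example that is not part of the original thread: it computes anonymity-set size and bits of identifying information over a small constructed population. The attribute names, the sample values, and the split between what is visible with and without JavaScript are assumptions made for illustration.

```python
import math
from collections import Counter

FIELDS = ("user_agent", "http_accept", "plugins", "fonts")
NO_JS = ("user_agent", "http_accept")  # assumed visible from HTTP headers alone
WITH_JS = FIELDS                       # assumed: scripts also expose plugins and fonts

# Constructed sample population, not real measurements.
POPULATION = [
    ("Firefox/3.6 Mac", "en-GB", "flash,quicktime,java", "helvetica,times,gillsans"),
    ("Firefox/3.6 Mac", "en-GB", "flash,quicktime", "helvetica,times,gillsans"),
    ("Firefox/3.6 Mac", "en-US", "flash", "helvetica,times"),
    ("Firefox/3.6 Mac", "en-US", "flash", "helvetica,times"),
    ("Safari/4 Mac", "en-GB", "flash,quicktime", "helvetica,times"),
    ("Safari/4 Mac", "en-US", "flash,quicktime", "helvetica,times"),
    ("IE/8 Win", "en-US", "flash", "arial,times"),
    ("IE/8 Win", "en-US", "flash", "arial,times"),
]
TARGET = POPULATION[0]  # the browser being tested

def project(record, fields):
    """Keep only the attributes a site can observe."""
    return tuple(record[FIELDS.index(f)] for f in fields)

def anonymity_set(population, target, fields):
    """How many browsers share the target's values for these fields."""
    counts = Counter(project(r, fields) for r in population)
    return counts[project(target, fields)]

def surprisal_bits(population, target, fields):
    """Bits of identifying information: log2(population / anonymity set)."""
    return math.log2(len(population) / anonymity_set(population, target, fields))

def field_entropy(population, field):
    """Shannon entropy in bits of one attribute across the population."""
    n = len(population)
    counts = Counter(project(r, (field,)) for r in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

if __name__ == "__main__":
    for label, fields in (("JavaScript off", NO_JS), ("JavaScript on", WITH_JS)):
        size = anonymity_set(POPULATION, TARGET, fields)
        bits = surprisal_bits(POPULATION, TARGET, fields)
        print(f"{label}: one in {len(POPULATION) // size} browsers, {bits:.1f} bits")
    for field in FIELDS:
        print(f"{field}: {field_entropy(POPULATION, field):.2f} bits of entropy")
```

Dropping an attribute from what the site can observe can only keep the anonymity set the same or enlarge it, which is why the JavaScript-off result is the less identifying of the two.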
From: Geoff Berrow on
On Tue, 2 Feb 2010 18:56:41 +0000,
real-address-in-sig(a)flur.bltigibbet.invalid (Rowland McDonnell) wrote:

>> Do make sure you have that tinfoil the right way round, ok?
>
>AH, a plain ungarnished gratuitous insult.

What do you expect if you run around telling everyone the sky is
falling?

Be reasonable and I might take you seriously.
--
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker

From: Peter Ceresole on
James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> I'd heard there were people who didn't give a damn about being tracked,
> identified, and profiled, but I had no idea they really existed. Do you
> not accept that a certain amount of privacy is necessary for freedom of
> thought and thus required for a healthy democracy?

No. Anything is theoretically possible of course, but the risk involved
here is vanishingly small. I know that there are people who worry a lot
about this kind of thing, but I think they're wasting time.

> You don't really want
> to walk blindly into a police state (oh, that's a bad example because
> the UK is already there) into a Big Brother society do you?

That's a ridiculous statement. Have you ever been to or worked in a
genuine tyranny? If you think that Britain is now a Big Brother state,
then I can't believe that it's possible to have a rational discussion.
--
Peter

From: Rowland McDonnell on
James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Elliott Roper wrote:
>
> > James Taylor wrote:
> >
> >> There is a uniqueness test from the EFF here:
> >>
> >> <http://panopticlick.eff.org/about.php>
> >>
> >> Go to the homepage and click the "Test Me" button. It would be
> >> interesting to see what kind of results Apple users get. I get a
> >> uniqueness rating of one in 256,032, but then I'm using Linux and have
> >> my browser fairly heavily locked down, which is unusual. It seems the
> >> more securely configured you are the more trackable you are, so you
> >> can't have both security and privacy at the same time. Damn. :-(
> >
> > I think your last observation may not be quite right. I was completely
> > unique in their whole population and my machine is relatively wide
> > open. They were able to score me uniquely on plugins and again on
> > fonts.
> > If I had Javascript off, they would not have been able to see the fonts.
>
> Ah, so the fact that I had JavaScript off was to my benefit. Good.
>
> I still worry about a uniqueness of 1 in 256000 though because if, for
> example, I carried my laptop around while travelling through Burma or
> China in the belief that I'm safer checking my email that way than by
> using Internet cafe machines, then I'm probably sufficiently unique to
> be trackable as I move around the country.

Solution: set up a VM running an absolutely bog standard installation
with no extras at all - except for that which will turn off Javascript.
Then test it against <http://panopticlick.eff.org/> and fiddle until
you've found a set of common signatures.

Then set up multiple VMs, each with a user account that's `plain'.

Something like that.

But I'd assume that I were trackable if I were using the Web in China or
the UK or anywhere else that the government pries excessively into
personal privacy - unless I was using correctly set-up special privacy
software, such as TOR.

<http://www.torproject.org/>

Don't worry TOO much about the Burmese authorities - *they* don't have
the sophistication available to the UK or Chinese governments, which are
PROBABLY the worst for this sort of thing in the world (aside from maybe
the Yanks - it's a bit hard to tell for obvious reasons).

> If I were a journalist
> working to help political dissidents tell the world about atrocities
> committed by the governments of such oppressive regimes then I'd have
> good reason to be very concerned indeed, as the authorities would be
> able to pinpoint my geographical position every time I accessed the net,
> at least to the nearest Internet cafe, hotel, or wi-fi hotspot.
>
> > Still, I can always don a disguise when I have to. Muck about with
> > fonts and plugins installed and active. Simples!
>
> Unfortunately, I suspect that such tinkering would not be sufficient to
> throw them off the scent.

Multiple user accounts, radically different setups in each.

But I'd assume that I'd have to use TOR for any sort of privacy; I'd
also assume (now) that using a given Web browser in a given
configuration is pretty much uniquely identifiable in an intelligence
rather than evidence sense.

So if one is going to use TOR, one must use a separate user account with
everything set up differently so that at least they can't connect your
TOR browsing with `Who you are in real life'.

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking

From: Rowland McDonnell on
Jack Campin - bogus address <bogus(a)purr.demon.co.uk> wrote:

[snip]

> >>>> So we have methods of dealing with cookies - i.e., not letting them
> >>>> persist beyond browser sessions.
> >>> Suits me. :)
> >> But since the average user has no idea these Flash cookies exist, it's
> >> not possible for the typical user to even contemplate doing anything
> >> about 'em.
> > Flash cookies? When did we start talking about Flash?
>
> Flash cookies are not subject to management by the browser - they will
> always persist indefinitely.

That is in fact not true - they'll persist until deleted, and there is
no built-in routine mechanism provided to remove them.

But they are deletable.

The BetterPrivacy Firefox extension does the job automatically.

> And since they're stored somewhere rather
> obscure, they provide a much better trace of what the user has been
> looking at than the browser's own caches.
>
> I've no idea what sort of data Flash cookies encode, anybody know?
> I'd bet a police forensics team could call on somebody who does.

I'd bet that the /typical/ police investigation team would not know that
there's anything to find out in that direction.

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking