
Nevercookie Eats Evercookies

Posted by CmdrTaco
from the i-eat-heavy-metals dept.
wiredmikey writes "Anonymizer, Inc. has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a javascript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. The plugin extends Firefox's private browsing mode by preventing Evercookies from identifying and tracking users."

  • by Anonymusing (1450747) on Wednesday November 10, 2010 @10:10AM (#34185496)

    In development now: ForeverEverCookies, then NeverNeverCookies, then SuperCantTouchThisCookie, then ImGonnaEatYourDamnCookiesForBreakfast.

  • Vaporware (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 10, 2010 @10:10AM (#34185504)

    The company says that Nevercookie will be available as a free download later this month.

    Premature story.

    • What about Chrome? Why are its users still without a defense? Is this company policy?

      I may have to switch back to Firefox. I'm getting crushed by spam using Chrome.

      • by bberens (965711)
        I'm honestly curious what you mean by this. What kind of spam are you experiencing? I pretty much only use Chrome these days and haven't noticed anything.
      • by eln (21727) on Wednesday November 10, 2010 @11:28AM (#34186268) Homepage
        Chrome is made by Google, which is essentially a data mining company. Why would you expect them to have any desire to help their users eliminate these sorts of tracking cookies?
        • by vux984 (928602)

          Why would google need a tracking cookie? They've already got you using their browser. They could just hardwire any tracking they want directly into the browser.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        Well, depends on what you mean by 'defense'.

        Private browsing has issues (see: http://blogs.pcmag.com/securitywatch/2010/08/university_study_finds_problem.php), so evercookie isn't really needed to track non-geeks.

        Personally I skip the whole thing and run an instance of my browser of choice (chrome) in a chroot-jailed sandbox when I need private browsing. After I finish browsing I wipe the sandbox clean and that is that. The only thing I really use incognito mode for is when I need to be logged in on two

    • by Anonymous Coward
      Well, Slashdot is usually about 1-6 months late reporting anything, so no doubt this was released quite a while ago.
    • wait wait, vaporware.. never.. associations coming in.. DukeNukemForNever!!!
  • Well... (Score:3, Funny)

    by Anonymous Coward on Wednesday November 10, 2010 @10:13AM (#34185516)

    As an Anonymous Coward, I'm really getting a kick out of this plugin.

  • by Amorymeltzer (1213818) on Wednesday November 10, 2010 @10:13AM (#34185520)

    I look forward to reading this exact same story, except with details, in less than a month.

  • virtual machines (Score:2, Interesting)

    by Anonymous Coward

    I do almost everything in VMs since it keeps my computer cleaner. My web browsing VM starts from scratch each time I load it (with a random MAC address inside the VM). Only the bookmarks get exported and imported. Evercookie doesn't stand a chance with me.

    To further improve the situation, I have privoxy chained to squid. My iptables rules don't allow the user that runs the VMs to connect to the internet at all, not even dns. Only a connection to the local privoxy proxy which strips all ads and other annoyin

    • by Whalou (721698)
      Nice setup. I think it would be a curious experience to take a look at your pron collection... :)
    • Re: (Score:2, Interesting)

      by leuk_he (194174)

      You are unique Just like everyone else [eff.org]

      please tell me how unique you are there... (me: one in 627,021 browsers have the same fingerprint as yours.)

      Since you have a special setup I wonder if you can really hide in the crowd.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Within our dataset of several million visitors, only one in 418,016 browsers have the same fingerprint as yours.

        Currently, we estimate that your browser has a fingerprint that conveys 18.67 bits of identifying information.

        Although it is clearly wrong. It says I don't have javascript or cookies enabled. I do. I am also running chrome in an XP VM.

        Funny thing about chrome is that Google will never allow ad blockers, but they allow http proxies. All of my ad blocking is done at that level since it applies to al

        • Re:virtual machines (Score:4, Interesting)

          by Amorymeltzer (1213818) on Wednesday November 10, 2010 @10:53AM (#34185874)

          That page has got to be faulty. Go to the main link, http://panopticlick.eff.org/ [eff.org] - the results are staggeringly different. That tells me I'm unique out of everyone (>1.2 million) whereas the link given in GP says I'm 1 out of around 85k.

          • Re: (Score:1, Interesting)

            by Anonymous Coward

            I am the original poster. It says I am unique, but clearly the script has a bug in it. For example it says that my user agent of "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7" is 1 in 14093.54. Very unlikely.

            Also I am using stock chrome in stock XP SP3, yet my plugins are 1 in 418108.33 and my fonts are 1 in 553.54. Both are very unlikely. Remember that this is not a worn in XP install. It is virgin (up to date) XP SP3 with chrome insta

            • Re: (Score:1, Interesting)

              by Anonymous Coward

              I started the VM off from scratch and went back and now I am one in 2327.42 for the (same) user agent. 1 in 139386.78 for the (same) plugins, and 1 in 553.37 for the (same) fonts. Only the fonts number is similar to last time, yet the entire situation is the same. Same fonts, plugins, and user agent. I call shenanigans.

        • by stg (43177) on Wednesday November 10, 2010 @10:58AM (#34185934) Homepage

          How does Google disallow Ad Blockers? I've been using AdBlock on Chrome for several months now... (before that I just used a filtering proxy)

          I think it's been available since January.

        • Within our dataset of several million visitors, only one in 418,016 browsers have the same fingerprint as yours.

          Using Opera 10.63 in FreeBSD 8.1, cookies and JS for whitelisted sites only plus using privoxy I get:
          Your browser fingerprint appears to be unique among the 1,254,192 tested so far.

          • by beelsebob (529313)

            The test is a lie, refreshing it again tells me I'm still unique.

            • by WoOS (28173)

              Well, switch all your cookies and javascript off and it changes.
              The second time *I* was told there was only one other browser with same fingerprint.

              I guess with cookies/supercookies it simply stores you have been there before in your browser.

      • "Your browser fingerprint appears to be unique among the 1,254,152 tested so far." Geh, that's not especially promising...
      • by lxs (131946)

        I'm a unique and beautiful snowflake apparently. That's what I get for running Opera on Win2K.

      • by GNious (953874)

        I ran this with
        1) Firefox, OSX 10.6
        2) Lynx, Ubuntu Server 10.4

        Except User Agent and ACCEPT headers, they come up with identical stats ....

        Meanwhile, the Lynx is more unique than the Firefox ...

      • Mine says:

        "Within our dataset of several million visitors, only one in 48,245 browsers have the same fingerprint as yours."

        Vanilla XP install, FF, Noscript, etc. Better than I would have thought. Hmmm.

        Lol. I switched to IE8 (default config) and got:

        "Your browser fingerprint appears to be unique among the 1,254,460 tested so far."

        Open Source bias?

      • Re: (Score:2, Insightful)

        Isn't it better to be more common than to be more unique? Setting the USER-AGENT to something randomly generated will make you unique, but isn't it better to "blend in" than to "stand out"?
        • Re: (Score:2, Insightful)

          by mobets (101759)

          I think being unique would be fine as long as you are differently unique every time.
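The Panopticlick numbers quoted in the posts above ("one in 418,016 browsers", "18.67 bits of identifying information", "unique among the 1,254,192 tested") are all the same calculation viewed from different angles: the bits of identifying information in a fingerprint are the surprisal, -log2(p), of how often that fingerprint occurs. The script below is an added example (it is not EFF's code, and the figures are simply the values quoted in this thread, re-used as constructed test data) that reproduces those figures and shows why summing per-attribute bits overcounts: user agent, plugins and fonts are correlated, so their surprisals do not add, and a dataset of N visitors can never attribute more than log2(N) bits to a single browser. It also computes how many bits are needed to single out one person among a constructed population of seven billion, which is the threshold that makes "unique" fingerprints a tracking problem.

```python
import math
from typing import Dict

# Figures quoted in the comments above, used here as constructed sample data.
DATASET_SIZE = 1_254_192          # "unique among the 1,254,192 tested so far"
OVERALL_ONE_IN = 418_016          # "only one in 418,016 browsers have the same fingerprint"
ATTRIBUTE_ONE_IN: Dict[str, float] = {   # per-attribute figures from one poster
    "user_agent": 14093.54,
    "plugins": 418108.33,
    "fonts": 553.54,
}
WORLD_POPULATION = 7_000_000_000  # constructed round figure for the era of the thread


def surprisal_bits(one_in: float) -> float:
    """Identifying information, in bits, of a value seen once in `one_in` browsers.

    This is the Panopticlick-style measure: -log2(p) with p = 1 / one_in.
    A value shared by every browser (one in 1) carries 0 bits.
    """
    if one_in < 1:
        raise ValueError("frequency must be at least 1 in 1")
    return math.log2(one_in)


def unique_fingerprint_bits(dataset_size: int) -> float:
    """Upper bound on what a dataset of N visitors can say about a fingerprint
    seen only once: log2(N) bits. 'Unique' does not mean infinitely identifying;
    it means the dataset is too small to say how rare the fingerprint really is."""
    return math.log2(dataset_size)


def independent_sum_bits(attrs: Dict[str, float]) -> float:
    """Sum of per-attribute surprisals, i.e. the information the attributes would
    carry if they were statistically independent. Fonts follow the OS and
    plugins follow the browser, so in practice this is only an upper bound."""
    return sum(surprisal_bits(v) for v in attrs.values())


def bits_to_single_out(population: int) -> float:
    """Bits needed so that every member of `population` can have a distinct
    fingerprint: log2(population)."""
    return math.log2(population)


def overcounts(attrs: Dict[str, float], dataset_size: int) -> bool:
    """True when the naive independent sum exceeds what the dataset can support,
    which signals correlated attributes rather than a more identifying browser."""
    return independent_sum_bits(attrs) > unique_fingerprint_bits(dataset_size)


if __name__ == "__main__":
    print(f"1 in {OVERALL_ONE_IN:,} -> {surprisal_bits(OVERALL_ONE_IN):.2f} bits")
    print(f"unique among {DATASET_SIZE:,} -> at most {unique_fingerprint_bits(DATASET_SIZE):.2f} bits")
    for name, one_in in ATTRIBUTE_ONE_IN.items():
        print(f"  {name:<11} 1 in {one_in:>10,.2f} -> {surprisal_bits(one_in):.2f} bits")
    print(f"naive sum of attributes: {independent_sum_bits(ATTRIBUTE_ONE_IN):.2f} bits "
          f"(overcounts: {overcounts(ATTRIBUTE_ONE_IN, DATASET_SIZE)})")
    print(f"bits to single out one of {WORLD_POPULATION:,} people: "
          f"{bits_to_single_out(WORLD_POPULATION):.2f}")
```

Two things fall out of running it. First, the poster's 18.67 bits is exactly log2(418,016), so the two phrasings are one measurement. Second, the per-attribute figures sum to over 40 bits, more than the 20.26 bits a 1.25-million-browser dataset can possibly attribute to anyone, which is why a "unique" result from a small test population should be read as "not yet seen" rather than as a precise rarity, and why the posters who got different numbers on repeat visits were partly watching the dataset itself change under them.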

    • I've been thinking about doing something similar in my dorm room, just haven't had the time between random internet surfing and classes. Hadn't looked into privoxy before. :)

      Mind if I ask what OS you're using for your web browsing VM?

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Chrome in XP for random nonsense like Slashdot. Firefox with noscript in a linux VM for gmail and banking etc.

        The host OS is linux of course since I am using iptables to control the VM network activity. I am using qemu with the user mode networking option. With KVM acceleration it is amazing. Near native speeds.

        I'm also going to reply to the person who posted below you right now so I don't need to get a new IP address again. Why bother with a live cd? That is not convenient at all. I am not a political pris

    • So, what's the OS & hardware setup? And how long does it take for you to start your VM + Browser?
    • Re:virtual machines (Score:5, Interesting)

      by couchslug (175151) on Wednesday November 10, 2010 @12:11PM (#34186744)

      I just use Linux for most of my surfing, but light VMs are very easy to set up and worth doing for the education.

      I like Portable VirtualBox for Windows use because I can make a self-extracting .rar of the complete program with VMs for backup:

      http://www.dedoimedo.com/computers/portable-virtualbox.html [dedoimedo.com]

      Grab a light Linux distro like DSL (small download, speedy performance), and install to VM from the .iso:

      http://www.damnsmalllinux.org/ [damnsmalllinux.org]

      You can then play with MANY operating systems, and if they screw up, delete their VM. If you have bigger problems, reload by extracting the backup. :)

    • by gozar (39392)

      I wonder how well that does against https://panopticlick.eff.org/ [eff.org] ...

    • by golf2 (1938140)
      I'm all for a sensible amount of anonymity - what are you up to that requires such a setup?!
  • One hopes... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Wednesday November 10, 2010 @10:24AM (#34185600) Journal
    I hope that this "Nevercookie" addresses the issues raised by "Evercookie" in a systematic way, rather than just defeating Evercookie point-by-point.

    Evercookie's creator explicitly noted that his work was a simple proof of concept, cooked up fairly quickly, as a way of raising the issue of covert persistent data storage on the web. He further noted that people who actually do evil for a living are probably at least as creative as he is, and have a whole lot more time to work on the problem. Simply defeating Evercookie, as released, will probably save you from a few of whatever the analytics world's equivalent of a script-kiddie is; but will do next to nothing against the issues that Evercookie was designed merely to demonstrate...
    • Like most common cold "remedies" it's a treatment for the symptom, not the disease.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      https://panopticlick.eff.org/ still would need to be addressed.

    • Re: (Score:2, Informative)

      by gabbott (1938128)
      Check out how it works here: http://www.anonymizer.com/learningcenter/#lc_labs [anonymizer.com] I used nevercookie as sort of a fitness test, but it wasn't designed to only defeat evercookie, it was designed to address the larger problem of tracking via all kinds of local storage mechanisms.
  • Please, just one cookie, I promise I'll go away!

  • From the end of the article, "Specifically, Nevercookie prevents abuse to both the Adobe Flash Local Storage Object (LSO) and Microsoft's Silverlight Isolated Storage (MIS)."

    Doesn't BetterPrivacy [mozilla.org] already eliminate LSOs and other stored data?

    I don't have Silverlight so I don't know if it eliminates that data but unless these "Evercookies" are somehow different than "Supercookies" you can eliminate this issue right now.

  • Was not XSS, but based on insecure session ID generation. http://samy.pl/phpwn [samy.pl]

  • hey guys (Score:5, Informative)

    by gabbott (1938128) on Wednesday November 10, 2010 @02:21PM (#34188440)
    My name is Geoff and I created "nevercookie". I'm a researcher at Anonymizer. I can assure you all that it is not vaporware, it works and has been pretty thoroughly tested, it's just that marketing wants to brand it and make it all slick before we release it to the general public (which should be in a week or two). I've sent out a few beta versions for friends in the security field to test out, and I might be able to send out a few more if anyone is interested in field testing it early (I'll ask my boss). To address concerns about how it works, it's pretty simple actually. When private browsing mode in firefox is initiated, the external data storage of Flash and Silverlight is quarantined (this is done because the browser normally can't touch these things because they are browser-independent, this is the most obvious place that an evercookie can respawn from (unless you clean it manually)). Then a clean, temporary user profile is spawned for the current browsing session, eliminating any lingering cached data. There's actually a decent explanation here: http://www.anonymizer.com/learningcenter/#lc_labs [anonymizer.com]
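The respawning behaviour that fuzzyfuzzyfungus worries about above, and the two-step countermeasure Geoff describes (quarantine the browser-independent Flash and Silverlight stores, then start from a clean temporary profile), can be modelled in a few lines. The example below is added here and is not Evercookie's or Nevercookie's code; the store names and the identifiers are illustrative. It separates storage owned by a browser profile from storage that lives outside any profile, simulates a tracker that copies whatever identifier it finds back into every store on each visit, and then compares a point-by-point cleanup (clear cookies, even open a brand-new profile) with the systematic one. The point it makes is the one in the thread: as long as any single store outside the browser's control survives, the identifier comes back.

```python
from typing import Dict, Optional, Tuple

# Illustrative store names. The first group is owned by one browser profile; the
# second is browser-independent (Flash LSO, Silverlight Isolated Storage) and is
# shared by every profile on the machine, which is why a fresh profile alone is
# not enough.
PROFILE_STORES = ("http_cookie", "local_storage", "cache_etag")
EXTERNAL_STORES = ("flash_lso", "silverlight_isolated")


class Machine:
    """Storage that outlives any single browser profile."""

    def __init__(self) -> None:
        self.external: Dict[str, Optional[str]] = {s: None for s in EXTERNAL_STORES}


class Profile:
    """Storage that a browser profile owns and can wipe itself."""

    def __init__(self) -> None:
        self.stores: Dict[str, Optional[str]] = {s: None for s in PROFILE_STORES}


def tracker_visit(machine: Machine, profile: Profile, new_id: str) -> str:
    """What a respawning tracker does on each page load: reuse any identifier
    still present in any store, otherwise mint `new_id`; then write it everywhere."""
    candidates = [v for v in (*profile.stores.values(), *machine.external.values()) if v]
    ident = candidates[0] if candidates else new_id
    for s in PROFILE_STORES:
        profile.stores[s] = ident
    for s in EXTERNAL_STORES:
        machine.external[s] = ident
    return ident


def clear_cookies(profile: Profile) -> None:
    """The usual 'clear cookies' button: touches one profile store only."""
    profile.stores["http_cookie"] = None


def quarantine_external(machine: Machine) -> None:
    """Set the browser-independent stores aside so the session cannot read them."""
    for s in EXTERNAL_STORES:
        machine.external[s] = None


def surviving_stores(machine: Machine, profile: Profile) -> Tuple[str, ...]:
    """Which stores still hold an identifier; useful for checking a cleanup."""
    held = [s for s, v in profile.stores.items() if v]
    held += [s for s, v in machine.external.items() if v]
    return tuple(held)


def scenario_point_by_point() -> Tuple[str, str, str]:
    """Clear cookies, then even start a brand-new profile, but leave the
    external stores alone. The identifier respawns every time."""
    machine, profile = Machine(), Profile()
    first = tracker_visit(machine, profile, "id-0001")
    clear_cookies(profile)
    after_cookie_clear = tracker_visit(machine, profile, "id-0002")
    profile = Profile()  # new profile, external storage untouched
    after_fresh_profile = tracker_visit(machine, profile, "id-0003")
    return first, after_cookie_clear, after_fresh_profile


def scenario_systematic() -> Tuple[str, str]:
    """Quarantine the external stores and start a clean temporary profile, the
    sequence described for Nevercookie's private browsing mode above."""
    machine, profile = Machine(), Profile()
    first = tracker_visit(machine, profile, "id-0001")
    quarantine_external(machine)
    profile = Profile()
    assert surviving_stores(machine, profile) == ()
    after_private = tracker_visit(machine, profile, "id-0002")
    return first, after_private


if __name__ == "__main__":
    print("point-by-point:", scenario_point_by_point())
    print("systematic:    ", scenario_systematic())
```

Running it prints `('id-0001', 'id-0001', 'id-0001')` for the point-by-point cleanup and `('id-0001', 'id-0002')` for the systematic one. The model deliberately knows nothing about how Evercookie encodes the identifier in any particular store; it only needs the property that every store is written on every visit, which is what makes clearing stores one at a time futile and makes `surviving_stores` the check worth running before trusting a cleanup.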
  • Who are the web sites that use these cookies? Why do they remain unnamed? I think that knowledge is just as important as making blocking software.
  • I don't have this problem because I use Adblock Plus!
