Novell CEO Attacked by Cookie Monster 228
It is a given that cookies are flawed:
- Most systems store them in a readable format on your harddrive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems then just your cookies file.
- They are sent in plaintext over the internet. But thats why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
- Cookies used to be pretty well forced on netscape users, but now most browsers give you an option. And there's always junkbusters for the more paranoid.
It is given that I need state over httpd. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.
- Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
- Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hardrive. Unless you bookmark it. Ooops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
- Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.
I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.
It's like telling people that the water that comes through your pipes has floride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?
Security and Privacy (Score:4)
Trust (Score:1)
Unless id Software, Real Networks, Novell, Netscape/AOL, or anyone else proves to me that they NEED a certain bit of information, in order to serve ME better, I'm not giving them the first initial of my first name.
They already get enough for system administration purposes: HTTP referrer, IP address, even browser type (although Konqueror allows you to change that).
Read the "Talkbalk" (Score:3)
The most telling part of the whole tale though, is the ZDNet TalkBalk. When "Larry, Internet Web Designer" can identify it as a joke, you know that even the lowest common denominator can see right through this guy.
I can't help but wonder why even ZDNet would lower their quality control to this level.
------
CC# stolen, or guessed? (Score:4)
The thing with the latter is due to the fact that most CC # checkers check the numbers, and not the expiration date. Thus, pass 10^16 numbers to one of the sites, and you're bound to get some cash. Once they have a number that works, then they're set.
Therefore, he might have been hit with this instead of true CC# stealing (It's really hard to get at cookies although there are some bugs, but require a lot of assumptions on the end user's actions). This only suggests to me that we need to make sure that CC# verification systems are more secure, and ask for the experiation date in addition to all other info. Or even better, add a PGP-like key to CC# info to make it more secure.
Re:Read the "Talkbalk" (Score:1)
I can't help but wonder why even ZDNet would lower their quality control to this level.
ZDNet has quality control? Oh, maybe that's Jesse Berst's job...
________________________
Cookies are not evil but.. (Score:1)
BTW I know CORBA is language independent but honestly it's bit complicated for the average developer. HTML was great because it was so simple to learn and effective at what it wanted to accomplish.
I dont trust my computer, but I trust Novell ! (Score:3)
I hope they implement "digitalme" soon. My cash is running out. I need a database of credit card numbers.
Manifest
Say what? (Score:1)
Are there sites that store cookies with your freshly entered credit card number in it? I can't believe it. Only thing this shows is that he lacks a fundamental grasp of what cookies are and how they work.
Latest in a long line... (Score:2)
Anyone else remember McAfee and the Michalangelo virus?
It's just one of those necessary evils. (Score:2)
Oh no! (Score:2)
Re: (Score:2)
Re:Oh no! (Score:1)
At least, that's what I'll tell my wife
Like we need another "cookies are bad" headline (Score:1)
Lots of people may see this headline, but not read far enough into the article to see it's a thinly-veiled product plug. Now all the newbies have one more reason to think cookies are some evil scam.
Grrrrrr.
-- Cara
.... (Score:2)
I'm the guy who writes those silly fortunes. =)
Credit Cards Online (Score:3)
It is NOT easy to grab a credit card number on-line. Sniffing packets, intercepting e-mails, grabbing cookies, etc. is bloody hard work. Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.
I am willing to bet $50 that Mr. Schmidt has at some point in the last 6 months handed over his credit card in a restaurant. Doing that is opening up his card number to a wider audience than using it on Amazon.com ever could.
However, it is helluva easy to use a credit card number online, once you have it. Go on, fill in a few forms, and it doesn't matter if you're a 13-year-old boy in Arseville, Tenessee -- you can use that card number from the 70-year-old woman in Alaska who wouldn't know a modem if it bit her on the arse.
Last week, I found a $60 Amazon.com charge on my card which wasn't mine. I don't blame the internet. I don't blame Amazon. I don't blame cookies, SSL, e-mail, or Elvis.
I don't even care that much. So what? I shout a bit, get my $60 back, and carry on like nothing ever happened. No big deal.
This kind of thing has been happening for years on the phone. This is nothing new, except for the sheer volume of fake transactions. But until the card companies make it easier to verify transactions on the fly (see Philip Greenspun's excellent book [photo.net] for a description of how pathetic the whole thing is), it's not going to get better any faster.
Just don't forget to burn your carbons.
rOD.
--
How Very Unfortunate (Score:1)
Quidquid latine dictum sit, altum viditur.
Oh, not again... (Score:2)
The problem of sending cookies in cleartext is harder. The solution is of course encrypted communication. For anyone with Apache this shouldn'e be too difficult (SSL should be sufficient)... except for the whole certificate problem. I'll be glad when encryption is built into the protocol.
Come to think of it, the only way this credit-card number could have actively been stolen would be if the sessions hadn't been encrypted. Does this mean that one of the "great" computer executives was actually stupid enough to give his credit card number to an insecure site? I find that hard to believe, though if he's trying to hawk his own wares I suppose it could be some kind of play.
More likely he simply fell victim to a credit card number generator (which exist all over the place) and blamed cookies since he could use that as an advertisement.
Other things worry me more (Score:1)
I'm more worried about some store clerk collecting card numbers and passing them on to someone else. That is a lot more likely to happen in the real world!
Mike Eckardt [geocities.com] meckardt@yahoo.spam.com
Big problem with cookies (Score:4)
Credit card numbers should either be kept in a back-end database, or (preferably) not at all. I'd prefer it happen the latter way. I like net commerce as a bright idea (both generic and in the IBM-branded net.commerce) and have even worked on some commercial sites, but that's part of the problem: you don't want schmoes like me safeguarding your credit card
If Novell's CEO is having problems with credit cards kept in cookies, it isn't the fault of the medium but the way it's being used. If anything, we should adopt best practise standards which keep credit card numbers secure and press business software vendors, like IBM or MS, to do the same.
Of course, I suspect that it wasn't the fault of cookies at all; it was a cracked machine or even a shopclerk who swiped his card twice. But that's just my nasty, nasty suspicion.
--
Credit Card Authentication Services (Score:1)
So here's my suggestion...
When a person is issued with a credit/debit card account, they are asked if they want to make online purchases. If they think they might want to, the bank supplies them with a small device, like a pager.
Whenever a customer wants to make a purchase, they enter their credit card details and send them off, where the mod 10 algorithm and expiration dates are checked.
If this passes the test, the bank sends a message to the pager-like device asking the user if he/she authorises the transaction. The device has at least 2 buttons, maybe 3: one for "yes", one for "no", one for "alert, someone else is trying to use my account!"
I think it would be a good idea for a bank to provide this sort of service, because then users would be much happier with their security, and less worried about the possibility of online fraud.
Re:CC# stolen, or guessed? (Score:1)
Re:Trust (Score:1)
As does lynx, the one true browser.
Banner ad that set cookie (Score:1)
What's the implication if a banner ad that send me a cookie?
As far as I can think of, using this cookie, the ad provider company will know which page I viewed their ad, can they get more info out of this?
A prediction (?) about smart cards (Score:5)
Imagine that, as a web surfer, you have a smart card that identifies you as a web surfer. Personally I am a believer that you should have to identify yourself as adult/child in order to cruise some areas of the web, but that's my personal opinion. But that's not for this thread to discuss. Add to the smart card some sort of bio sensitive way to identify yourself, maybe a thumb, maybe an iris scan. The key being that everything you need (short of the reader hardware) is stored on the card. You can take it with you to any browser (unlike cookies).
Your smart card not only identifies you, it has a profile on you. It can keep your web site preferences, but it can also keep your buying habits, etc. And your age, marital status, and so on. It's here that people scream bloody murder about privacy on the net. But here's my hopeful suggestion : that your profile will come with trust zones. If you're doing anonymous surfing, maybe all the site gets is your age -- or maybe nothing at all. For sites you want to register with long enough to read a story (like NYTimes), you let them have your name but not your profile. And so on. For trusted sites like slashdot you set up preferences. For sites where you are actually a customer of some sort, you let them have your profile (linking in yesterday's discussion about IBM's miniature vegetable commercials).
Wouldn't this be nice? My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses? Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want? Wouldn't it be nice to have a mini-profile that you could use to bootstrap your registration to new sites?
My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains. A web site couldn't just tell the card "Give me the whole profile". It would have to say "Please validate me as being a trusted site and give me whatever information I am entitled to." And then, in something of an ironic twist, *it* has to identify itself to *you*, and you get to decide what to do next.
Will this happen anytime soon? I wish. I think the reason that digital certificate authentication didn't catch on is that it was too confusing to get the certificates into the browsers, people didn't want to give up their passwords, and the certificates weren't portable. In a world where you have a smart card reader built into your keyboard, these problems seem like they might go away. Nobody thinks twice about having to flash a passport when flying internationally, and they usually only grumble a little bit about being carded at the local bar. Is it really that much of a stretch to think that there'll come a day when you take your webId card out, stick it in the slot, and then periodically answer a question about how much information you want to provide to the web site you just visitd? I don't think it's really all that bad.
I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?
d
Please dont waste time. Read this instead (Score:2)
If I am not mistaken, it talks about the security loophole [cookiecentral.com] that was created when GIF images were allowed to embed cookies in computers. This has been discussed on
Hopefully you didn't miss the point, though (Score:1)
they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and
throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.
Well, it may rub you the wrong way, but I wonder whether you are missing the most important point: there IS a technology out there that solves the problem of identifying yourself on hte 'net in a secure way, giving out only the information you want and only to those you want. It's based on NDS and it's working. Novell has baeen developing NDS for about 10 years now, it's a proven directory solution and there are many applications already that use, plug into, distribute data through or collect data through NDS. One of them is DigitalMe, and it solves the ancient mechanism of cookies. It's a flawed mechanism for many applications, and guess what? Novell has a solution that works today (Microsoft AD anyone?) and solves the problem. Is there anything wrong with that?
Stolen at a restaurant? (Score:2)
Cookies don't contain credit card info... (Score:1)
The only way a cookie could be used to steal from your credit card is if they copy the cookie to another machine and hit a site such as 'Amazon.com' when you have 'one-button' shopping enabled.
I think this whole cookie scare is total nonesense--there are easier ways to steal credit cards than trying to reverse engineer site-specific database key identifiers out of a cookie file. Such as working as a waiter for a restaurant...
CPUID / HostID (Score:1)
Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
Many boxes already have HostID numbers, but the PC world has not had this, traditionally. I have not heard any complaints from Sun users, apart from when they need to fool a license server somewhere - but in a PC a hostid is suddenly something bad? (Well, you can change the ID in a Sun, but if it's etched into the CPU it might be harder to change.)
But what I was going to say was that it wouldn't work, since a CPUID/HostID identifies a machine, and not a user. Think about multiuser environments. Think about typical university setups, where you can sit at any one of hundreds of machines. Or when you set up individual accounts for each member of your family on your home box.
No, we absolutely need something that follows the user, and not the machine. I don't see any better solutions than cookies, but I'm sure that there are some.
Re:Cookies are not evil but.. (Score:2)
This would solve the privacy issue and it would allow sites to verify that you are who you say you are.
What we need for this is standards. We have standards to verify that a piece of software is from a certain company, why don't we have a standard to establish the identity of someone.
The Evil Use of Cookies (Score:2)
I think one of the greatest dangers of cookies is that right now they're insecure an invisible.
I had a friend who had his browser set up to accept all cookies. I was ranting to him one day about how I hate being forced to accept cookies at some sites, and how I nearly always refuse to accept them. He decided to check out his cookie file. Guess what he found...
Some site (I don't remember the offender) had set a cookie that contained a ridiculous amount of information about him: full name, home phone number, home address, job title, etc. Obviously he had filled out some kind of form at some point and they just dumped the info into a cookie. This meant that without his knowledge, every time he used their website, all of his personal info was being sent back and forth in plain text.
A system that allows this kind of abuse is seriously flawed.
I don't think it's time to rewrite the whole cookie spec -- and I don't like the alternatives to cookies either, but this current situation isn't acceptable.
What I'd like to see is some "cookie" icon in the statusbar of your browser that's shown whenever the site you're communicating with is using cookies, and clicking on that "cookie" would give the full cookie details.
I also think that all new browsers should have cookie filtering built in. I don't mind accepting any cookie from Slashdot.org, but I don't want to accept a single cookie from doubleclick. I'd also like to see some content based filtering available. This would allow me to refuse cookies that try to do dumb things like store my password in the cookie.
In the mean time, I'll keep plugging Cookie Pal [kburra.com] for Windows users. It does a great job of filtering and handling cookies, and is very unintrusive and small. I'm a satisfied user, but don't have anything to do with the company other than that.
You mean, like Slashdot? (Score:3)
I am Bob Washburne rcwash@concentric.net
I am a registered slashdot reader. But Slashdot refuses to accept my password even though I am looking at it on the screen.
I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.
Cookies are not necessary. I fill in my Nickname and Passwd on the first screen and it is brought along through the Preview and subsequent screens. This is done without a cookie, so why any cookie at all?
I would be quite willing to enter my passwd each time I make a submission rather than leaving personal information lying around for a rogue marketing-bot to harvest.
That is the whole purpose of a password; to authenticate the action. Storing a password defeats the entire purpose. So why have a password at all if anyone can just walk up to your box and post without it?
I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.
not caused by cookies (Score:2)
What's being stored in cookies? Well, a session id. Or a user name. Or maybe even some personal info or preferences. But I have never ever seen any site storing the credit card number in a cookie! And I shop online an awful lot.
If the credit card number was in fact lost online, and you must blame it on someone, blame it on the stupidity of this particular user. You don't send that info online in a non-encrypted format and as a general practice you probably should not shop online at a store you don't trust (for a variety of reasons, privacy and security being only some of those reasons.
Junkbusters (Score:1)
Also, it lets me tell everyone that the web-browser I'm using is 'Flipper the web-surfing goat (C64 edition)'
God, that sounded to much like an advert, btw you can it from here [junkbusters.com].
All Cookies -> /dev/null (Score:1)
cookies files to
bucket). Netscape never knows the difference!
Works great!
I also refrain from shopping at grocery stores
which encourage membership cards. I hate people
keeping files on me.
Cookie Monster? (Score:2)
The big question in my mind -- Sure, Novell's new software may protect you from Cookie Monster, but can it protect you from other muppet menaces like the powerful Big Bird or Bert (who everyone knows is Evil)? The article doesn't say, and I'd have to assume not.
Which is of course where my software comes in. Sesame Shield is released under the GPL and is easily configurable to run as a daemon that will block all Sesame Street characters, and soon Muppet Show characters as well. Don't rely on closed-source programs to protect you!
Re:"funny as hell" (Score:1)
Powers&8^]
Re:A prediction (?) about smart cards (Score:1)
One potential drawback I see is theft of the actual card. That's a problem with anything you carry in your wallet, of course, but the problem is still there.
Of course, then there's the fact that I don't want to have to go fetch my wallet when I trudge out to the computer in my PJs every morning. =)
Powers&8^]
Re:Banner ad that set cookie (Score:1)
Well, they can then match up this cookie with other cookies from them that you have, giving them a pretty good history of your web travels. And they may even eventually grab your personal information from a survey, contest, or other source and match that up to your web travels in a nice database. Who knows what other companies this ad provider might buy/merge with in the future and what the info in this database will be used for?
wouldn't someone steal something MORE? (Score:1)
Now, WHY, pray tell, would someone who broke into the CEO of Novell's computer take JUST a credit card number? I'm sure there were FAR more interesting things lying around than a cookie file. Especially if it was a Windows PC - then there's all sorts of neat things like (crackable) password lists, etc., which could probably get you into some pretty interesting places at Novell. But no, none of this was stolen.
Hence, my bullshit meter has gone off the chart.
Comment removed (Score:4)
Re:Hopefully you didn't miss the point, though (Score:1)
But when is Novell going to finally get around to releasing a GPL-ish version of NDS that can be incorporated into Linux or other platforms in a stand-alone fashion? As long as I'm stuck running @#$%^& "Netware" OS for NDS and NDS management, it's pretty much worthless.
And I'm talking about a full-blown NDS v8 compliant version, not that ancient 4.10 thing that Caldera sells. Yes, I know that the sell NDS for Solaris and NT, but they want a small fortune for it AND it still requires Netware running someplace to host the replicas.
somebody needs to corner the aluminum foil market (Score:1)
i should be putting it in my walls, on my windows, heck i should be be wearing it. what, me paranoid?
seriously, if a cookie cost somebody their credit card number, the responsibility is on the web site, not on cookies. it was just a bit to promote there digitalme stuff, but in a high-tech world and as a head of a high-tech company, you shouldn't be making yourself look like an idiot. it might have sounded cool to some marketers, but it didn't come out that way.
Re:Cookie Monster? (Score:1)
Folks, don't run sshd -- it's WAY too dangerous to be r00t3d by B1g b1rD, and he and his l33t friends will probably raid ~/.netscape/cookies.
(and let's not talk about Barney's Gateway Protocol...)
Really Secure Transactions Methods... (Score:1)
The ideal form any secure transaction takes, whether it's cash or information changing hands, is one where none of the participants really knows any more than absolutely necessary about the other parties involved.
There are a lot of variations of this sort of scheme, usually including some sort of trusted third party or PKI (public key infrastructure,) as well as any non-vulnerable local authentication storage medium. Smart cards come to mind.
One really cool scheme I've seen involved having user info stored in a strongly encrypted form on a web page, where the user used a key exchange between his authentication info on a local chip card and a TPT to access his info automatically. Great idea, since the TPT doesn't know anything about the user's content, but just provides their half of the security info, nobody can go mucking around with it while it's inert, and the user isn't storing anything locally or in a publicly accessible format. Maybe an alternative to cookies, since the sort of infos they are used for is pretty small, and thus almost instantly retriavable via the net...
Cookies are a pretty dumb way of doing things in any case.
Re: are there sites that send cookies with c.c #'s (Score:3)
In relation to using personal information on the net (including my e-mail address, you may notice that I did not "anti-spam" my e-mail address here on /. However, I only use that e-mail address in conjunction with a few sites, limiting the number of points from which my personal information can be derived to those sites with privacy policies that are up to spec, saving my regular e-mail address only being given to a much more private and personalized list of people that I am willing to receive information from. That way if there is a security problem, I know where it originated by my email address. Similarly, when I write software that uses cookies, I don't put any personal information in it. All of that type of information can and should only be kept in a back end database, well shielded from crackers, etc. For example, on one e-commerce site I designed, the cookie "knew" who you were, but in order to place a credit card order, you had to validate certain information within an encrypted page, even though the user had already "registered" their information (including the c.c. #) into the database via the web. We also included a fraud detection program designed to stop the c.c. # generators from ever being able to spoof an order. And folks, it just wasn't that hard to do!!
I agree with previous posters. The Novell CEO was trying to sell proprietary software, and claiming to have been attacked by the "poison cookie" monster in order to do so.
DigitalMe (Score:1)
Eric Schmidt: BceOFH? (Score:4)
"Do you know why the system is slow?" they ask
"It's probably something to do with..." I look up today's excuse ".. clock speed"
I'm feeling very uncomfortable here. I mean...I've grown up worshipping the BOFH [iinet.net.au]...and now...what doth my eyes detect, but...
A Bastard Chief Executive Operator From Hell?
You know, some strange part of me wants to see this as a complement.
The odds that Mr. Schmidt purchased something from such a fly by night operation that the credit card number was embedded in the cookie so low, that it stretches the imagination beyond repair to consider the idea that that same operation would ever have the technical desire or even knowledge to use Novell's new DigitalMe software!
Of course, he could have just been tricked by a *real* BOFH... "GEEK! HOW DID MY CREDIT CARD NUMBER GET TAKEN!" "Mmmm. Cookie." "I knew those things were trouble!" "Mmm. Oreo. Chips Ahoy. Yum."
Seriously, there's a gigantic amount of irony embedded in Novell proposing that their DigitalMe system would improve consumer privacy. Consider: Most sites that require state don't require your identity, pretty much because it takes time to get somebody to reveal who they are, and attention spans are small. Look how much traffic The New York Times loses from people too lazy to even lie on a form--MTV may have done more for consumer privacy than any other company in history.
Novell's DigitalMe changes that. Assuming the infrastructure is such that any site that wants to do trustable-state transactions(which is really what Schmidt and Novell is trying to sell) actually has enough DigitalMe access to not have to worry about Yet Another Single Point of Failure, DigitalMe lets the user disclose every piece of information the user could possibly expose in the click of a "OK, tell 'em whatever they want to know."
Heh, Novell--Suddenly everyone's finding out a hell of alot more about you!
And the worst part? Unlike that paltry $50 liability had, you'll never know what people are doing with your personal information. I find it interesting that in a place that espouses freedom and individuality so much, people don't own their identities.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
What about encrypted cookies? (Score:2)
The only potential issue I can see with this is the possibility that the limited size of the cookies may make decent grade encryption too big. I'm not certain though.
Personally I like the use of cookies as a session token for server-side session management. The only thing stored on the client is a one-use session ID which expires. Thus, even if somebody could get your cookie file, they'd have to take the session ID and use it within say 15 minutes, otherwise it would be totally useless. To further prevent fraud, you can link the session ID with the IP address, which eliminates all but the most complex hijackings that I can think of.
---
Manage Your Cookies (Score:2)
http://www.atguard.com/
Comment removed (Score:3)
One flaw in your logic (Score:1)
Re:It's just one of those necessary evils. (Score:1)
Actually cookies DONT'T suck at all... the implementation by braindead web-developers sucks... I mean think about it...
why have a cookie with all that info, just return a GID-style string that is unique for you and keep all the state info on your own goddamn server, just asking the end user for his/her/its ID?? no more problems.
Re:Banner ad that set cookie (Score:4)
The problem is that the agency can track you across multiple sites. If you visit www.site1.com, you can only get a cookie which will be sent back to that server, right? WRONG. While you were at www.site1.com, you viewed a banner from ad.doubleclick.net (for example). The problem is that when you visit www.site2.com, which should not be able to 'see' the cookie from www.site1.com, you took another banner from ad.doubleclick.net. This means that Doubleclick can track you between sites, which is a bad thing. I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)
I have no problem at all with certain sites using cookies. I am currently (since earlier on this week) using Junkbuster [junkbuster.com], and I have it set to allow cookies from Slashdot, LinuxToday, Amazon, and a couple of stock sites. If anyone else wants to send me a cookie, they can ask me and I'll decide on each individual case. At least I have the choice.
Sad to see, really... (Score:4)
Excuse Server (was Re:Eric Schmidt: BceOFH?) (Score:1)
Offtopic slightly, I know, but here's the shamless plug, and pointer, to the BOFH Excuse server [wisc.edu].
Cheers.
Re:All Cookies -> /dev/null (Score:1)
Netscape never knows the difference!
Well, I had never thought of doing that (being a relative newbie to Linux at home and having the powers to explore UNIX as a system), and yes, it certainly does seem to be a wonderful solution, with the small exception that here at least, each new pages requires me to log in again. A small price to pay I guess! Thanks for the suggestion.
Re:How Very Unfortunate (Score:2)
I agree, I've never seen any cookies storing cc numbers. I've seen userids, email addresses, zip codes, all sorts of stuff, but never cc numbers.
If any website is storying cc numbers, or anything else which is sensitive, we should publicly scold them until they do. Anyone got URL's to check out?
Re:Oh, not again... (Score:3)
Re:Big problem with cookies (Score:2)
Quite frankly, this is the only way to keep state after you close you browser. Rob is right - if you like personalization, etc. then you better like cookies.
more your ~/.netscape/cookies file and see what is in there. Mine is over 20K and all it is is user id serial numbers.
The other thing to note with cookies is that many places use temporary cookies - stored in RAM only and never stored on your hard drive. They terminate when your close your browser.
Re:A prediction (?) about smart cards (Score:2)
The business logic of the poor adoption of smart cards has been that they're currently too expensive. Nobody will pay $5 just for a card, especially if there are a number of different entities that each expect you to get your own card. As an example, they have "SpeedPass" at my local gas station. It's a smart card that's in a keychain, you wave it at the pump instead of having to get out a credit card. This is a free service. I don't think anybody would pay for the card. Because then they would be worry about if they lost the card, or it got worn out, or whatever. When it's free they can always get a new one.
So, smart cards won't be truly adopted until they're "relatively" free (maybe a cost of $1 or something could be eaten by other fees). As for who sponsors/provides them, the question turns to one of identification. Traditionally you rely on a government agency to provide your identification (passport, driver's license, birth certificate...) so it's logical to extend that into this arena. But again, people will go bananas if you start talking about the government being involved in such a thing when it relates to the web.
Who knows. Maybe some enterprising company will figure out a way to market the cards as essentially free, but then sell the readers. The trick there would be in fostering the adoption of the card/standard. You'd need to get all kinds of retailers on board that use your card, so that people would get use out of it. This has been tried numerous times with a variety of "electronic cash" methods, but none have really caught on that I know of.
cold fusion cookies (Score:1)
An alternate method of session tracking (Score:2)
http://www.wherever.com/ss.asdf98cs/some/path/f
I tested it for months. Pros:
- No cookies at all.
- Very reliable. Session state is retained without problems.
- Works even in Lynx.
Cons:
- Search engines record the URL with the session ID. Although the session ID is invalid after only a short time, it's quite ugly.
- When people would try to tell each other what URL to visit, they would try to pronounce the session ID.
- Absolute links always cause the browser to ignore the ID. Solution: dynamic HTML or no absolute links.
- The browser reveals the session ID to other sites when the user follows a link there. The ID is even recorded in the referrer log.
- Browser redirects are required. However, cookie solutions often face the same problem.
Eventually, I decided that cookies were a better solution for our purposes and switched over.
One thing that people need to understand, however, is that there are cookies that never make it to the user's hard drive. It puzzles me that browser makers put all cookies in the same category. The Best Way, at this time, to keep session state is to send a cookie to the user's browser that is never stored anywhere but in memory.
Re:Hopefully you didn't miss the point, though (Score:1)
Re:someone tell me... (Score:2)
...phil
Re:Session ID URLs /are/ stored on your drive. (Score:1)
Re: (Score:2)
Re:Hopefully you didn't miss the point, though (Score:2)
Given the choice between something propriatary & something open, I know which way I'd lean.
Re:A prediction (?) about smart cards (Score:2)
This logic implies that "Those who do not study history are doomed to repeat it" is incorrect. That industry does not learn from its mistakes. This might be true, I don't know. I don't think it is. You're welcome to. There's no real way to tell if it's an absolute truth, now is there?
First, every company will get into an endless Beta-VHS standards war seeking to control the standard and therefore the royalties.
And by this logic, we would never have settled on the magnetic stripe card, would we? Somewhere along the line competing plcaes like Visa and Mastercard got together enough to agree on the format. Why is it so unbelievable a stretch that this couldn't happen with smart cards, which are often compared very closely to magnetic stripe cards? There's a darwinistic element to the introduction of a standard, no question about it. And we all know that it's not usually the technically superior standard that wins. But a standard does usually emerge. It's not an endless battle.
Second, this type of "universal profile" turns people off.
Define "people" in this case. You forget that most people out there are not freedom fighters. They are consumers. More than that, they are lazy, cheap consumers. It's cost-benefit analysis. What am I giving up by having the card? What benefit does the card give me? If people perceive that the card makes life easier, they are likely to use it. If you don't wnat to use it, fine. I know people that don't use ATM cards for many of the reasons you list. Fine. But that hasn't stopped them from becoming very popular.
d
Guessing CC numbers is easier than you think... (Score:2)
#include<stdlib.h>
intluhn_ok(
char*inp
){
return((luhn(inp)%10) ==0);
}
intluhn(
char*inp
){
staticint x[2][10]= {0,1,2,3,4,5,6,7,8,9,0,2,4,6,8,1,3,5,7,9};
char* p;
int s =0;
int sum =0;
char c;
if((inp==NULL)|| (*inp=='\0'))return -1;/*biteme, doughboy!*/
for(p=inp;*p !='\0';++p){}
do{
c=*--p;
if((c<'0')|| (c>'9'))continue;
sum+=x[s][c-'0'];
s^=1;
}while(p!=inp);
returnsum;
}
Re:Big problem with cookies (Score:2)
Hmmmm. Let's see. Three cookies for the NYTimes site. One for Slashdot. One for Gist (an online TV guide)
That's it.
If all developers ever cared about were state, then cookies that do not persist when the browser was closed or ones with short termination dates would be necessary. Why can't I be the one to determine how long cookies are kept? As it is, I decline cookies unless *I* have a reason to keep it. Any sight that presents me with too many cookies dialogs does not get revisited.
Re:Cookies are not evil but.. (Score:2)
"I remove all cookies during boot up each time and I NEVER KEEP sensitive personal info on my PC."
If I were you I would unplug the computer, lock the door and be afraid for the rest of my life. Not taking part in society is excellent defense against Big Brother. But seriously, what's the big deal with cookies? Only the site that created them can access them and they might as well store it serverside if there really is something worth storing. Cookies are mostly for your convenience so with deleting them you only give yourself extra trouble.
Moving privacy sensitive data to a central place gives you more privacy because you know who leaked information when something goes wrong. In my view your privacy sensitive data should be legally protected (i.e. you can sue when somebody illegally accessess it).
"Because some of us prefer that BIG BROTHER does not know everything we do and when and at what time...."
I suppose you're not that paranoid that you don't store your money in a bank. I.e. anytime you make a payment with your creditcard (online/offline) that information is registered anyway.
"Any other behavior is just proof of evolution in action...the stupid shall be fleeced
*sarcasm* Ok we an über mensch posting here.*/sarcasm* Just because you learned to operate a computer doesn't make you any smarter. In fact the smart let geeks like you do the monotonous work of operating a computer since they have better things to do.
Re:Cookie handling in IBrowse 2 (Score:2)
Incidentally, I've found lynx's cookie handling fairly good; you at least have the site granularity, which is nice.
Re:Trust (Score:2)
Umm.. heh. Can someone please explain to me what you gain out of changing this information? I can't see any possible gain, but there are tons of drawbacks. Specifically, web pages that dynamically generate content based on the browser string will be generating content that either doesn't work in your browser, or is meant for sub-standard browsers (hence you'll be missing out on features or content that might necessarily be limited to more capable browsers).
So what's the rush to change this text?
Re:CC# stolen, or guessed? (Score:2)
Not even that many. 10^14, tops. The first digit identifies the type of card (Visa, Amex, MC, etc) and the last digit is a checkdigit. (I used to know the formula for the checkdigit, since I coded software to check it, but that was years ago).
And I believe the next few digits after the first identify the issuing bank, so one could probably make educated guesses about that.
Not that there aren't a zillion other ways to just go ahead and steal real CC numbers, if one is so inclined.
Re:Security and Privacy (Score:4)
Are you just totally ignoring what everyone's been saying? Cookies are quite necessary to preserve state information between web site requests and visits.
I personally love the fact that I can re-visit outpost.com and not have to enter my address in every time I want to order something. I like being able to pick out a book or two from Amazon, set them aside, and come back in a week to complete the order. It's all about convenience, and I'm sorry, but outpost.com doesn't spam me, so I don't really see where you get off labelling all cookie users as evil conspirators that want to spam you.
There are quite legitimate uses, and the only real way I can see them being abused has been discussed on Slashdot ad nauseum in that they could possibly be exploited to track your movements between cooperating sites. The only marketing-related way they're being used today is to try and "target" those banner ads that you see to your tastes. The banner ads are still there, mind you, but now they're advertising stuff you're interested in.
Re:A prediction (?) about smart cards (Score:2)
No, not really.
My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses?
No.
Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want?
Yes. I don't want to identify myself to every website that I visit. Frankly, moist sites I visit once and never return. Neither do I want prefeences set at every website that I visit. Most sites aren't as configurable as
My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains.
My point is that I have the brains. I don't want a smart card giving out any information on me. I don't need the card. If I want to lie to a site and tell them that I am a 75 year old lesbian mother of three, I will do so. I don't need your smart card and I don't want it.
one way of dealing with cookies (Score:2)
Tell your browser to accept all cookies. Did this several months ago with no problems.
There's probably an equivalent for MSIE, but since I don't use it, I don't know what it is.
y2k info - http://www.ecis.com/~alizard/y2k.html
Re:A prediction (?) about smart cards (Score:2)
I usually browse the web with cookies turned off and only turn them on when I need to to look at a site, or if doing so would really make my life easier. I usually delete most of my cookies daily, except for a few sites which I use often and having cookies will save some state which I want saved.
I often sign up for something on the web using false information. Why should I let my free email service know anything about me other than my real name so they can tell people who I send mail to, who it is from? Maybe they want to know my income and marital status, but they won't get it just because they can target ads at me better. If I buy something, they get my address and credit card, but no more. Certainly not my real phone number.
I can't believe anybody would use a system where they say "here, take my info and share it. Shaft me for all I worth, please!!!"
Re:A prediction (?) about smart cards (Score:2)
Read what I wrote again, and you'll see that you still get to use your brain. All the card does it regulate and structure the flow of information. You still get to set up the whole "trust" mechanism. If you trust no one, and it sounds like you don't, then don't use the thing. But you must not be a customer many places, though, because I would think that you'd be willing to identify yourself to a web site in order to get a look at your stock portfolio, or the status of your new order of blowup dolls.
As for pretending to be a 75yr old lesbian, your personal life is your business. Sounds to me like wearing a different disguise to the supermarket every week so that nobody recognizes you as a regular shopper, though. Kinda pointless. But if that's where you want to spend your time and energy, more power to ya. I'm just trying to spend mine coming up with ways that might actually benefit both people and industry. It can happen, ya know.
An important point buried in BS? (Score:2)
I've seen poor implementation of cookies lead to server B looking at cookies that had been set and should only have been readable from server A. I've gotten spam because of it. Blame the Webmasters? Sure, but I'll stick to blaming the browsers. They ought to have more fine-grained control over cookies. Why, even IE4 (*suppresses gag reflex*), on which I am typing this post, only offers "cookies on" or "cookies off." What about "prohibit cookies from server foo.bar.com" or "foo.bar.com can only read foo.bar.com's cookies?" Then, the users who still wanted loads of customizable preferences could leave everything on and not worry about it, while people like me could turn on just enough cookies to keep our favorite tech support sites from barfing in a cookie-less environment.
Hope some browser writer is listening somewhere (or better, a knowledgeable user of an existing browser I don't know about).
Bye all....
--unDees
Re:Credit Cards Online (Score:2)
Yup.
"f Sears throws all their receipts through a shredder, are you really going to be able to sift through that mess and find one good number?"
Having worked at a mall before, I can assure you that most places (not all) do very little in the interest of CC security. None (that I saw) even owned a shredder, much less used one.
As an example, the place where I worked threw the carbons out with the trash. The trash went into the dumpster. Within the span of ten minutes, I promise I could dig up 50+ CC numbers out of one bag of trash. (if I could stand the smell
And it's worse during the holidays.
Jedi Hacker (Apprentice) and Code Poet
Linking Cookies and E-mail (Score:2)
The essay on HTML enabled e-mail and cookies is at:
http://www.tiac.net/users/smiths/p rivacy/cookleak.htm
state in a stateless protocol (Score:2)
if they want state, why use a stateless protocol like http?
why not iiop (that is stateful, no?)?
Why not a protocol like ftp or ssh (if you're a security nut) which is stateful?
Hack over hack over hack.. the statelessness of HTTP was a performance hack... the cookies are a statefulness hack... junkbuster is a stateless stateful statelessness hack...
This is easy (Score:2)
Just create a session ID and pass it in the the URL. Also, associate an IP address with the session ID.
To avoid problems with bookmarking, expire them after an hour.
I do this on a bunch of different sites, and it works great, with no cookies. -Loopy
Cookie abuse (Score:2)
If not wanting my browsing habits tracked this way makes me "ultra-paranoid", sign me up.
Sigh (Score:2)
When are people going to get it through their heads that cookies can only return information the server sends to you? The only way cookies are going to "give" your information to a site is if you already told the site your information in the first place.
Why should I let my free email service know anything about me other than my real name...?
Maybe so they can pay for the free email service? Didn't anyone ever tell you There Ain't No Such Thing As A Free Lunch?
If you win, you lose (Score:2)
Question: Would you pay to visit all of the websites you visit? And I do mean all of them, from Slashdot to cNet to Yahoo to some two-bit page on GeoCities?
The reason I ask is that banner advertising is what pays for an awful lot of the web today. Unless the page is promoting a company's product (making the whole page one big ad) or supporting a company's product (you already paid for the page), banner advertising is the only alternative to charging for access.
If banner ads go away, then you will lose all of your free web pages. Web content providers will instead start charging for access. That will require you to -- guess what -- identify yourself to facilitate payment. And that identification process will be far more in-depth, involved, and intrusive then any banner ad from Doubleclick.
I am not saying this makes what Doubleclick does right or wrong. I am just wondering if you have considered the consequences of your actions, or if you are simply hoping for a free lunch, like so many people seem to do.
Be careful what you wish for. You might just get it.
I want to be anonymous, but I post my email addy (Score:2)
Interesting to note that the techniques for skimming cookies off net traffic can also skim that same password and user ID.
What's that, you say? Encrypt the password? Well, sure... but why not just encrypt the cookie instead?
Anyone who says "cookies are not needed" has obviously never done any programming. Without persistent, state information, computer programming is just about useless. Oh, sure, you can do one-way content delivery that way, but I, for one, want the web to be something a bit more interactive then a glorified TV broadcast.
I really get a kick out of the fact that you don't want people tracking you, but you post your email address in a public forum. Yah.
There are issues with cookies that make them less then perfect (to put it mildly), but treating them with extreme paranoia and fear is rather an over-reaction.
Re:state in a stateless protocol (Score:2)
Of course! Why didn't I think of that? I'll just surf on over to Amazon.com using my IIOP-based web browser and...
Oh.
Why blame cookies? (Score:2)
If I ran a conventional store, and you bought something with a credit card, I could xerox 200 pieces of paper with the number on it and post them on telephone poles. This does NOT mean we need to blame telephone poles! Credit cards, not cookies, are the dangerously flawed technology we need to cope with here. You have a 20- or so digit number, which anyone can use to spend your money any number of times, for anything and for any amount of money, without your approval? Suddenly, cookies sound rather benign in comparison.
Re:state in a stateless protocol (Score:2)
Re:Cookie abuse (Score:2)
You cannot use what you do not have (Score:2)
Because it is there. It exists. It can be used.
CORBA is nice, fun, elegant, cool, whatever, but you cannot use it because it isn't available to the target market.
An inferior solution that works will always win over a superior solution that does not exist.
(It is also worth pointing out that a lot of things are used for purposes they were never intended. Thus do we evolve.)
Re:If you win, you lose (Score:2)
Fortunately, there are other possible sources of website revenue - sponsored links, merchandizing (get those /. tee shirts), affiliate programs, and voluntary contributions (works for NPR and PBS stations) come to mind.
Supported by advertizing != free. Just on the basic level, if Coke runs a banner ad on a site, where do you think the money for their ad budget comes from? It's figured into the cost of every can of carbonated caffeinated sugar you buy from them. Then there's the cost of your time to download the ad. Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell. Nope. Anonymous digital cash is a solved problem.Anonymous digital cash? (Score:2)
Anonymous digital cash is a solved problem.
I'm intrigued. Could you provide some more info on this? In particular, I generally see information technology leading to very easy tracking (to wit, the whole Doubleclick cookie issue). How does anonymous digital cash work?
Advertising, "free" content, and more (Score:2)
Could be. Alternatively, consider highly targeted banner ads. I deliberately fill out a survey giving the advertiser demographics information, such that they can target their ads to
the sorts of things I am interested in. My interest goes up, clickthroughs increase, sales benefit.
Now, why would I fill out such a survey, you ask? Well, one the purposes of advertising is to inform potential customers of your product or service, whereas they may have been in the dark before. That is a useful thing, to me. If I am going to be bombarded with ads, at least they could be relevant ads.
I have to wonder just how "ineffective" banner ads really are. I see 'em. I read some of them. I even click interesting ones from time to time. Sometimes I learn something, sometimes I close the window in disgust, occasional I bookmark a site for future investigation. This works better, for me, then ads on the side of a bus, where I cannot easily remember the company or investigate their product.
there are other possible sources of website revenue
Okay...
sponsored links
Sponsorship is just another way of saying "advertising", is it not? Sponsors will likely want an attractive, thing to get my attention, no? How is that different from a banner ad?
merchandizing (get those
I somehow doubt Slashdot could be funded on the income from T-shirt sales.
affiliate programs
You mean like, "Link to our online store, and you get a kickback"? Frankly, I find those sorts of agreements more insidious then advertising. With ads, you see a product of possible interest and get the chance to evaluate it. The content provider gets their money regardless. With affiliate programs, I am locked into a choice. What if the affiliate provides lousy service? Do I use them anyway, and support my preferred content-provider? Or do I leave the C.P. out in the cold and use my preferred online store (or whatever)?
voluntary contributions (works for NPR and PBS stations)
Riiiight. Voluntary contributions are never enough. You think NPR and NPTV aren't funded through your tax dollars? There are too many things of possible interest to possibly get supported through donations. No, I don't buy it. Sorry. I want more then two channels worth of National Public Internet.
Supported by advertizing != free
Good point. Touche. However, supported by advertising is also not the same as paying cash.
Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell.
Oh, please. I'm not going to crawl into a hole and isolate myself from the rest of the world just because I might fall in with a trend.
Anonymous digital cash is a solved problem.
Very interesting. See my post at #215 [slashdot.org] for a seperate thread on this.
Re:Big problem with cookies (Score:2)
I'd personally like to do mostly script-free sites, or at least offer script-free alternatives, but clients simply will not pay for that - it's their business to address the great majority of browsers, and that quite often means neglecting alternative browsers (or any other than the strict mainstream) and users who customize their browser config.
In other words, it's a no-win situation for an architect to suggest - "you want to spend how much money addressing the needs of how few users?". You start losing proposals if you end up playing technology pedant like this, and unfortunately consulting is the game of winning, not losing, proposals.
A lot of the cutting-edge UI stuff relies on javascript, but the core functionality shouldn't. IMHO, of course. But clients pay for as much eye-candy as they can afford, and because it tends to attract repeat visitors it is a strategy that works. I disapprove of it on personal and puritanical grounds, but it does pay the rent
--
Re:Anonymous digital cash? (Score:2)
I'll try to give a paper and envelopes version of a simple scheme; replace the envelopes with blinding (a reversable encryption operation on a message that allows a blinded message to be signed without the signer knowing its contents) and physical signatures with digital ones. IANA crytographer, so I invite correction on this.
I want to send you an anonymous money order. I write up 100 of them, each of the form "This is money order [random large id string]; pay to bearer $42." and place each one in an envelope. I go to the bank with all 100. They choose 99 of them to open and see that they're all for $42. So they have a high degree of certainty that the one they didn't pick is also for $42. They sign the envelope with a special ink that stains through onto the money order, and take my $42 (plus a handling fee, no doubt). I take the envelope, open it, and send you the money order. You cash it for $42. The id string uniquely identifies each order and prevents double spending.
More complicated algorithms allow the tracking of counterfiters while leaving legitimate transactions private, but they make my head hurt.