Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
News

Novell CEO Attacked by Cookie Monster 228

CitizenC sent us a funny as hell article where Novell CEO Eric Schmidt talks about having his credit card stolen. The funny part is that he blames cookies. Cookies are certainly flawed, but he goes as far as to call them one of the biggest disasters in computers and tell us that they are stored in the wrong place (what, we're gonna keep them on floppy disks?). Finally he (surprise!) plugs Novell's own digital authentication mechanism (aha! The truth comes out). Hit the link to read a little more ranting by me on the subject.

It is a given that cookies are flawed:

  • Most systems store them in a readable format on your harddrive. Yeah, that kinda sucks. But if your machine isn't secure, then you've got bigger problems then just your cookies file.
  • They are sent in plaintext over the internet. But thats why we have SSL when you need security. Someday all net transmissions will be encrypted anyway. (assuming nobody else from the IETF gets bothered by the FBI)
  • Cookies used to be pretty well forced on netscape users, but now most browsers give you an option. And there's always junkbusters for the more paranoid.

It is given that I need state over httpd. I want shopping carts. I want net commerce. I want user preferences on websites I frequent. Maybe you don't want these things, but I do, and I don't think I'm alone on this one. There are a few ways besides cookies to do this.

  • Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.
  • Webmasters could create a session and pass it in a URL with each page. This suffers from all of the same problems as cookies, except that the session ID isn't stored on your hardrive. Unless you bookmark it. Ooops. It also has the added benefit of making URLs messy, and being a huge pain in the ass for a webmaster.
  • Some sort of third party big brother handling authentication. I'd much rather just have a cookie that I can turn on or off than have a third party take care of it for me. I trust me more than them.

I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution, they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.

It's like telling people that the water that comes through your pipes has floride in it, so you ought to buy their brand of bottled water instead. You ever see a communist drink water, Mandrake?

This discussion has been archived. No new comments can be posted.

Novell CEO Attacked by Cookie Monster

Comments Filter:
  • One of the greatest problems in this whole arena is that anytime someone stores any bit of information for whatever reason people will get unnecessarily angry. It's a fact of life, albiet a sad one, that many people have become so astoundingly paranoid. If we had slightly more trust then maybe things could start to work, but not until then.
  • Trust isn't something that should be granted by default, only to be taken when something goes wrong.

    Unless id Software, Real Networks, Novell, Netscape/AOL, or anyone else proves to me that they NEED a certain bit of information, in order to serve ME better, I'm not giving them the first initial of my first name.

    They already get enough for system administration purposes: HTTP referrer, IP address, even browser type (although Konqueror allows you to change that).
  • by legoboy ( 39651 ) on Friday December 03, 1999 @05:06AM (#1483316)
    I saw this a few hours ago. I was thinking, "Good god, not the cookies are evil thing again." But no, it turns out that the article is nothing but a shameless plug for a product that this fellow is trying to shill.

    The most telling part of the whole tale though, is the ZDNet TalkBalk. When "Larry, Internet Web Designer" can identify it as a joke, you know that even the lowest common denominator can see right through this guy.

    I can't help but wonder why even ZDNet would lower their quality control to this level.

    ------
  • by Masem ( 1171 ) on Friday December 03, 1999 @05:09AM (#1483318)
    There's not enough details in this article to say whether the CC# was stolen, or was guessed at by a random # generator. I know that about a year ago, I was victim to the random # generator fraud that charged $19.95 to my card, enough to rake in money, but not enough to tip ppl off that aren't careful with their statements. Fortunatley, I caught it, called my CC bank, and got the money removed.

    The thing with the latter is due to the fact that most CC # checkers check the numbers, and not the expiration date. Thus, pass 10^16 numbers to one of the sites, and you're bound to get some cash. Once they have a number that works, then they're set.

    Therefore, he might have been hit with this instead of true CC# stealing (It's really hard to get at cookies although there are some bugs, but require a lot of assumptions on the end user's actions). This only suggests to me that we need to make sure that CC# verification systems are more secure, and ask for the experiation date in addition to all other info. Or even better, add a PGP-like key to CC# info to make it more secure.

  • I can't help but wonder why even ZDNet would lower their quality control to this level.

    ZDNet has quality control? Oh, maybe that's Jesse Berst's job...
    ________________________

  • It's true that we a need to keep state in writing out web apps but maybe we should retink this whole web app thing in the first place. Trying to write a serious commerce app over a stateless anonymous protocol is a recipe for disaster. What we need is another protocol for delivering code over the net and leave http for delivering content. Something like RMI but language independent if possible.

    BTW I know CORBA is language independent but honestly it's bit complicated for the average developer. HTML was great because it was so simple to learn and effective at what it wanted to accomplish.
  • by Manifest ( 50758 ) on Friday December 03, 1999 @05:11AM (#1483321) Homepage
    I am paranoid. I dont trust any one. Cookies are bad. Javascripts are yuckkkk .. But I TRUST Novell. They are so carefull people. see they learn from their.. opps their CEO's experience.

    I hope they implement "digitalme" soon. My cash is running out. I need a database of credit card numbers.

    Manifest
  • I'm hesitant to condemn the man on the spot, because after all, he is CEO of a multimillion dollar company and one would guess that his vide presidents shield him carefully from saying anything TOO embarassing in public. But when I read the vague 'I don't know how it worked, but I'm sure cookies had something to do with it', I really started to have my doubts.
    Are there sites that store cookies with your freshly entered credit card number in it? I can't believe it. Only thing this shows is that he lacks a fundamental grasp of what cookies are and how they work.
  • Of CEOs shooting off their mouths to try and move product.

    Anyone else remember McAfee and the Michalangelo virus?
  • Sure, you could rant and rave about how bad cookies suck - but what would you do without shopping carts, user preferences, and *GASP* slashboxes? Of course I suppose you could petition all programmers to use Php4's session functions and not only get nowhere fast, but get rid of cookies all together.
  • by pen ( 7191 )
    Rob just stole your credit card! Look out!
  • Comment removed based on user account deletion
  • THAT explains all the pr0n charges to my account.

    At least, that's what I'll tell my wife :D
  • Shame on ZDNet for this headline. It flashed across my MSNBC breaking news thingy, too.

    Lots of people may see this headline, but not read far enough into the article to see it's a thinly-veiled product plug. Now all the newbies have one more reason to think cookies are some evil scam.

    Grrrrrr.

    -- Cara
  • RUN! It's OSCAR THE GROUCH, and he's running an E-COMMERCE site!

    I'm the guy who writes those silly fortunes. =)

  • by rodbegbie ( 4449 ) on Friday December 03, 1999 @05:16AM (#1483331) Homepage
    Let's get this straight once and for all.

    It is NOT easy to grab a credit card number on-line. Sniffing packets, intercepting e-mails, grabbing cookies, etc. is bloody hard work. Especially since you could spend 5 minutes raking in the bins at your local mall and get 100 numbers.

    I am willing to bet $50 that Mr. Schmidt has at some point in the last 6 months handed over his credit card in a restaurant. Doing that is opening up his card number to a wider audience than using it on Amazon.com ever could.

    However, it is helluva easy to use a credit card number online, once you have it. Go on, fill in a few forms, and it doesn't matter if you're a 13-year-old boy in Arseville, Tenessee -- you can use that card number from the 70-year-old woman in Alaska who wouldn't know a modem if it bit her on the arse.

    Last week, I found a $60 Amazon.com charge on my card which wasn't mine. I don't blame the internet. I don't blame Amazon. I don't blame cookies, SSL, e-mail, or Elvis.

    I don't even care that much. So what? I shout a bit, get my $60 back, and carry on like nothing ever happened. No big deal.

    This kind of thing has been happening for years on the phone. This is nothing new, except for the sheer volume of fake transactions. But until the card companies make it easier to verify transactions on the fly (see Philip Greenspun's excellent book [photo.net] for a description of how pathetic the whole thing is), it's not going to get better any faster.

    Just don't forget to burn your carbons.

    rOD.


    --

  • It really ticks me off to see people spreading the FUD about cookies. Especially when it's all in the vein of marketing. Clearly, Schmidt wants to plug his new "digitalme" online identification-management service, and needed a good reason to do so. Here's another example of someone exploiting the media to get gratuitous advertisement. He wants to say that his "digitalme" is better than cookies, and that's all fine and dandy. But it's not a real big deal yet. But maybe if he claims that he was the victim of credit card fraud through insecure cookies it will get him more attention. Hell, he's not even sure it was due to cookies (if it even happened at all):
    Although he isn't sure exactly how his card number was lifted, Schmidt says he believes it was through a mechanism that reads the cookies-files sitting on a user's desktop and storing personal information, such as passwords and preferences.
    Besides this, most any company that I would do online business with has the integrity & knowledge to NOT store credit card information in my cookie. Very few do so.


    Quidquid latine dictum sit, altum viditur.
  • Yes, there are quite a few problems with cookies. The major two have to deal, of course, with encryption. The encrypted storage is depressingly easy for a browser company to fix; I can only wonder why Netscape, Mozilla, or even IE hasn't at least done a weak scheme (at this stage, with the RSA patents set to expire in less than a year unless I'm mistaken, Mozilla will probably be the first to do it).

    The problem of sending cookies in cleartext is harder. The solution is of course encrypted communication. For anyone with Apache this shouldn'e be too difficult (SSL should be sufficient)... except for the whole certificate problem. I'll be glad when encryption is built into the protocol.

    Come to think of it, the only way this credit-card number could have actively been stolen would be if the sessions hadn't been encrypted. Does this mean that one of the "great" computer executives was actually stupid enough to give his credit card number to an insecure site? I find that hard to believe, though if he's trying to hawk his own wares I suppose it could be some kind of play.

    More likely he simply fell victim to a credit card number generator (which exist all over the place) and blamed cookies since he could use that as an advertisement.
  • Sure, its possible for a clever Cracker to get at my cookies. But I'm not too concerned with it. The guys who are that good have bigger fish to fry.

    I'm more worried about some store clerk collecting card numbers and passing them on to someone else. That is a lot more likely to happen in the real world!

    Mike Eckardt [geocities.com] meckardt@yahoo.spam.com
  • by twit ( 60210 ) on Friday December 03, 1999 @05:18AM (#1483336) Homepage
    The big problem with cookies, I think, is that they're misused. You should maintain state, not useful information, using cookies. They're perfect for stuff like a session ID, a user ID, that kind of thing, which does not need to be kept secure.

    Credit card numbers should either be kept in a back-end database, or (preferably) not at all. I'd prefer it happen the latter way. I like net commerce as a bright idea (both generic and in the IBM-branded net.commerce) and have even worked on some commercial sites, but that's part of the problem: you don't want schmoes like me safeguarding your credit card :).

    If Novell's CEO is having problems with credit cards kept in cookies, it isn't the fault of the medium but the way it's being used. If anything, we should adopt best practise standards which keep credit card numbers secure and press business software vendors, like IBM or MS, to do the same.

    Of course, I suspect that it wasn't the fault of cookies at all; it was a cracked machine or even a shopclerk who swiped his card twice. But that's just my nasty, nasty suspicion.

    --
  • Okay, now smart cards are obviously the solution here, but your average online purchaser isn't going to have a card reader for a while.

    So here's my suggestion...

    When a person is issued with a credit/debit card account, they are asked if they want to make online purchases. If they think they might want to, the bank supplies them with a small device, like a pager.

    Whenever a customer wants to make a purchase, they enter their credit card details and send them off, where the mod 10 algorithm and expiration dates are checked.

    If this passes the test, the bank sends a message to the pager-like device asking the user if he/she authorises the transaction. The device has at least 2 buttons, maybe 3: one for "yes", one for "no", one for "alert, someone else is trying to use my account!"

    I think it would be a good idea for a bank to provide this sort of service, because then users would be much happier with their security, and less worried about the possibility of online fraud.

  • Don't be such a pessimist! ;-) The person who entered it could have entered his credit card number incorrectly, and the resulting number just happened to be the Novell CC#. Also, it could have been a mix-up on the back-end.
  • They already get enough for system... even browser type (although Konqueror allows you to change that).

    As does lynx, the one true browser. :)
  • I am always curious on this one, hope this is not off topic:

    What's the implication if a banner ad that send me a cookie?

    As far as I can think of, using this cookie, the ad provider company will know which page I viewed their ad, can they get more info out of this?
  • A few years ago I did a commercial system for using digital certificates to identify yourself to a web site. It was generally liked as being nice and secure, but hated as being too hard for the consumer to understand. That was before smart cards.

    Imagine that, as a web surfer, you have a smart card that identifies you as a web surfer. Personally I am a believer that you should have to identify yourself as adult/child in order to cruise some areas of the web, but that's my personal opinion. But that's not for this thread to discuss. Add to the smart card some sort of bio sensitive way to identify yourself, maybe a thumb, maybe an iris scan. The key being that everything you need (short of the reader hardware) is stored on the card. You can take it with you to any browser (unlike cookies).

    Your smart card not only identifies you, it has a profile on you. It can keep your web site preferences, but it can also keep your buying habits, etc. And your age, marital status, and so on. It's here that people scream bloody murder about privacy on the net. But here's my hopeful suggestion : that your profile will come with trust zones. If you're doing anonymous surfing, maybe all the site gets is your age -- or maybe nothing at all. For sites you want to register with long enough to read a story (like NYTimes), you let them have your name but not your profile. And so on. For trusted sites like slashdot you set up preferences. For sites where you are actually a customer of some sort, you let them have your profile (linking in yesterday's discussion about IBM's miniature vegetable commercials).

    Wouldn't this be nice? My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses? Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want? Wouldn't it be nice to have a mini-profile that you could use to bootstrap your registration to new sites?

    My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains. A web site couldn't just tell the card "Give me the whole profile". It would have to say "Please validate me as being a trusted site and give me whatever information I am entitled to." And then, in something of an ironic twist, *it* has to identify itself to *you*, and you get to decide what to do next.

    Will this happen anytime soon? I wish. I think the reason that digital certificate authentication didn't catch on is that it was too confusing to get the certificates into the browsers, people didn't want to give up their passwords, and the certificates weren't portable. In a world where you have a smart card reader built into your keyboard, these problems seem like they might go away. Nobody thinks twice about having to flash a passport when flying internationally, and they usually only grumble a little bit about being carded at the local bar. Is it really that much of a stretch to think that there'll come a day when you take your webId card out, stick it in the slot, and then periodically answer a question about how much information you want to provide to the web site you just visitd? I don't think it's really all that bad.

    I'm curious to know if I'm, like, *way* off on this one. Are people going to flame the hell out of me on this one? Or agree completely?

    d

  • Please dont waste time. Read this artic le [zdnet.com] on the evils of cookies instead. Atleast these people know a bit about what they are talking about.

    If I am not mistaken, it talks about the security loophole [cookiecentral.com] that was created when GIF images were allowed to embed cookies in computers. This has been discussed on / [slashdot.org].
  • I really thought that the 'Cookies are Evil' was dying down as people realized that while they aren't the best solution,
    they are as good as we're gonna get any time soon. Then to see someone who ought to know better get out and
    throw fire ants into the mix to plug his software, well thats just really rubs me the wrong way.


    Well, it may rub you the wrong way, but I wonder whether you are missing the most important point: there IS a technology out there that solves the problem of identifying yourself on hte 'net in a secure way, giving out only the information you want and only to those you want. It's based on NDS and it's working. Novell has baeen developing NDS for about 10 years now, it's a proven directory solution and there are many applications already that use, plug into, distribute data through or collect data through NDS. One of them is DigitalMe, and it solves the ancient mechanism of cookies. It's a flawed mechanism for many applications, and guess what? Novell has a solution that works today (Microsoft AD anyone?) and solves the problem. Is there anything wrong with that?



  • Isn't it more likely that this guy paid with credit card and a waiter wrote the number down? If I were going to commit credit card fraud I'd just get a job at Red Lobster and start writing.
  • Most shopping sites that I'm aware of, and most software packages that allow you to add a shopping cart to your web site, don't store the credit card info in the cookie. They store a session identifier--either a UUID or some other unique key generated by their database engine. So it's impossible for someone to lift your credit card from your machine by simply reading your cookies: they'd also have to be able to get into the shopping vender's database and look up your credit card. At which point, they could get *everyone's* credit card.

    The only way a cookie could be used to steal from your credit card is if they copy the cookie to another machine and hit a site such as 'Amazon.com' when you have 'one-button' shopping enabled.

    I think this whole cookie scare is total nonesense--there are easier ways to steal credit cards than trying to reverse engineer site-specific database key identifiers out of a cookie file. Such as working as a waiter for a restaurant...
  • Intel would love to use a CPU ID to help us. This has so many problems that I'm just not going to go into it. But it would work.

    Many boxes already have HostID numbers, but the PC world has not had this, traditionally. I have not heard any complaints from Sun users, apart from when they need to fool a license server somewhere - but in a PC a hostid is suddenly something bad? (Well, you can change the ID in a Sun, but if it's etched into the CPU it might be harder to change.)

    But what I was going to say was that it wouldn't work, since a CPUID/HostID identifies a machine, and not a user. Think about multiuser environments. Think about typical university setups, where you can sit at any one of hundreds of machines. Or when you set up individual accounts for each member of your family on your home box.

    No, we absolutely need something that follows the user, and not the machine. I don't see any better solutions than cookies, but I'm sure that there are some.

  • I agree with this. The whole problem is that each web app deals with security on its own way. Many sites require a person to identify himself. This is commonly solved with a username/password combination. What would be nice is if there were a third party that would do user identification. Rather than providing each site with all your details you could authorize (through a certificate) a company to verify with that third party that you are you. This would also be a way to limit the amount of information you show to that company. The third party could of course maintain a database of user data but you could agree (with a contract if necessary) to restrict access to that database.

    This would solve the privacy issue and it would allow sites to verify that you are who you say you are.

    What we need for this is standards. We have standards to verify that a piece of software is from a certain company, why don't we have a standard to establish the identity of someone.
  • I think one of the greatest dangers of cookies is that right now they're insecure an invisible.

    I had a friend who had his browser set up to accept all cookies. I was ranting to him one day about how I hate being forced to accept cookies at some sites, and how I nearly always refuse to accept them. He decided to check out his cookie file. Guess what he found...

    Some site (I don't remember the offender) had set a cookie that contained a ridiculous amount of information about him: full name, home phone number, home address, job title, etc. Obviously he had filled out some kind of form at some point and they just dumped the info into a cookie. This meant that without his knowledge, every time he used their website, all of his personal info was being sent back and forth in plain text.

    A system that allows this kind of abuse is seriously flawed.

    I don't think it's time to rewrite the whole cookie spec -- and I don't like the alternatives to cookies either, but this current situation isn't acceptable.

    What I'd like to see is some "cookie" icon in the statusbar of your browser that's shown whenever the site you're communicating with is using cookies, and clicking on that "cookie" would give the full cookie details.

    I also think that all new browsers should have cookie filtering built in. I don't mind accepting any cookie from Slashdot.org, but I don't want to accept a single cookie from doubleclick. I'd also like to see some content based filtering available. This would allow me to refuse cookies that try to do dumb things like store my password in the cookie.

    In the mean time, I'll keep plugging Cookie Pal [kburra.com] for Windows users. It does a great job of filtering and handling cookies, and is very unintrusive and small. I'm a satisfied user, but don't have anything to do with the company other than that.

  • by Anonymous Coward on Friday December 03, 1999 @05:31AM (#1483354)
    I am not an Anonymous Coward.

    I am Bob Washburne rcwash@concentric.net

    I am a registered slashdot reader. But Slashdot refuses to accept my password even though I am looking at it on the screen.

    I do not accept cookies. They can be harvested by any number of means (just check BugTraq) unless you devote your life to securing your box and don't make any mistakes. Ever. I have other things to spend my life on, so I take reasonable precautions and then refuse all cookies.

    Cookies are not necessary. I fill in my Nickname and Passwd on the first screen and it is brought along through the Preview and subsequent screens. This is done without a cookie, so why any cookie at all?

    I would be quite willing to enter my passwd each time I make a submission rather than leaving personal information lying around for a rogue marketing-bot to harvest.

    That is the whole purpose of a password; to authenticate the action. Storing a password defeats the entire purpose. So why have a password at all if anyone can just walk up to your box and post without it?

    I would even rather be mistaken for an Anonymous Coward than subscribe to the urban legend that cookies are safe. Anyone who thinks cookies are harmless obviously doesn't know much about them.

  • I could just start and speculate for hours as to how his credit card number was stolen. Maybe somebody sniffed a packet and read the card. unlikely but technically possible. Maybe the random card generator. Maybe it's not an online problem at all. But there is one thing I am pretty sure of, regardless of how flawed the cookie system might be, whoever got his credit card number in all likelyhood did not get it through a cookie!!

    What's being stored in cookies? Well, a session id. Or a user name. Or maybe even some personal info or preferences. But I have never ever seen any site storing the credit card number in a cookie! And I shop online an awful lot.

    If the credit card number was in fact lost online, and you must blame it on someone, blame it on the stupidity of this particular user. You don't send that info online in a non-encrypted format and as a general practice you probably should not shop online at a store you don't trust (for a variety of reasons, privacy and security being only some of those reasons.
  • I love Junkbusters, it lets you specify only the domains that you trust with your cookies, and filters out the rest. If you don't like the idea of arbitrary web sites tracking your every move (the eyes, the eyes), don't like all the 'accept this cookie' windows that pop up when you have the confirm option on in Netscape, and still want /. to auto-log you in, you should check it out.

    Also, it lets me tell everyone that the web-browser I'm using is 'Flipper the web-surfing goat (C64 edition)' ;-)

    God, that sounded to much like an advert, btw you can it from here [junkbusters.com].
  • I protect my privacy by linking my Netscape
    cookies files to /dev/null (the infamous bit-
    bucket). Netscape never knows the difference!
    Works great!

    I also refrain from shopping at grocery stores
    which encourage membership cards. I hate people
    keeping files on me.
  • How tragic that the CEO of Novell has been assaulted by a plush puppet. I'm glad to hear that he came away with nothing worse than a stolen CC#. Cookie monster can be pretty viscious when he's mad.

    The big question in my mind -- Sure, Novell's new software may protect you from Cookie Monster, but can it protect you from other muppet menaces like the powerful Big Bird or Bert (who everyone knows is Evil)? The article doesn't say, and I'd have to assume not.

    Which is of course where my software comes in. Sesame Shield is released under the GPL and is easily configurable to run as a daemon that will block all Sesame Street characters, and soon Muppet Show characters as well. Don't rely on closed-source programs to protect you!
  • I dunno, this [theonion.com] is pretty funny. =)

    Powers&8^]

  • Sounds like a great idea. I assume you intend a company to market these cards? Would they be free, or would you have to pay an annual fee?

    One potential drawback I see is theft of the actual card. That's a problem with anything you carry in your wallet, of course, but the problem is still there.

    Of course, then there's the fact that I don't want to have to go fetch my wallet when I trudge out to the computer in my PJs every morning. =)

    Powers&8^]

  • As far as I can think of, using this cookie, the ad provider company will know which page I viewed their ad, can they get more info out of this?


    Well, they can then match up this cookie with other cookies from them that you have, giving them a pretty good history of your web travels. And they may even eventually grab your personal information from a survey, contest, or other source and match that up to your web travels in a nice database. Who knows what other companies this ad provider might buy/merge with in the future and what the info in this database will be used for?

  • Assuming that SSL was in use, and the site he was at implemented some kind of expiration on the session ID stored in the cookie, the only way this hack could have occurred is if someone had actually cracked his computer to obtain his cookies file.

    Now, WHY, pray tell, would someone who broke into the CEO of Novell's computer take JUST a credit card number? I'm sure there were FAR more interesting things lying around than a cookie file. Especially if it was a Windows PC - then there's all sorts of neat things like (crackable) password lists, etc., which could probably get you into some pretty interesting places at Novell. But no, none of this was stolen.

    Hence, my bullshit meter has gone off the chart.
  • by account_deleted ( 4530225 ) on Friday December 03, 1999 @05:43AM (#1483366)
    Comment removed based on user account deletion
  • I like NDS, especially for managing the hordes of end-users across a zillion servers.

    But when is Novell going to finally get around to releasing a GPL-ish version of NDS that can be incorporated into Linux or other platforms in a stand-alone fashion? As long as I'm stuck running @#$%^& "Netware" OS for NDS and NDS management, it's pretty much worthless.

    And I'm talking about a full-blown NDS v8 compliant version, not that ancient 4.10 thing that Caldera sells. Yes, I know that the sell NDS for Solaris and NT, but they want a small fortune for it AND it still requires Netware running someplace to host the replicas.

  • (or as they say in these parts al-u-min-ee-um)

    i should be putting it in my walls, on my windows, heck i should be be wearing it. what, me paranoid?

    seriously, if a cookie cost somebody their credit card number, the responsibility is on the web site, not on cookies. it was just a bit to promote there digitalme stuff, but in a high-tech world and as a head of a high-tech company, you shouldn't be making yourself look like an idiot. it might have sounded cool to some marketers, but it didn't come out that way.
  • ...and upon further research, we find out that ssh really stands for Sesame Street Hell.

    Folks, don't run sshd -- it's WAY too dangerous to be r00t3d by B1g b1rD, and he and his l33t friends will probably raid ~/.netscape/cookies.

    (and let's not talk about Barney's Gateway Protocol...)
  • ...Don't store stuff on your hard drive.

    The ideal form any secure transaction takes, whether it's cash or information changing hands, is one where none of the participants really knows any more than absolutely necessary about the other parties involved.

    There are a lot of variations of this sort of scheme, usually including some sort of trusted third party or PKI (public key infrastructure,) as well as any non-vulnerable local authentication storage medium. Smart cards come to mind.

    One really cool scheme I've seen involved having user info stored in a strongly encrypted form on a web page, where the user used a key exchange between his authentication info on a local chip card and a TPT to access his info automatically. Great idea, since the TPT doesn't know anything about the user's content, but just provides their half of the security info, nobody can go mucking around with it while it's inert, and the user isn't storing anything locally or in a publicly accessible format. Maybe an alternative to cookies, since the sort of infos they are used for is pretty small, and thus almost instantly retriavable via the net...

    Cookies are a pretty dumb way of doing things in any case.

  • If there are, they'll be dead meat following the first lawsuit which tags them. Even in the initial Netscape spec, they specifically caution against using cookies to do anything much more than identifying a computer to a server, the same way /. knows "who I am" by reading an ID off of the hard drive where I am viewing the pages.

    In relation to using personal information on the net (including my e-mail address, you may notice that I did not "anti-spam" my e-mail address here on /. However, I only use that e-mail address in conjunction with a few sites, limiting the number of points from which my personal information can be derived to those sites with privacy policies that are up to spec, saving my regular e-mail address only being given to a much more private and personalized list of people that I am willing to receive information from. That way if there is a security problem, I know where it originated by my email address. Similarly, when I write software that uses cookies, I don't put any personal information in it. All of that type of information can and should only be kept in a back end database, well shielded from crackers, etc. For example, on one e-commerce site I designed, the cookie "knew" who you were, but in order to place a credit card order, you had to validate certain information within an encrypted page, even though the user had already "registered" their information (including the c.c. #) into the database via the web. We also included a fraud detection program designed to stop the c.c. # generators from ever being able to spoof an order. And folks, it just wasn't that hard to do!!

    I agree with previous posters. The Novell CEO was trying to sell proprietary software, and claiming to have been attacked by the "poison cookie" monster in order to do so.

  • In all fairness, it's actually a fairly cool idea. It was designed from the ground up to give end-users control over their own electronic identities, and control who can see and retreive what information. And it's designed with multiple profiles for each user in mind. All the information is encrypted and stored in NDS on Netware, Solaris, NT or Linux (current platforms). The idea is that user info would be stored in a lock-box that you have to give someone permission to retreive. The NDS admin can't see the content, assuming there aren't any encryption problems. I agree that the article is a little goofy, and it's a stretch for him to make the cookie claim, but it doesn't detract from the overall idea, which I suspect a lot of companies aren't going to like because it puts the customer in control.
  • by Effugas ( 2378 ) on Friday December 03, 1999 @05:49AM (#1483374) Homepage
    A user rings

    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"


    I'm feeling very uncomfortable here. I mean...I've grown up worshipping the BOFH [iinet.net.au]...and now...what doth my eyes detect, but...

    A Bastard Chief Executive Operator From Hell?

    You know, some strange part of me wants to see this as a complement.

    The odds that Mr. Schmidt purchased something from such a fly by night operation that the credit card number was embedded in the cookie so low, that it stretches the imagination beyond repair to consider the idea that that same operation would ever have the technical desire or even knowledge to use Novell's new DigitalMe software!

    Of course, he could have just been tricked by a *real* BOFH... "GEEK! HOW DID MY CREDIT CARD NUMBER GET TAKEN!" "Mmmm. Cookie." "I knew those things were trouble!" "Mmm. Oreo. Chips Ahoy. Yum."

    Seriously, there's a gigantic amount of irony embedded in Novell proposing that their DigitalMe system would improve consumer privacy. Consider: Most sites that require state don't require your identity, pretty much because it takes time to get somebody to reveal who they are, and attention spans are small. Look how much traffic The New York Times loses from people too lazy to even lie on a form--MTV may have done more for consumer privacy than any other company in history.

    Novell's DigitalMe changes that. Assuming the infrastructure is such that any site that wants to do trustable-state transactions(which is really what Schmidt and Novell is trying to sell) actually has enough DigitalMe access to not have to worry about Yet Another Single Point of Failure, DigitalMe lets the user disclose every piece of information the user could possibly expose in the click of a "OK, tell 'em whatever they want to know."

    Heh, Novell--Suddenly everyone's finding out a hell of alot more about you!

    And the worst part? Unlike that paltry $50 liability had, you'll never know what people are doing with your personal information. I find it interesting that in a place that espouses freedom and individuality so much, people don't own their identities.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • If secure data is being store in the cookie, why not encrypt it. The server can have the keys to encrypt and decrypt the contents of the cookie. Then if somebody gets your cookie file they still have to crack the encryption of the cookie itself.

    The only potential issue I can see with this is the possibility that the limited size of the cookies may make decent grade encryption too big. I'm not certain though.

    Personally I like the use of cookies as a session token for server-side session management. The only thing stored on the client is a one-use session ID which expires. Thus, even if somebody could get your cookie file, they'd have to take the session ID and use it within say 15 minutes, otherwise it would be totally useless. To further prevent fraud, you can link the session ID with the IP address, which eliminates all but the most complex hijackings that I can think of.

    ---

  • I use a program called At Guard to deal with cookies. It does not just block those I do not want, but also allows me (upon visiting a site for the first time) to accept cookies from sites I wish to use them on (i.e. Slashdot.org). The program also has some nice firewall and add blocking features.
    http://www.atguard.com/
  • by account_deleted ( 4530225 ) on Friday December 03, 1999 @05:57AM (#1483379)
    Comment removed based on user account deletion
  • You pointed out the "Oops" if you bookmark a session. Doesn't matter if they do. The sessions (at least from a java perspective) time out - so the session logic should send back and "invalid session" response page. That's one reason why you should not bookmark the page. peace. JOe...
  • Sure, you could rant and rave about how bad cookies suck - but what would you do without shopping carts, user preferences, and *GASP* slashboxes?

    Actually cookies DONT'T suck at all... the implementation by braindead web-developers sucks... I mean think about it...

    why have a cookie with all that info, just return a GID-style string that is unique for you and keep all the state info on your own goddamn server, just asking the end user for his/her/its ID?? no more problems.
  • by Dicky ( 1327 ) <slash3@vmlinuz.org> on Friday December 03, 1999 @06:08AM (#1483390) Homepage
    This, unfortunately, is one of the larger and more worrying misuses of cookies. There are actually a relatively small number of companies online who 'do' banner ads. The large sites (C|net, /., Yahoo, etc.) do their own banners, and smaller sites usually don't have banners, but most medium-sized sites use one of the small number of banner ad agencies.

    The problem is that the agency can track you across multiple sites. If you visit www.site1.com, you can only get a cookie which will be sent back to that server, right? WRONG. While you were at www.site1.com, you viewed a banner from ad.doubleclick.net (for example). The problem is that when you visit www.site2.com, which should not be able to 'see' the cookie from www.site1.com, you took another banner from ad.doubleclick.net. This means that Doubleclick can track you between sites, which is a bad thing. I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

    I have no problem at all with certain sites using cookies. I am currently (since earlier on this week) using Junkbuster [junkbuster.com], and I have it set to allow cookies from Slashdot, LinuxToday, Amazon, and a couple of stock sites. If anyone else wants to send me a cookie, they can ask me and I'll decide on each individual case. At least I have the choice.

  • by abram_fettig ( 88038 ) on Friday December 03, 1999 @06:12AM (#1483393) Homepage
    This kind of blatant FUD seems like sour grapes to me:
    "Maybe my company hasn't proven itself to be a major force in the internet, but that's only because we didnt want to be anyway! The internet runs on BAD TECHNOLOGY! Sure, e-commerce has exploded in the past two years, but everyone buying things on line is a FOOL! How childish of all of you for thinking that you could implement key internet standards without Novell! All you web developers should have been patient enough to wait for us!"

    "That's OK though, we forgive you. And what's more, we have lovingly designed a system that will eliminate those pesky security headaches forever. Just sign up for our new INSTA-SECURE service and we'll take care of all your problems! For just a small monthly fee, we'll store all your customer's secure data on OUR server! To sign up, visit our secure site NOW! Just make sure that you enable cookies first..."

    Perhaps you think I'm kidding with that last "enable cookies" comment. But I'm not! The following was cut-and-pasted from the shop.novell.com [novell.com] website just moments ago:
    Warning
    It has been determined that you have disabled cookies in your browser. ShopNovell requires cookies be enabled before you continue. For more information on this subject, please see Store Policies at shop.novell.com/shopnovell/help.html
  • ...I look up today's excuse...

    Offtopic slightly, I know, but here's the shamless plug, and pointer, to the BOFH Excuse server [wisc.edu].

    Cheers.

  • I protect my privacy by linking my Netscape cookies files to /dev/null (the infamous bit- bucket).
    Netscape never knows the difference!


    Well, I had never thought of doing that (being a relative newbie to Linux at home and having the powers to explore UNIX as a system), and yes, it certainly does seem to be a wonderful solution, with the small exception that here at least, each new pages requires me to log in again. A small price to pay I guess! Thanks for the suggestion.
  • Besides this, most any company that I would do online business with has the integrity & knowledge to NOT store credit card information in my cookie. Very few do so.

    I agree, I've never seen any cookies storing cc numbers. I've seen userids, email addresses, zip codes, all sorts of stuff, but never cc numbers.

    If any website is storying cc numbers, or anything else which is sensitive, we should publicly scold them until they do. Anyone got URL's to check out?

  • by gorilla ( 36491 ) on Friday December 03, 1999 @06:17AM (#1483397)
    I personally prefer having my cookies unencrypted. I go in every so often and clean out the ones I don't want. If they were encrypted, then I couldn't do this.
  • As a web developer who does this kind of stuff, I can tell you that 99% of places only use cookies for that reason - keeping state.

    Quite frankly, this is the only way to keep state after you close you browser. Rob is right - if you like personalization, etc. then you better like cookies.

    more your ~/.netscape/cookies file and see what is in there. Mine is over 20K and all it is is user id serial numbers.

    The other thing to note with cookies is that many places use temporary cookies - stored in RAM only and never stored on your hard drive. They terminate when your close your browser.
  • Sounds like a great idea. I assume you intend a company to market these cards? Would they be free, or would you have to pay an annual fee?

    The business logic of the poor adoption of smart cards has been that they're currently too expensive. Nobody will pay $5 just for a card, especially if there are a number of different entities that each expect you to get your own card. As an example, they have "SpeedPass" at my local gas station. It's a smart card that's in a keychain, you wave it at the pump instead of having to get out a credit card. This is a free service. I don't think anybody would pay for the card. Because then they would be worry about if they lost the card, or it got worn out, or whatever. When it's free they can always get a new one.

    So, smart cards won't be truly adopted until they're "relatively" free (maybe a cost of $1 or something could be eaten by other fees). As for who sponsors/provides them, the question turns to one of identification. Traditionally you rely on a government agency to provide your identification (passport, driver's license, birth certificate...) so it's logical to extend that into this arena. But again, people will go bananas if you start talking about the government being involved in such a thing when it relates to the web.

    Who knows. Maybe some enterprising company will figure out a way to market the cards as essentially free, but then sell the readers. The trick there would be in fostering the adoption of the card/standard. You'd need to get all kinds of retailers on board that use your card, so that people would get use out of it. This has been tried numerous times with a variety of "electronic cash" methods, but none have really caught on that I know of.

  • Cold Fusion (by allaire) lets you designate the life of a cookie. so it will either expire after a predetermined time, or as soon as your browser closes.
  • When I started writing my own HTTP server I decided to try a new way of keeping sessions without using cookies. URL's looked like this:

    http://www.wherever.com/ss.asdf98cs/some/path/fi le.html

    I tested it for months. Pros:

    - No cookies at all.
    - Very reliable. Session state is retained without problems.
    - Works even in Lynx.

    Cons:

    - Search engines record the URL with the session ID. Although the session ID is invalid after only a short time, it's quite ugly.
    - When people would try to tell each other what URL to visit, they would try to pronounce the session ID.
    - Absolute links always cause the browser to ignore the ID. Solution: dynamic HTML or no absolute links.
    - The browser reveals the session ID to other sites when the user follows a link there. The ID is even recorded in the referrer log.
    - Browser redirects are required. However, cookie solutions often face the same problem.

    Eventually, I decided that cookies were a better solution for our purposes and switched over.

    One thing that people need to understand, however, is that there are cookies that never make it to the user's hard drive. It puzzles me that browser makers put all cookies in the same category. The Best Way, at this time, to keep session state is to send a cookie to the user's browser that is never stored anywhere but in memory.
  • Novell announced [techweb.com] an NDS product at Comdex called eDirectory that is OS independent and will run on Linux. And it sells for $2/user.
  • www.kburra.com [kburra.com] has a Win95/WinNT shareware utility called Cookie Pal which will let you police and control cookies on a site-by-site basis.


    ...phil
  • The history file can be cleared, and I think it can be turned off, I'm not sure if it can be or how to do it. Just clear history when you close yourbrowser, I know for sure IE4 for windows lets you, I think it will even do that automatically if you want.
  • Comment removed based on user account deletion
  • Speaking as someone who doesn't know much about NDS, is there anything that NDS does that LDAP doesn't?

    Given the choice between something propriatary & something open, I know which way I'd lean.

  • The reason this shit has failed in the past, and will fail in the future is two-fold.

    This logic implies that "Those who do not study history are doomed to repeat it" is incorrect. That industry does not learn from its mistakes. This might be true, I don't know. I don't think it is. You're welcome to. There's no real way to tell if it's an absolute truth, now is there?

    First, every company will get into an endless Beta-VHS standards war seeking to control the standard and therefore the royalties.

    And by this logic, we would never have settled on the magnetic stripe card, would we? Somewhere along the line competing plcaes like Visa and Mastercard got together enough to agree on the format. Why is it so unbelievable a stretch that this couldn't happen with smart cards, which are often compared very closely to magnetic stripe cards? There's a darwinistic element to the introduction of a standard, no question about it. And we all know that it's not usually the technically superior standard that wins. But a standard does usually emerge. It's not an endless battle.

    Second, this type of "universal profile" turns people off.

    Define "people" in this case. You forget that most people out there are not freedom fighters. They are consumers. More than that, they are lazy, cheap consumers. It's cost-benefit analysis. What am I giving up by having the card? What benefit does the card give me? If people perceive that the card makes life easier, they are likely to use it. If you don't wnat to use it, fine. I know people that don't use ATM cards for many of the reasons you list. Fine. But that hasn't stopped them from becoming very popular.

    d

  • First, you don't have to throw 10^16 numbers at a CC checker to get a valid one. Look at the first 4 digits, use them. Then make up digits for the rest such that all the digits match the checksum. The checksum is supposed to catch typos and transpositions and such, but it is pretty lame...


    #include<stdlib.h>

    intluhn_ok(
    char*inp
    ){
    return((luhn(inp)%10) ==0);
    }

    intluhn(
    char*inp
    ){
    staticint x[2][10]= {0,1,2,3,4,5,6,7,8,9,0,2,4,6,8,1,3,5,7,9};
    char* p;
    int s =0;
    int sum =0;
    char c;

    if((inp==NULL)|| (*inp=='\0'))return -1;/*biteme, doughboy!*/
    for(p=inp;*p !='\0';++p){}
    do{
    c=*--p;
    if((c<'0')|| (c>'9'))continue;
    sum+=x[s][c-'0'];
    s^=1;
    }while(p!=inp);
    returnsum;
    }

  • more your ~/.netscape/cookies file and see what is in there.

    Hmmmm. Let's see. Three cookies for the NYTimes site. One for Slashdot. One for Gist (an online TV guide)

    That's it.

    If all developers ever cared about were state, then cookies that do not persist when the browser was closed or ones with short termination dates would be necessary. Why can't I be the one to determine how long cookies are kept? As it is, I decline cookies unless *I* have a reason to keep it. Any sight that presents me with too many cookies dialogs does not get revisited.
  • you should see a doctor to get treatment for your paranoia.

    "I remove all cookies during boot up each time and I NEVER KEEP sensitive personal info on my PC."

    If I were you I would unplug the computer, lock the door and be afraid for the rest of my life. Not taking part in society is excellent defense against Big Brother. But seriously, what's the big deal with cookies? Only the site that created them can access them and they might as well store it serverside if there really is something worth storing. Cookies are mostly for your convenience so with deleting them you only give yourself extra trouble.

    Moving privacy sensitive data to a central place gives you more privacy because you know who leaked information when something goes wrong. In my view your privacy sensitive data should be legally protected (i.e. you can sue when somebody illegally accessess it).

    "Because some of us prefer that BIG BROTHER does not know everything we do and when and at what time...."

    I suppose you're not that paranoid that you don't store your money in a bank. I.e. anytime you make a payment with your creditcard (online/offline) that information is registered anyway.

    "Any other behavior is just proof of evolution in action...the stupid shall be fleeced :)"

    *sarcasm* Ok we an über mensch posting here.*/sarcasm* Just because you learned to operate a computer doesn't make you any smarter. In fact the smart let geeks like you do the monotonous work of operating a computer since they have better things to do.
  • MSIE lets you assign sites to "trusted" and "restricted" zones, which is better than Netscape, but a per-URL scheme would be much nicer. Probably too late to get it into the first release of Mozilla, though it'd be a nice add-on project.

    Incidentally, I've found lynx's cookie handling fairly good; you at least have the site granularity, which is nice.
  • even browser type (although Konqueror allows you to change that).

    Umm.. heh. Can someone please explain to me what you gain out of changing this information? I can't see any possible gain, but there are tons of drawbacks. Specifically, web pages that dynamically generate content based on the browser string will be generating content that either doesn't work in your browser, or is meant for sub-standard browsers (hence you'll be missing out on features or content that might necessarily be limited to more capable browsers).

    So what's the rush to change this text?
  • Thus, pass 10^16 numbers to one of the sites,

    Not even that many. 10^14, tops. The first digit identifies the type of card (Visa, Amex, MC, etc) and the last digit is a checkdigit. (I used to know the formula for the checkdigit, since I coded software to check it, but that was years ago).

    And I believe the next few digits after the first identify the issuing bank, so one could probably make educated guesses about that.

    Not that there aren't a zillion other ways to just go ahead and steal real CC numbers, if one is so inclined.
  • by Fastolfe ( 1470 ) on Friday December 03, 1999 @07:29AM (#1483444)
    There is really no legitimate reason to have cookies in the first place

    Are you just totally ignoring what everyone's been saying? Cookies are quite necessary to preserve state information between web site requests and visits.

    I personally love the fact that I can re-visit outpost.com and not have to enter my address in every time I want to order something. I like being able to pick out a book or two from Amazon, set them aside, and come back in a week to complete the order. It's all about convenience, and I'm sorry, but outpost.com doesn't spam me, so I don't really see where you get off labelling all cookie users as evil conspirators that want to spam you.

    There are quite legitimate uses, and the only real way I can see them being abused has been discussed on Slashdot ad nauseum in that they could possibly be exploited to track your movements between cooperating sites. The only marketing-related way they're being used today is to try and "target" those banner ads that you see to your tastes. The banner ads are still there, mind you, but now they're advertising stuff you're interested in.
  • Wouldn't this be nice?

    No, not really.

    My company has a large number of business units, each with their own web site, and we've worked to setup a shared profile system so that, once you've told us something once, you don't have to tell us again. Wouldn't it be good if this extended to multiple businesses?

    No.

    Don't you think it's a pain in the ass to have to continually identify yourself and set up preferences on every site you want?

    Yes. I don't want to identify myself to every website that I visit. Frankly, moist sites I visit once and never return. Neither do I want prefeences set at every website that I visit. Most sites aren't as configurable as /.

    My point is that, with a self contained smart card, you can have a level of control over the information that you provide. It's the card that has the brains.

    My point is that I have the brains. I don't want a smart card giving out any information on me. I don't need the card. If I want to lie to a site and tell them that I am a 75 year old lesbian mother of three, I will do so. I don't need your smart card and I don't want it.
  • Replace the COOKIES.DAT file in Netscape or Opera with a COOKIES.DAT directory.

    Tell your browser to accept all cookies. Did this several months ago with no problems.

    There's probably an equivalent for MSIE, but since I don't use it, I don't know what it is.
    y2k info - http://www.ecis.com/~alizard/y2k.html

  • No. Its not a great idea. In return for me giving information to anybody, I expect to get something in return. I also expect that there should be some reason I should have to give info to get what I get in return. I don't want to give everybody my information, and if I have the choice of whether I give or not, I don't want it to be an all or nothing proposition.

    I usually browse the web with cookies turned off and only turn them on when I need to to look at a site, or if doing so would really make my life easier. I usually delete most of my cookies daily, except for a few sites which I use often and having cookies will save some state which I want saved.

    I often sign up for something on the web using false information. Why should I let my free email service know anything about me other than my real name so they can tell people who I send mail to, who it is from? Maybe they want to know my income and marital status, but they won't get it just because they can target ads at me better. If I buy something, they get my address and credit card, but no more. Certainly not my real phone number.

    I can't believe anybody would use a system where they say "here, take my info and share it. Shaft me for all I worth, please!!!"
  • You may have the brains, but I'm not sure where you apply them. You took from my post that I was somehow not attempting to solve the problem, but instead trying only to get all the information into one place where it would still be fully accessible. I never said "identify yourself to every website you visit" or "set preferences at every website". As a matter of fact, for your "most sites I visit once" argument I specifically said that you could/would set up an "anonymous" mode where the card was completely off.

    Read what I wrote again, and you'll see that you still get to use your brain. All the card does it regulate and structure the flow of information. You still get to set up the whole "trust" mechanism. If you trust no one, and it sounds like you don't, then don't use the thing. But you must not be a customer many places, though, because I would think that you'd be willing to identify yourself to a web site in order to get a look at your stock portfolio, or the status of your new order of blowup dolls.

    As for pretending to be a 75yr old lesbian, your personal life is your business. Sounds to me like wearing a different disguise to the supermarket every week so that nobody recognizes you as a regular shopper, though. Kinda pointless. But if that's where you want to spend your time and energy, more power to ya. I'm just trying to spend mine coming up with ways that might actually benefit both people and industry. It can happen, ya know.

  • The article sure looked like a shameless plug to me. And sure, many people have posted comments to the effect that users have gotta store their preferences somewhere, BUT:

    I've seen poor implementation of cookies lead to server B looking at cookies that had been set and should only have been readable from server A. I've gotten spam because of it. Blame the Webmasters? Sure, but I'll stick to blaming the browsers. They ought to have more fine-grained control over cookies. Why, even IE4 (*suppresses gag reflex*), on which I am typing this post, only offers "cookies on" or "cookies off." What about "prohibit cookies from server foo.bar.com" or "foo.bar.com can only read foo.bar.com's cookies?" Then, the users who still wanted loads of customizable preferences could leave everything on and not worry about it, while people like me could turn on just enough cookies to keep our favorite tech support sites from barfing in a cookie-less environment.

    Hope some browser writer is listening somewhere (or better, a knowledgeable user of an existing browser I don't know about).

    Bye all....
    --unDees

  • "Has anyone who uses the above argument ever gone dumpster diving for CC numbers?"

    Yup.

    "f Sears throws all their receipts through a shredder, are you really going to be able to sift through that mess and find one good number?"

    Having worked at a mall before, I can assure you that most places (not all) do very little in the interest of CC security. None (that I saw) even owned a shredder, much less used one.

    As an example, the place where I worked threw the carbons out with the trash. The trash went into the dumpster. Within the span of ten minutes, I promise I could dig up 50+ CC numbers out of one bag of trash. (if I could stand the smell :-)

    And it's worse during the holidays. :-p


    Jedi Hacker (Apprentice) and Code Poet
  • I also saw something (this morning, I think, but I can't remember where) saying that companies are sending HTML mail which downloads an image which sets a cookie. The agency then has your e-mail address associated with a cookie, giving them (potentially at least) a lot more information about you. Not a problem for me, of course, since I use Pine for mail :-)

    The essay on HTML enabled e-mail and cookies is at:
    http://www.tiac.net/users/smiths/p rivacy/cookleak.htm
  • I just dont get it.
    if they want state, why use a stateless protocol like http?

    why not iiop (that is stateful, no?)?
    Why not a protocol like ftp or ssh (if you're a security nut) which is stateful?

    Hack over hack over hack.. the statelessness of HTTP was a performance hack... the cookies are a statefulness hack... junkbuster is a stateless stateful statelessness hack...
  • Just create a session ID and pass it in the the URL. Also, associate an IP address with the session ID.

    To avoid problems with bookmarking, expire them after an hour.

    I do this on a bunch of different sites, and it works great, with no cookies. -Loopy

  • The thing to remember with cookies is that the information comes from the server.
    The thing to remember about cookies is that the server giving you the cookie may come belong to scumbag banner companies like DoubleClick that wants to track your browsing. You movements between sites that serve ads from the same scumbag banner provider can be tracked quite easily.
    Cookies are only a problem for the ultra-paranoid.
    Bullshit. If you want to know the nefarious possibilities, see this chapter [photo.net] from Philip and Alex's Guide to Web Publishing. [photo.net]. Scroll down to the heading "I want to know the age, sex, and zip code of every person who visited my site so that I can prepare a brochure for advertisers."

    If not wanting my browsing habits tracked this way makes me "ultra-paranoid", sign me up.

  • I don't want to give everybody my information... I usually browse the web with cookies turned off...

    When are people going to get it through their heads that cookies can only return information the server sends to you? The only way cookies are going to "give" your information to a site is if you already told the site your information in the first place.

    Why should I let my free email service know anything about me other than my real name...?

    Maybe so they can pay for the free email service? Didn't anyone ever tell you There Ain't No Such Thing As A Free Lunch?
  • The thing to remember about cookies is that the server giving you the cookie may come belong to scumbag banner companies like DoubleClick that wants to track your browsing.

    Question: Would you pay to visit all of the websites you visit? And I do mean all of them, from Slashdot to cNet to Yahoo to some two-bit page on GeoCities?

    The reason I ask is that banner advertising is what pays for an awful lot of the web today. Unless the page is promoting a company's product (making the whole page one big ad) or supporting a company's product (you already paid for the page), banner advertising is the only alternative to charging for access.

    If banner ads go away, then you will lose all of your free web pages. Web content providers will instead start charging for access. That will require you to -- guess what -- identify yourself to facilitate payment. And that identification process will be far more in-depth, involved, and intrusive then any banner ad from Doubleclick.

    I am not saying this makes what Doubleclick does right or wrong. I am just wondering if you have considered the consequences of your actions, or if you are simply hoping for a free lunch, like so many people seem to do.

    Be careful what you wish for. You might just get it.
  • I do not accept cookies. They can be harvested by any number of means... I would be quite willing to enter my passwd each time I make a submission...

    Interesting to note that the techniques for skimming cookies off net traffic can also skim that same password and user ID.

    What's that, you say? Encrypt the password? Well, sure... but why not just encrypt the cookie instead?

    Anyone who says "cookies are not needed" has obviously never done any programming. Without persistent, state information, computer programming is just about useless. Oh, sure, you can do one-way content delivery that way, but I, for one, want the web to be something a bit more interactive then a glorified TV broadcast.

    I really get a kick out of the fact that you don't want people tracking you, but you post your email address in a public forum. Yah.

    There are issues with cookies that make them less then perfect (to put it mildly), but treating them with extreme paranoia and fear is rather an over-reaction.
  • if they want state, why use a stateless protocol like http? why not iiop (that is stateful, no?)?

    Of course! Why didn't I think of that? I'll just surf on over to Amazon.com using my IIOP-based web browser and...

    Oh.
  • Okay, so cookies are flawed. They're insecure and undiscriminating. But that isn't really the problem here. Online stores, plain and simple, should NOT store your CC info there. Why would they? The rest of your data (full name, address, etc.) is stored on their servers. All they should need is some randomly generated, IP address-tagged session id or customer id. Nevertheless, I am willing to accept the guy's assertion that there is some website that stored his CC num in a world-readable format.

    If I ran a conventional store, and you bought something with a credit card, I could xerox 200 pieces of paper with the number on it and post them on telephone poles. This does NOT mean we need to blame telephone poles! Credit cards, not cookies, are the dangerously flawed technology we need to cope with here. You have a 20- or so digit number, which anyone can use to spend your money any number of times, for anything and for any amount of money, without your approval? Suddenly, cookies sound rather benign in comparison.
  • That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

  • You have to remember that a lot of these web sites out there need to track their users surfing habits. It's called Demographics and Marketing.
    They can very easily track my surfing at their site without cookies, and they absolutely don't have to track my surfing habits between sites. If they want demographic information, they can bloody well do it the old-fashioned way by surveying their customers. A damn site better than spying on them, no?
    It's not like tracking customers was new with the internet. Radio Shack directly asks you for your information at the checkout counter.
    But the guy at Radio Shask is not following me around the mall to see what other stores I visit. And I know when they try to collect my info and can tell them "No." C'mon folks, there's no reason the guy at Rat Shack needs my phone number to sell me a headphone cable, or the lady at Home Depot needs my zip code when I buy some plywood. All they need to know is that the cash in my hand is legal tender. I've never had a problem in declining to answer their questions.
    If people are really scared about cookies then simply turn them off and use sites that don't require cookies.
    Better yet, use Junkbuster [junkbuster.com] to accept cookies only from sites you choose. And you remove annoying banner ads too - whadda deal.
  • That's the point. Why are we using the web for commerce? It was never meant for state-dependent operations.

    Because it is there. It exists. It can be used.

    CORBA is nice, fun, elegant, cool, whatever, but you cannot use it because it isn't available to the target market.

    An inferior solution that works will always win over a superior solution that does not exist.

    (It is also worth pointing out that a lot of things are used for purposes they were never intended. Thus do we evolve.)
  • The reason I ask is that banner advertising is what pays for an awful lot of the web today... banner advertising is the only alternative to charging for access.
    I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective. Clickthru rates are dropping, and ad blocking programs are becoming more popular (go Junkbuster [junkbuster.com]!).

    Fortunately, there are other possible sources of website revenue - sponsored links, merchandizing (get those /. tee shirts), affiliate programs, and voluntary contributions (works for NPR and PBS stations) come to mind.

    If banner ads go away, then you will lose all of your free web pages.
    Supported by advertizing != free. Just on the basic level, if Coke runs a banner ad on a site, where do you think the money for their ad budget comes from? It's figured into the cost of every can of carbonated caffeinated sugar you buy from them. Then there's the cost of your time to download the ad. Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell.
    That will require you to -- guess what -- identify yourself to facilitate payment.
    Nope. Anonymous digital cash is a solved problem.
  • I am replying twice to one message, because two threads have sprung into existence. The other should be very close after this one (I cannot link them both to each other, unfortunately (chicken-and-egg problem)).

    Anonymous digital cash is a solved problem.

    I'm intrigued. Could you provide some more info on this? In particular, I generally see information technology leading to very easy tracking (to wit, the whole Doubleclick cookie issue). How does anonymous digital cash work?
  • I expect that banner ads will eventually die, as advertisers are discovering that they're pretty ineffective.

    Could be. Alternatively, consider highly targeted banner ads. I deliberately fill out a survey giving the advertiser demographics information, such that they can target their ads to
    the sorts of things I am interested in. My interest goes up, clickthroughs increase, sales benefit.

    Now, why would I fill out such a survey, you ask? Well, one the purposes of advertising is to inform potential customers of your product or service, whereas they may have been in the dark before. That is a useful thing, to me. If I am going to be bombarded with ads, at least they could be relevant ads.

    I have to wonder just how "ineffective" banner ads really are. I see 'em. I read some of them. I even click interesting ones from time to time. Sometimes I learn something, sometimes I close the window in disgust, occasional I bookmark a site for future investigation. This works better, for me, then ads on the side of a bus, where I cannot easily remember the company or investigate their product.

    there are other possible sources of website revenue

    Okay...

    sponsored links

    Sponsorship is just another way of saying "advertising", is it not? Sponsors will likely want an attractive, thing to get my attention, no? How is that different from a banner ad?

    merchandizing (get those /. tee shirts)

    I somehow doubt Slashdot could be funded on the income from T-shirt sales. :-)

    affiliate programs

    You mean like, "Link to our online store, and you get a kickback"? Frankly, I find those sorts of agreements more insidious then advertising. With ads, you see a product of possible interest and get the chance to evaluate it. The content provider gets their money regardless. With affiliate programs, I am locked into a choice. What if the affiliate provides lousy service? Do I use them anyway, and support my preferred content-provider? Or do I leave the C.P. out in the cold and use my preferred online store (or whatever)?

    voluntary contributions (works for NPR and PBS stations)

    Riiiight. Voluntary contributions are never enough. You think NPR and NPTV aren't funded through your tax dollars? There are too many things of possible interest to possibly get supported through donations. No, I don't buy it. Sorry. I want more then two channels worth of National Public Internet.

    Supported by advertizing != free

    Good point. Touche. However, supported by advertising is also not the same as paying cash.

    Harder to measure is the psychological cost of being engulfed the sea of advertizing that encourages the culture of consumption in which we dwell.

    Oh, please. I'm not going to crawl into a hole and isolate myself from the rest of the world just because I might fall in with a trend. :-)

    Anonymous digital cash is a solved problem.

    Very interesting. See my post at #215 [slashdot.org] for a seperate thread on this.
  • In my experience, JavaScript is an excellent way to pass some of the server-side processing on to the client, not to mention all the client-side tricks which can make your job much easier.

    I'd personally like to do mostly script-free sites, or at least offer script-free alternatives, but clients simply will not pay for that - it's their business to address the great majority of browsers, and that quite often means neglecting alternative browsers (or any other than the strict mainstream) and users who customize their browser config.

    In other words, it's a no-win situation for an architect to suggest - "you want to spend how much money addressing the needs of how few users?". You start losing proposals if you end up playing technology pedant like this, and unfortunately consulting is the game of winning, not losing, proposals.

    A lot of the cutting-edge UI stuff relies on javascript, but the core functionality shouldn't. IMHO, of course. But clients pay for as much eye-candy as they can afford, and because it tends to attract repeat visitors it is a strategy that works. I disapprove of it on personal and puritanical grounds, but it does pay the rent :).


    --
  • How does anonymous digital cash work?
    It's reasonably complicated; consult Applied Cryptography or the Cyphernomicon [oberlin.edu] for details. But the basic mechanism involves blinded digital signatures.

    I'll try to give a paper and envelopes version of a simple scheme; replace the envelopes with blinding (a reversable encryption operation on a message that allows a blinded message to be signed without the signer knowing its contents) and physical signatures with digital ones. IANA crytographer, so I invite correction on this.

    I want to send you an anonymous money order. I write up 100 of them, each of the form "This is money order [random large id string]; pay to bearer $42." and place each one in an envelope. I go to the bank with all 100. They choose 99 of them to open and see that they're all for $42. So they have a high degree of certainty that the one they didn't pick is also for $42. They sign the envelope with a special ink that stains through onto the money order, and take my $42 (plus a handling fee, no doubt). I take the envelope, open it, and send you the money order. You cash it for $42. The id string uniquely identifies each order and prevents double spending.

    More complicated algorithms allow the tracking of counterfiters while leaving legitimate transactions private, but they make my head hurt.

After the last of 16 mounting screws has been removed from an access cover, it will be discovered that the wrong access cover has been removed.

Working...