Company Bypasses Cookie-Deleting Consumers

[Wazoo]

Company Bypasses Cookie-Deleting Consumers

http://www.techweb.com/wire/ebiz/160400719

United Virtualities is offering online marketers and publishers technology that attempts to undermine the growing trend among consumers to delete cookies planted in their computers.

The New York company on Thursday unveiled what it calls PIE, or persistent identification element, a technology that's uploaded to a browser and restores deleted cookies. In addition, PIE, which can't be easily removed, can also act as a cookie backup, since it contains the same information.

........

United Virtualities's PIE helps combat this consumer behavior by leveraging a feature in Flash MX called local shared objects. Flash MX is a Macromedia Inc. application for developing multimedia Web content, user interfaces and Web applications. The technology runs on a Flash Player that the company says is deployed on 98 percent of Internet-capable computers.

When a consumer goes to a PIE-enabled website, the visitor's browser is tagged with a Flash object that contains a unique identification similar to the text found in a traditional cookie. In this way, PIE acts as a cookie backup, and can also restore the original cookie when the consumer revisits the site.

While consumers have learned to delete cookies, most are unaware of shared objects, and don't know how to disable them.

--------

For its part, Macromedia has posted on its website instructions for disabling shared objects uploaded to browsers

(Noting of course, that some double-speak is found there also ... for instance, the data stored via Flash is only used by the Flash player, not shared with the rest of the Internet <g>)

[Jeff G.]

That's discouraging news.

[Bumpkin]

It'll be interesting to see how long it takes for someone to create a Firefox plugin to kill this off. I guess the only other way to avoid this new critter is to not allow flash.

I wish there was a "don't allow anything" button in browsers, it'd be easier to instruct my mom (and other clueless users).

Anyone know of an online client list of these yo-yo's so I can just block them?

[rooster]

In a talk originally to have been presented alongside his colleague David Maynor, Errata Security CEO Robert Graham demonstrated for a standing-room-only crowd how he was able to use a tool called Hamster and Ferret to sniff the wireless airwaves for the URLs of Web 2.0 sites.

http://www.news.com/8301-10784_3-9755575-7.html

Since we all know Wazoo and the mods have a lot of spare time on their hands, I'll risk posting a link to an article about the Black Hat Conference in this thread. The subject of cookie related vulnerabilities appears to be as close as a SC dilettante can get to where it should appear.

[Farelf]

http://www.news.com/8301-10784_3-9755575-7.html

Since we all know Wazoo and the mods have a lot of spare time on their hands, I'll risk posting a link to an article about the Black Hat Conference in this thread. The subject of cookie related vulnerabilities appears to be as close as a SC dilettante can get to where it should appear.

Well, relevant to cookies, not the Flash objects which was the topic subject. Incidentally, the site you reference tries to set cookies (well, at least it asks) but something in there also seems to try to contact some pestware included in Unwanted Parasites. Passingly ironic.

[silentlarry]

Hands-down funniest quote in the TechWeb article

The black hat spin doctor:

Mookie Tanembaum, founder and chief executive of United Virtualities, says the company is trying to help consumers by preventing them from deleting cookies that help website operators deliver better services.

Oh yes please help me!

Help us all! .... wanker.

[rconner]

Hands-down funniest quote in the TechWeb article

The black hat spin doctor:

Oh yes please help me!

Help us all! .... wanker.

War = Peace

Lies = Truth

and now:

Spying = Helping

Orwell was right, he just had the date wrong.

-- rick

[Farelf]

... Spying = Helping

Orwell was right, he just had the date wrong.

(Zango is) "committed to creating a content economy built on a foundation of safe and ethical practices by protecting consumer privacy while offering a fulfilling and high-value content experience." (quoted in http://en.wikipedia.org/wiki/Zango - my browser (well, probably, my hosts file), most prudently, won't let me visit the actual Z site). Yes, Orwell was right about the doublethink but the foregoing is more closely aligned to Pohl and Kornbluth's Gravy Planet/The Space Merchants. Unfortunately, they got the date wrong too (23rd century).

Incidentally, anyone tempted to look at that site is advised to look at http://www.siteadvisor.com/sites/zango.com first.

[turetzsr]

Hands-down funniest quote in the TechWeb article

The black hat spin doctor:

Mookie Tanembaum, founder and chief executive of United Virtualities, says the company is trying to help consumers by preventing them from deleting cookies that help website operators deliver better services.

Oh yes please help me!

Help us all! .... wanker.

...Well, I can't say I totally agree with you. Admittedly, it would be less rude to explain the advantages of PIE and ask users if they wish to use it rather than to just do it but I don't see this as unambiguously "wanker"-esque.

[rooster]

Well, relevant to cookies, not the Flash objects which was the topic subject. Incidentally, the site you reference tries to set cookies (well, at least it asks) but something in there also seems to try to contact some pestware included in Unwanted Parasites. Passingly ironic.

Just about every news-type site I know tries to set cookies. My interest in that piece stems from some posts I made on a Windows XP NG 18+ months ago where my paranoia about cookies was depreciated.

The url you cited is just a Windows-centric crib sheet on using hosts files to interdict irritants like doubleclick et. al. Unless I'm mistaken, I wouldn't categorize the site as pestware. But you would know better than I would.

[Farelf]

...The url you cited is just a Windows-centric crib sheet on using hosts files to interdict irritants like doubleclick et. al. Unless I'm mistaken, I wouldn't categorize the site as pestware. ...

Ah, the list is more than that, it contains known infector sites for trojan downloaders and other malware.

Yes, the hosts file is a Window thing, in which service it overrides addresses in the DNS, preventing access to the listed sites by redirecting any Internet connection attempts back to the local machine (including both on-line redirects to websites on the list and any attempts by resident applications to connect to websites on the list). While trojans mutate rapidly, their vectors (the listed infector sites included) do so at a far more manageable pace, it is said. Not that the news.com site in your original post is "viral" AFAICT.

The list is Windows-centric in its hosts file format certainly but it is also useful as a reference beyond that.

You are right, the list includes/is mostly mere cookie-related irritants and disturbers of privacy and even "good" sites will offer/try to impose cookies which are intended for collection by some of the listed connections (mostly to do with "ad-aware" applications I think).

Cookies are a great tool for spyware/profiling and (conceivably, though the US Govt says not) worse, anyone depreciating (or deprecating) your general concerns about them might not be fully up to date concerning their black hat utilization (why else, according to Wikipedia, do lots of countries - including the US - seek to regulate, and enforce the regulation of, their use?) - or they might have a foot in the other camp. But cookies are probably not as bad as many might believe.

[Wazoo]

Yes, the hosts file is a Window thing, in which service it overrides addresses in the DNS, preventing access to the listed sites by redirecting any Internet connection attempts back to the local machine (including both on-line redirects to websites on the list and any attempts by resident applications to connect to websites on the list).

Just a bit of technical correction. When a DNS look-up is required, Windows will look first at the 'Hosts' file. If that file exists and there is a match of the URI/URL found, then the Host listed IP Address is used as the DNS result, typically the 127.0.0.1 loop-back address such that any further service request to that URI/URL doesn't actually leave the local computer.

Depending on the version and configuration of Windows involved, the next step for a DNS check is to use a lovally-running DNS look-up service/database. Failing to find a local DNS service or data associated with the requested URI/URL, then the defined DNS Host (usually one's ISP's DNS server) is queried. If no 'answer' is found there, then the DNS request starts marching upstream until a DNS server is actually contacted that does know where the URI/URL is actually located (by IP Address)

The point being, I am arguing over/about the "overrides addresses" description. More truthful is that use of the Hosts file causes a (matched) DNS query to "fail locally to a locally defined result" ..... I use the word 'failed' based on that an actual DSN 'provider' is never contacted.

Cookies are a great tool for spyware/profiling and (conceivably, though the US Govt says not) worse, anyone depreciating (or deprecating) your general concerns about them might not be fully up to date concerning their black hat utilization (why else, according to Wikipedia, do lots of countries - including the US - seek to regulate, and enforce the regulation of, their use?) - or they might have a foot in the other camp. But cookies are probably not as bad as many might believe.

There is an entire world out there of cookies, types of cookies, use of cookies, etc. For instance, the general historical debates, arguments were about the plain old standard cookie that is stored on the user's hard drive. However, the news.com article referenced in this Topic is actually referencing a 'session' cookie that is by definition only live during the user's browser session ... meaning that when one logs out of the site involved or closes down the browser, the 'session' cookie dies/disappears. However, as stated, the contents and use of the 'session' cookie can lead to the hijacking problem.

[rconner]

The point being, I am arguing over/about the "overrides addresses" description. More truthful is that use of the Hosts file causes a DNS query to "fail locally to a locally defined result" .....

The Windows notion of the "hosts" file was essentially adapted from the Unix /etc/hosts file, which works the same way. If you wanted (or needed) to do this sort of thing in *nix or in Mac OS X (which is really also a *nix), you could also edit /etc/hosts (though you might have to be root in order to do this, since this file is protected).

-- rick

[Wazoo]

The Windows notion of the "hosts" file was essentially adapted from the Unix /etc/hosts file, which works the same way. If you wanted (or needed) to do this sort of thing in *nix or in Mac OS X (which is really also a *nix), you could also edit /etc/hosts (though you might have to be root in order to do this, since this file is protected).

That's it .. make me laugh even harder. Networking over a half-dozen buildings together, mostly through the use of 2400-baud modems (a couple of 9600-baud high speed out-of-band boxes), using iNTEL 286 and 386 based systems (do I dare mention 8MHz and 10MHz cpu clock speeds?) .. the 'funny' part was using Microsoft's licensed version of SCO's product ... Microsoft XENIX .... With each new relase of a newer and better MS-DOS, it was funny to see that they simply kept adding in powers that were already existent in the XENIX OS ... yet continuing to confuse and hose up things, like removing the ability to change the preference of "\" for "/" .. (if nothing else, call it 'ease of typing') .... changing the definition of and the way some 'commands' worked, such as 'find' ....

Anyway, then came Windows and all sorts of things went wierd <g>

[Farelf]

Thanks both

... use of the Hosts file causes a DNS query to "fail locally to a locally defined result" ...

... as stated, the contents and use of the 'session' cookie can lead to the hijacking problem.

*nix users generally considering themselves less of a target, "safer out of the box", limited range of vulnerabilities which are anyway fixed more quickly, running generally safer applications etc.

...If you wanted (or needed) to do this sort of thing in *nix or in Mac OS X (which is really also a *nix), you could also edit /etc/hosts ...

Yeah, I was wondering about that very un-M$ DOS "hosts" without an extension and even the \etc\ "folder" name. Another side of the muddling convergence (be it ever so reluctant) that Wazoo chuckles about (and the lucky sod had 2400 baud modems - think ours were 960 - yeah baud not bytes/sec - or something, back in the XT days). Don't get me started on command line editing.