
Researchers Expose Tracking Service That Can't Be Dodged

Soulskill posted more than 2 years ago | from the advertising-arms-race dept.

Privacy 173

Worf Maugg writes with this excerpt from Wired: "Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded — even when users block cookies, turn off storage in Flash, or use browsers' 'incognito' functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics."

173 comments

more importantly... (5, Informative)

alphatel (1450715) | more than 2 years ago | (#36933560)

The data collected can be used to track the user over several sites, as the "cram cookies" are persistent through browsing sessions. The only way to remove them is to clear all browser cache data on close and restart the browser. Sounds like privacy invasion to me - although ISPs forced to log user activity [slashdot.org] is far more damning than these transgressions.

Re:more importantly... (0)

bistromath007 (1253428) | more than 2 years ago | (#36933668)

Wouldn't that mean over several views, not several sites?

And even more importantly, how does this qualify as "tracking?" I don't see anything in the description of this thing that suggests it looks at what other sites you go to (aside from how you got to theirs, which is hardly an issue) or what you do on them.

This sounds to me like just a way for devs to examine how their site is used so they can make it more efficient and useful. Calling it "tracking" is practically a smear unless the summary is wholly inaccurate.

Re:more importantly... (4, Interesting)

slyborg (524607) | more than 2 years ago | (#36933816)

How about actually reading the article?

Kissmetrics has a single identifier that is used and tracked across all sites that use it for an identifiable visitor. It would be stupidly easy to aggregate this data and get a complete profile of a person, esp. considering the sites using it - what shows they watch, when they watch them, what music they listen to and when, combined with geolocation data, where they do these things, and for sites with subscriptions, they will have credit card information and home location and contact information. The researchers have no way of knowing if such information is sold between sites, but if there was no "tracking" application to it, why is the identifier not unique between sites?

Re:more importantly... (1, Interesting)

Pieroxy (222434) | more than 2 years ago | (#36933932)

OK, so how do they collect their data if it is not through cookies?

Re:more importantly... (1)

Anonymous Coward | more than 2 years ago | (#36934158)

Using a JS file in the browser cache. (You could have figured that out yourself.)

Re:more importantly... (2)

icebraining (1313345) | more than 2 years ago | (#36934264)

Have you RTFA? The image is quite informative: they put a user id both in a JS file and in that file's ETag. So when the user goes to a different site that also uses KISSmetrics, it'll ask for the same JS file and send the ETag/userid (in the 'If-None-Match' header).

Re:more importantly... (4, Insightful)

asdf7890 (1518587) | more than 2 years ago | (#36934330)

I feel a plugin coming on that will randomise the ID reported this way. Or submits misleading results from sites that are not using the service. Or even shares IDs between users so the tracked information becomes one large blob that doesn't identify the actions of any one person/group...
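
The mechanism icebraining describes above (the same id in the script body and in the ETag, handed back by the browser in If-None-Match) and the countermeasure floated in this comment (randomising the reported id) are simulated together below. This is an added example written for this thread; it is not code from the Wired article, from the Berkeley researchers, or from KISSmetrics, and the tracker hostname, script path, id format, cache headers and site names are all assumptions made for the simulation rather than observed behaviour.

```python
"""Simulation of ETag-based visitor tracking and two client-side responses.

Added example for this thread, not code from the article, the researchers or
KISSmetrics. Everything concrete here (tracker host, script path, ID format,
header values, site names) is an assumption made for the simulation.
"""
import secrets
from typing import Dict, List, Tuple

TRACKER_HOST = "tracker.example"  # assumed: one script host shared by all customer sites
SCRIPT_PATH = "/i.js"             # the thread mentions i.js / j.js


class TrackerServer:
    """Server side of the technique: mint an ID, put it in the script body AND in the
    ETag, then count every If-None-Match revalidation as a visit by that ID."""

    def __init__(self) -> None:
        self.visits: Dict[str, List[str]] = {}  # id -> referring sites, in order seen

    def handle(self, req: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        referer = req.get("Referer", "")
        inm = req.get("If-None-Match")
        if inm:  # revalidation: the browser hands the ID back without any cookie
            uid = inm.strip('"')
            self.visits.setdefault(uid, []).append(referer)
            return 304, {"ETag": inm}, ""
        uid = secrets.token_hex(8)
        self.visits[uid] = [referer]
        body = f"var KM_ID = '{uid}';"  # same ID in the script body, per the thread
        resp = {"ETag": f'"{uid}"', "Cache-Control": "private, max-age=31536000"}
        return 200, resp, body


class Browser:
    """Minimal HTTP cache with three strategies:
    'default'   normal conditional requests (what the researchers observed),
    'randomize' send a fresh random ETag each time (the plugin idea above),
    'no-cache'  never store or revalidate the tracker script at all."""

    def __init__(self, server: TrackerServer, strategy: str = "default") -> None:
        self.server = server
        self.strategy = strategy
        self.cache: Dict[Tuple[str, str], str] = {}  # (host, path) -> cached ETag
        self.cookies: Dict[str, str] = {}

    def clear_cookies(self) -> None:
        self.cookies.clear()  # leaves the HTTP cache untouched, so tracking survives

    def clear_cache(self) -> None:
        self.cache.clear()    # the only thing that actually drops the identifier

    def visit(self, site: str) -> str:
        """Load `site`, which embeds the tracker script; return the ID the tracker recorded."""
        key = (TRACKER_HOST, SCRIPT_PATH)
        req = {"Host": TRACKER_HOST, "Referer": f"https://{site}/"}
        if key in self.cache and self.strategy == "default":
            req["If-None-Match"] = self.cache[key]
        elif key in self.cache and self.strategy == "randomize":
            req["If-None-Match"] = f'"{secrets.token_hex(8)}"'
        status, resp, _body = self.server.handle(req)
        if status == 304:
            return req["If-None-Match"].strip('"')
        if self.strategy != "no-cache":
            self.cache[key] = resp["ETag"]
        return resp["ETag"].strip('"')


def etag_is_embedded_in_body(resp: Dict[str, str], body: str) -> bool:
    """Detection heuristic suggested by the researchers' observation: an ETag that also
    appears verbatim in the body is a per-user label, not a content hash (a hash of the
    body will not, in practice, occur inside that body)."""
    etag = resp.get("ETag", "").strip('"')
    return bool(etag) and etag in body


def ids_seen(strategy: str, sites: Tuple[str, ...] = ("video.example", "music.example")) -> List[str]:
    """Visit each site once with the given strategy, clearing cookies in between."""
    server = TrackerServer()
    browser = Browser(server, strategy)
    ids: List[str] = []
    for site in sites:
        browser.clear_cookies()
        ids.append(browser.visit(site))
    return ids


def is_linkable_across_sites(strategy: str) -> bool:
    """True when the tracker sees the same ID on every site, i.e. cross-site linkage works."""
    return len(set(ids_seen(strategy))) == 1


if __name__ == "__main__":
    for strategy in ("default", "randomize", "no-cache"):
        print(f"{strategy:10s} linkable={is_linkable_across_sites(strategy)}")
```

Clearing cookies between the two visits changes nothing, because the identifier lives in the cache entry, not in the cookie jar; only clearing the cache, refusing to cache the script, or sending a bogus If-None-Match breaks the linkage. The same trick works with Last-Modified and If-Modified-Since, so a defence that only scrubs ETags is incomplete.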

Re:more importantly... (2)

FrankSchwab (675585) | more than 2 years ago | (#36935424)

or perhaps a plugin that blocks execution of javascript by default, and only executes it on sites that the user "whitelists" or on request. We could call it "NoScript".

Re:more importantly... (1)

RobbieThe1st (1977364) | more than 2 years ago | (#36935608)

Hm, yea. Actually, I wonder: With NoScript, JS isn't run, but is it cached anyway? If so, it wouldn't solve the problem. If not... Great!

Re:more importantly... (0)

Anonymous Coward | more than 2 years ago | (#36934278)

Basically they are keeping the cookie not you.
It looks like your only hope is a proxy.

Re:more importantly... (0)

Anonymous Coward | more than 2 years ago | (#36934324)

Think web logs all being routed to a central location.

If you have access to usage logs from the servers, you have something better than a cookie.
Combined with IP addresses, usage patterns, and persistent server-side identification (say logging into hulu), your web usage patterns can be easily filtered and categorized.

Honestly I'm only surprised this hadn't been reported on earlier. Reason to have multiple devices on separate network segments to help break up your browsing patterns. Only works if you keep which websites you visit isolated between devices though.

Re:more importantly... (1)

Anonymous Coward | more than 2 years ago | (#36933692)

Just add a line to your hosts files redirecting the KISS***** domains to 127.0.0.1.
A good hosts file can be downloaded from MVP just google for it.

Re:more importantly... (1)

JonySuede (1908576) | more than 2 years ago | (#36934034)

0.0.0.0 fail faster

Re:more importantly... (0)

Anonymous Coward | more than 2 years ago | (#36934446)

Or just configure your firewall... I can't believe people are still abusing /etc/hosts for this purpose.

Because of layered security & speed (-1)

Anonymous Coward | more than 2 years ago | (#36935618)

Now, I invite you to disprove every point I made here:

http://yro.slashdot.org/comments.pl?sid=2356916&cid=36935570 [slashdot.org]

* OK? I would like to see you disprove the 20++ points I put down there!

(They're ALL in favor of HOSTS files usage that benefits end-users for both added SPEED, SECURITY, & even to a degree, added "anonymity" as well, plus their hard-earned dollars spent for online time BANDWIDTH as well for them being maximized as well by using HOSTS in combination with a GOOD DNSBL filtering DNS server (listed there for security's sake), & other layered security methods too!)

APK

P.S.=> Good luck - you'll NEED it (because many, Many, MANY others who are "anti-HOSTS file" have tried here over time and on countless other forums... & failed, every time!)

... apk

Re:more importantly... (5, Informative)

Em Adespoton (792954) | more than 2 years ago | (#36934134)

Or, since the i.js and j.js scripts are usually hosted on the domain you're browsing, just follow KISSmetric's own recommendation:

For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.

Between HOSTS, & javascript only (-1)

Anonymous Coward | more than 2 years ago | (#36935570)

WHERE YOU ABSOLUTELY NEED IT (Opera allows for this, in its "by site" preferences, or using NoScript on FF)?

* Well, then? You are NOT "trackable" by this...

Beating DNSBL logging can be "blown by" as well by hardcoding your favs. into your HOSTS file (but it won't beat deep packet inspection, NOR defend vs. BGP exploits, but encryption can hinder DPI even)...

Some folks noted TOR, but that slows you down (not as bad as anonymous proxies do though)... new NEWS/NewsFlash:

TOR has "weaknesses" with apps that have "hardcodes" to certain DNS servers (there are those, like Windows Update for instance, as perhaps NOT the "best example" since for the most part it's a good thing, but it is one)....

Plus, face it: IF you *THINK* those highly anonymous proxies &/or TOR endpoints do NOT have a HIGH %-age of them setup by law enforcement nowadays? You're OUTTA YOUR MIND!

(That's the 1st thing I'd do were I out to 'track & control' wrongdoers online - I'd setup honeypots by the truckload!)

NOW, You KNOW I have to post this now also, as I always do, in favor of HOSTS files & "layered security" over things like AdBlock, DNS Servers, & even Firewalls + Antivirus/AntiSpyware alone:

Now?

20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

2.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).

6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code. With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

and people do NOT LIKE ads on the web:

---

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

ADBANNERS SLOW DOWN THE WEB:

http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Photobucket's DNS records hijacked by Turkish hacking group:

http://www.zdnet.com/blog/security/title/1285 [zdnet.com]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122 [slashdot.org]

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] [mvps.org]" - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECUNIA.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

---

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

APK

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proximitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such a list as does IE also) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point 18 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them.

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most used domain/host names because they're "RECYCLABLE/REUSEABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk

Re:Between HOSTS, & javascript only (1)

RobbieThe1st (1977364) | more than 2 years ago | (#36935616)

APK, is that you?

Of course it is... apk (-1)

Anonymous Coward | more than 2 years ago | (#36935662)

I challenge ANYONE to disprove the 20++ points in favor of HOSTS for end users I put out in the link you responded to... they're all backed by facts as well!

(Because I have done this challenge here, and others spots online, & many times before - all/every naysayer failed, and all they had in the end was adhominem attacks directed my way out of "FruStRaTiOn"... pitiful! I've had nearly 16++ yrs. to think that list out is why, because it works for all I noted in it, no questions asked)

* So, if you're being your usual self (& yes, I have you bookmarked as "attacking me" before Robbie)?

Go for it...

Try to disprove the 20++ points in favor of HOSTS file usage for end users benefit in added security, speed, & even bandwidth maximization + some added "anonymity" possibles (vs. DNS log tracking) that HOSTS files give folks that I put up in that post of mine you just replied to...

APK

P.S.=> Good luck - you will NEED it, badly!

... apk

Tracking Service That Can't Be Dodged (1)

Anonymous Coward | more than 2 years ago | (#36933574)

Ghostery claims to block KISSmetrics fully...

I blocked it (0)

Anonymous Coward | more than 2 years ago | (#36933582)

I checked my privoxy config and I have apparently been blocking this for a long time.

MOST importantly... (1)

gestalt_n_pepper (991155) | more than 2 years ago | (#36933594)

Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?

Re:MOST importantly... (0)

Anonymous Coward | more than 2 years ago | (#36933628)

Especially for Firefox 5.x, preferable as add-on.

Re:MOST importantly... (3, Informative)

ColdWetDog (752185) | more than 2 years ago | (#36933704)

Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?

According to a link [kissmetrics.com] in the TFA (directly from KissMetrics), just use AdBlock Plus.

Seems to take a bit of wind out of the summary's sails.

Re:MOST importantly... (1)

TheLink (130905) | more than 2 years ago | (#36934068)

Yeah I use noscript and adblockplus. I did a search in my browser's cookies for km_ and I didn't find anything. So I don't think their tracking stuff is that "undodgeable".

Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using. Even if you are using Tor. One hundred other people might be using the same Tor IP, but over time they can narrow things down if they want - people have habits. If they see you login to facebook/gmail from a Tor IP and then see that IP hit a few other sites around that time, and if it keeps happening then they can figure out you are the one who visits those sites.

If you don't keep changing your IP and flushing your cookies etc at the same time[1], Google will be able to give you a unique ID and link that to what you search for and a zillion other things.

And if you use noscript and log on to facebook/google using the same browser you use to visit other sites, you'd probably have enabled scripting for facebook and google, and noscript will not block their stuff even if the "main page/url" is not a google/facebook domain.

If noscript allowed users to limit a list of allow/deny script decisions to be tied to a domain/domain pattern then it'll be harder for unwanted scripts to run when the main page is some other site.

[1] IIRC Google Chrome sets a new cookie with Google every time you flush everything. And even if you use firefox, if you're not careful you just have to visit google and they can just set another cookie and link it to "might be the same guy as 'old cookie'" because you're using the same IP address.

Re:MOST importantly... (2)

Nursie (632944) | more than 2 years ago | (#36934216)

Adblock can help you with the loading of facebook stuff on other sites, if you want.

I have mine set up to only allow content of any sort to be loaded from facebook.com (or the fbcdn sites) if I'm actually browsing those sites.

Google, more difficult I guess, I may not want to block everything from them when it's not first party.

Re:MOST importantly... (1)

asdf7890 (1518587) | more than 2 years ago | (#36934366)

I don't think there is an equivalent for Google yet, but there are several options for blocking Facebook having anything to do with the sites you visit (other than facebook itself). Both adblock and script block have relevant options, for instance.

If you don't want to use adblock or scriptblock, or use a browser that they do not support so can't use them even if you want to, then there is this plugin: http://webgraph.com/resources/facebookblocker/ [webgraph.com] - there are versions for Firefox, Chrome, Opera and Safari.

RequestPolicy (4, Informative)

traindirector (1001483) | more than 2 years ago | (#36935136)

Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.

That's what RequestPolicy [requestpolicy.com] is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).

For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.

It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interested in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.

Javascript tracking? lol (1, Informative)

Anonymous Coward | more than 2 years ago | (#36933596)

It seems their tracking is using some javascript code. Noscript. No problem.

Re:Javascript tracking? lol (1)

Anonymous Coward | more than 2 years ago | (#36933632)

You obviously didn't read the article. etags aren't javascript based, they're part of the browser caching mechanism. Even if you block the cookie creation script, which allows sites hosting the scripts to recreate the cookies, the actual tracking service is still tracking you.

Re:Javascript tracking? lol (4, Informative)

larry bagina (561269) | more than 2 years ago | (#36933728)

Maybe you read a different article. The one I read had almost no technical information, but did have a link to KiSSMetric's explanation [kissmetrics.com], which states:

When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person’s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

Blocking the javascript files (or blocking cookies and the ETag header) would eliminate the tracking.

Re:Javascript tracking? lol (1)

icebraining (1313345) | more than 2 years ago | (#36934270)

The first image in TFA is very clear, it shows a piece of JS with the ID, and you can see that it's exactly the same as the ETag.

Re:Javascript tracking? lol (1)

Anonymous Coward | more than 2 years ago | (#36933764)

eTags aren't special. They have been known about since forever.

Pretty sure browsers clear them on cache-clearance too.
If not, shame on browser makers. Every single thing a site is capable of saving should be capable of being deleted, regardless of how small it is.

Re:Javascript tracking? lol (1)

Anonymous Coward | more than 2 years ago | (#36934448)

I use the "Modify Headers" firefox add-on to filter the If-Match, If-None-Match, If-Modified-Since etc. headers, because they can all be used to store cookie-like bits of data. This has been known about for a while.

The documentation for evercookie lists the methods it uses for tracking: http://samy.pl/evercookie/ [samy.pl]

But most of all, Samy is my hero.

Re:Javascript tracking? lol (1)

RobbieThe1st (1977364) | more than 2 years ago | (#36935644)

So, for me this is like a session-cookie, if it even gets loaded: I have my FF cache folder symlinked to a folder in my ram-backed /tmp/ folder (does provide a speed-increase). On shutdown it gets wiped, there goes all my eTags, js and other cached files.

Re:Javascript tracking? lol (1)

TheGratefulNet (143330) | more than 2 years ago | (#36934300)

javascript tries to hide what it's doing in plain sight. I disable js for most sites. it's evil.

flash also exists MOSTLY to deliver ads. I have flash disabled and hard linked to /dev/null. no way any flash cookies are saved on my system.

if I need to view youtube (rarely) I use the cli util 'youtube-dl'. nice side effect: I get to KEEP a local copy of the video, should the 'job creators' (...) decided to pull the content back at some point in the future.

not even installing the flash plugin for the web saves you SO MUCH HASSLE. it amazes me that sheeple just enable all the plugins for 'media' and happily store whatever remote sites want them to. javascript is a security weakness. really hate sites that try to obscure what they are doing (are you reading this, yahoo, google and all the rest of you pig fucker companies out there?)

Re:Javascript tracking? lol (0)

Anonymous Coward | more than 2 years ago | (#36934598)

Some of us sheeple like to watch youtube. But I shall now stop, for O how I fear being seen disapprovingly in your eyes.

Oh wait, I have the same reaction everyone else does: fuck off, pompous nerd.

Re:Javascript tracking? lol (0)

Anonymous Coward | more than 2 years ago | (#36934790)

Seconded. Science has established that it's impossible to use the term "sheeple" without being a smug cunt whose destiny is to be technically correct and rarely invited to parties a second time.

Why do you need Javascript or Flash for YouTube? (1)

SuperKendall (25149) | more than 2 years ago | (#36934992)

Some of us sheeple like to watch youtube.

So do I (sometimes), but I use only HTML5 video tags to do so... no javascript (or Flash) required.

No Different Than Cameras in a Store... (0)

Anonymous Coward | more than 2 years ago | (#36933610)

It tracks your presence and where you go on THEIR site. If you don't like it then don't go there.

Re:No Different Than Cameras in a Store... (1)

hedwards (940851) | more than 2 years ago | (#36934370)

The difference is that you can see the cameras in the store as you walk in, you don't necessarily get to see the tracking mechanisms when you browse the web.

Re:No Different Than Cameras in a Store... (1)

LVSlushdat (854194) | more than 2 years ago | (#36935252)

It tracks your presence and where you go on THEIR site. If you don't like it then don't go there.

Be MORE than happy to, gimme a list of the sites using this shit and I'll be damned sure not to go there....

Ghostery FTW (3, Informative)

blindbat (189141) | more than 2 years ago | (#36933624)

You can use Ghostery to block this and many other tracking scripts. http://www.ghostery.com/download [ghostery.com]

Any free software equivalents to Ghostery? (1)

ciaran_o_riordan (662132) | more than 2 years ago | (#36934050)

It's a real pity that Ghostery isn't free software.

It has a look-but-don't-touch licence for the source code. Being able to look is better than nothing, but if no one can modify or fork it, then it's unlikely that anyone's reading the source code at all. I wouldn't trust my privacy to something with no community or third-party oversight.

Here's gnu.org's list of free, mozilla-compatible add-ons:
http://www.gnu.org/software/gnuzilla/addons.html [gnu.org]

For privacy, there's only really Noscript and Requestpolicy.

Re:Ghostery FTW (0)

Anonymous Coward | more than 2 years ago | (#36934196)

And find that many sites you may use regularly won't work properly anymore.

Not a huge deal but annoying none-the-less.

Re:Ghostery FTW (0)

Anonymous Coward | more than 2 years ago | (#36934288)

You can use Ghostery to block this and many other tracking scripts.

http://www.ghostery.com/download [ghostery.com]

Or you can put their domain in your /etc/hosts files:

127.0.0.1 www.kissmetrics.com
127.0.0.1 trk.kissmetrics.com
127.0.0.1 i.kissmetrics.com
127.0.0.1 kissmetrics.com
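
Added example (not from this thread or from any poster): a small Python audit that parses a hosts file in the format just shown and reports which tracker URLs it neutralises. It also flags URLs that address a server by bare IP, which a hosts file cannot block at all (the caveat about IP-addressed ad banners raised earlier in the thread), and it makes visible that hosts entries have no wildcard, so every tracking subdomain needs its own line. The hosts content and URLs are constructed for the example.

```python
"""Audit which URLs a hosts file actually sinkholes.

Added example, not code from the thread. Parses hosts-file text
(IP, then one or more hostnames, '#' comments) and classifies URLs:
blocked, not blocked, or unblockable because the URL uses an IP
literal. All inputs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed hosts-file content mirroring the entries in the comment above.
SAMPLE_HOSTS = """\
# sinkhole tracking hosts
127.0.0.1 localhost
127.0.0.1 www.kissmetrics.com
127.0.0.1 trk.kissmetrics.com
127.0.0.1 i.kissmetrics.com   # trailing comment is ignored
0.0.0.0   kissmetrics.com
"""

# Addresses that mean "go nowhere" when used as a hosts-file target.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments/blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = ip
    return table


def classify(url, table):
    """Classify one URL against the parsed hosts table.

    A hosts file is consulted by hostname lookup only, so a URL that
    names the server by IP address never touches it.
    """
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip-literal (hosts file cannot block)"
    except ValueError:
        pass
    # Exact match only: hosts files have no wildcard for subdomains.
    if table.get(host.lower()) in SINKHOLE_IPS:
        return "blocked"
    return "not blocked"


def audit(urls, hosts_text=SAMPLE_HOSTS):
    """Map each URL to its classification under the given hosts file."""
    table = parse_hosts(hosts_text)
    return {u: classify(u, table) for u in urls}


if __name__ == "__main__":
    for url, verdict in audit([
        "//i.kissmetrics.com/i.js",
        "http://new.kissmetrics.com/i.js",   # not listed: not blocked
        "http://203.0.113.5/ad.gif",          # constructed IP-literal banner
    ]).items():
        print(f"{verdict:40} {url}")
```

Run it against your real file (`audit(urls, open('/etc/hosts').read())`) to see which third-party hosts a page pulls from slip past the list; anything reported as an IP literal has to be handled by a firewall rule instead.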

Re:Ghostery FTW (1)

ugen (93902) | more than 2 years ago | (#36934586)

Mod this up. Ghostery is the answer. They deterministically block 100s of trackers (by essentially refusing to load javascript/pages/what have you from their sites/of specific appearance etc).
Blocks KISSmetrics just fine. Nothing to see here.

Re:Ghostery FTW (1)

Arrogant-Bastard (141720) | more than 2 years ago | (#36935204)

Ghostery is unacceptable, as it's not free AND open-source. Nobody who cares about their privacy and security should use an inferior product like this.

Can't Be Dodged (-1)

Anonymous Coward | more than 2 years ago | (#36933638)

This can be dodged by disabling javascript, like everyone already does, who cares about privacy.

When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:

      1. t.js
      2. i.js

Re:Can't Be Dodged (1)

0123456 (636235) | more than 2 years ago | (#36933674)

This can be dodged by disabling javascript, like everyone already does, who cares about privacy.

I also appear to have dodged it by having their servers blocked in /etc/hosts. Not sure at which point I did that.

Re:Can't Be Dodged (0)

BitterOak (537666) | more than 2 years ago | (#36933980)

This can be dodged by disabling javascript, like everyone already does, who cares about privacy.

I also appear to have dodged it by having their servers blocked in /etc/hosts. Not sure at which point I did that.

Blocking access to the KISSmetric site is only a temporary solution as it will do nothing to solve the underlying security problem which this site is exploiting. There's nothing to prevent other services from springing up which do much the same thing. This is a problem which must be solved in the browser.

Re:Can't Be Dodged (0)

JMJimmy (2036122) | more than 2 years ago | (#36934526)

I don't know anyone who disables javascript. I disable scripts on an individual basis when I can see they're up to no good (ads/tracking/etc) but more often than not now sites require javascript just to load.

There are always ways to dodge it.. (2)

DrBuzzo (913503) | more than 2 years ago | (#36933706)

There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit. You could use multiple computers. You could write scripts to send your browser clicking thousands of links and visiting thousands of pages to obscure the actual surfing behavior.

If worst comes to worst, you could travel across the country, nomadically roaming between random libraries, public internet terminals and wifi hotspots, each time using a different browser, operating system and site logins. Or you could just start using paper to get your information again.

Re:There are always ways to dodge it.. (0)

Anonymous Coward | more than 2 years ago | (#36933790)

... Or you could just start using paper to get your information again.

Holy crap! There's midget porn on paper?!

Re:There are always ways to dodge it.. (1)

gl4ss (559668) | more than 2 years ago | (#36933846)

yes, most porn on internet originally originated from paper publications. midget, animal, everything.
in such, it's the internet that proved to everyone that yeah, sexual stuff does happen. you no longer needed to go to a city with a sleaze district to know.

anyways, if sites are dynamically created, it's easy enough to make every link ride POST information or a trailing argument in the url which can be used for tracking a particular user's link journey through the site. how it would be news I don't know though.

Re:There are always ways to dodge it.. (1, Insightful)

BitterOak (537666) | more than 2 years ago | (#36933960)

There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit.

If you RTFA, you'll see that this service is using persistent storage on your computer that is NOT contained in your cache, cookies, or browser history. Even using a DIFFERENT BROWSER on the same computer (i.e. Firefox, then Chrome) this site can track you and link your sessions. I regard this as a browser bug, and it needs to be fixed in the browser. We can't rely on legislation or promises of good behavior from website operators to fix this problem. It really needs to be fixed in the browser, or, if it is a Flash issue, it needs to be fixed in Flash. I hope a patch comes out for Firefox soon!

Re:There are always ways to dodge it.. (0)

Anonymous Coward | more than 2 years ago | (#36934346)

Sure, there are ways to dodge it, but honestly browsing the web shouldn't be some sort of cloak and dagger affair. I just want to get information without people invading my privacy. That should be something guaranteed by law. In a public library you don't need to sign your name at the door, unless you want to keep the book for a few days. People should be able to inform themselves without being monitored.

Antivirus/FBI (1)

Anonymous Coward | more than 2 years ago | (#36933750)

So when are the antivirus companies going to block it? It's clearly malware, and are the FBI going to investigate them for "hacking"?

Can't be dodged by the lay man (1)

Urd.Yggdrasil (1127899) | more than 2 years ago | (#36933766)

Taking a quick look at the JavaScript they use there doesn't appear to be anything particularly unusual going on such as browser fingerprinting [eff.org], or even as encompassing as evercookie [samy.pl] which can be easily defeated using built in browser options. The only thing that seems different about it is that it attempts to use more storage techniques than other tracking services: browser local storage, e-tag tracking, and IE userData storage in addition to the common browser and flash cookies. To say that it "can't be dodged", while possibly true for the average user, doesn't hold for anyone who knows how to configure their browser for greater privacy.

It CAN be dodged (2)

kitserve (1607129) | more than 2 years ago | (#36933792)

According to the KISSmetrics site [kissmetrics.com]:

For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics.

Now, I'm no fan of tracking or advertising, but TFS/A sounds like scaremongering to me, I fail to see how this service is any more "unblockable" than other analytics providers such as Google. Moreover, since many people are signed into Google all the time for things like Gmail, I'd say Google has the capability to tie a lot more personal information to a site visitor in Google Analytics.

That's not to say that Google share said information with GA account holders, but then KISSmetrics claim not to share personally identifiable information either:

KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.

Re:It CAN be dodged (1, Insightful)

jfengel (409917) | more than 2 years ago | (#36933858)

If I'm understanding their site correctly, it's also blocked by NoScript (or, for that matter, just turning JavaScript off).

There are many sites that are useless without Javascript, but it's hardly surprising to me that allowing a general-purpose programming language to run on your browser creates privacy problems. Many of those sites don't really need Javascript, and I block as much JS as possible. I've walked away from sites rather than turn on JS; that's both my loss and theirs.

Re:It CAN be dodged (1)

psyclone (187154) | more than 2 years ago | (#36934770)

But most noscript users allow the "same domain" as the site they are visiting, so the page is usable (navigation, ajax, etc). If i.js and j.js are hosted on the same domain you are visiting (not 3rd party hosted) then noscript may not help you. Even those users that are super-strict about allowing scripts will often temporarily-allow a subdomain for the purpose of using the site. A few temp-allows between some major sites will thus lead to you being tracked across those sites.

Evercookie also has this (0)

Anonymous Coward | more than 2 years ago | (#36933814)

Evercookie [samy.pl]
Isn't it wonderful?

Posting this in hopes that those who create the browsers read it (again).
All of those things should be capable of being cleared by a user from the options menu.
It might not be a large size, but multiplied a 1000+ times, it starts to gain size.

As more and more storage methods get added to web browsers, there NEEDS to be a decent file manager for them.
It is simply shocking that there are no decent methods of accessing this data without having to go through a hell of a time with extensions and various external readers to even get to them.
I know the File API is being worked on just now, but it can't be stressed enough that there needs to be better access to stored files from websites.
Every browser should have a Files page in their options, with access to all content saved by sites, in exactly the same way that cookies have been since as long as I can remember.
If you guys seriously expect the web-as-an-app age to take off, THIS IS A MUST.

unnamed websites (0)

Anonymous Coward | more than 2 years ago | (#36933860)

The wired article says that it won't name the other prominent websites. One that is named in the report: foxnews.com. By searching my own cookies I found that moveon.org was using it as well. Just open your cookies file and search for "km_ai" to see who else has used it.

ACOOKIE (1)

mbone (558574) | more than 2 years ago | (#36933870)

Looking at my cookies, I see a bunch from different sites which are all called ACOOKIE and all start "C8ctAD" and have other long string matches in the content.

I wonder if this is doing the same thing.
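
Added example, not from any poster in this thread: the two previous comments both do the same thing by hand (grep the cookie store for km_ai, notice ACOOKIE values on different sites sharing a prefix). This Python snippet generalises that check into a cross-site identifier heuristic: any sufficiently long cookie value, or common value prefix for a given cookie name, that turns up under two or more registrable domains is a candidate shared tracking ID. The cookie records are constructed; a real scan would read them out of the browser's cookie store. The eTLD+1 helper is deliberately crude (last two labels) and is an assumption of the example.

```python
"""Find cookie values that recur across unrelated sites.

Added example, not code from the thread. Input is a list of
(host, cookie name, value) records, constructed here.
"""
from collections import defaultdict

# Constructed records: (host the cookie belongs to, cookie name, value).
# The repeated km_ai value models one identity re-set on every customer site.
SAMPLE_COOKIES = [
    ("www.site-a.example", "km_ai", "A1b2C3d4E5f6G7h8I9j0K1l2M3n"),
    ("news.site-b.example", "km_ai", "A1b2C3d4E5f6G7h8I9j0K1l2M3n"),
    ("i.kissmetrics.com", "km_ai", "A1b2C3d4E5f6G7h8I9j0K1l2M3n"),
    ("shop.site-c.example", "ACOOKIE", "C8ctADxyz123"),
    ("blog.site-d.example", "ACOOKIE", "C8ctADabc456"),
    ("www.site-a.example", "session", "9f2b7e"),
    ("login.site-e.example", "session", "9f2b7e"),  # short value: ignored
]

MIN_LEN = 12  # shorter values collide by chance too easily to be evidence


def registrable_domain(host):
    """Crude eTLD+1: last two labels (assumption of this example; a real
    tool would consult the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def shared_values(cookies, min_len=MIN_LEN):
    """Map exact value -> sorted registrable domains carrying it, keeping
    only values present on at least two distinct domains."""
    seen = defaultdict(set)
    for host, _name, value in cookies:
        if len(value) >= min_len:
            seen[value].add(registrable_domain(host))
    return {v: sorted(d) for v, d in seen.items() if len(d) >= 2}


def shared_prefixes(cookies, name, prefix_len=6):
    """For cookies of one name, group domains by value prefix
    (the 'all ACOOKIE values start C8ctAD' observation above)."""
    groups = defaultdict(set)
    for host, n, value in cookies:
        if n == name:
            groups[value[:prefix_len]].add(registrable_domain(host))
    return {p: sorted(d) for p, d in groups.items() if len(d) >= 2}


if __name__ == "__main__":
    for value, domains in shared_values(SAMPLE_COOKIES).items():
        print("shared identifier", value, "on", ", ".join(domains))
    for prefix, domains in shared_prefixes(SAMPLE_COOKIES, "ACOOKIE").items():
        print("common prefix", prefix, "on", ", ".join(domains))
```

A shared exact value across first-party domains is strong evidence of a synced identifier; a shared prefix (as with ACOOKIE) is weaker, since it may just be a format or version marker, so treat it as a lead to inspect rather than a finding.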

Cache + noscript = can't track me (0)

Anonymous Coward | more than 2 years ago | (#36933908)

Can't track me if I don't bother visiting their site and just view their content through a cache and use noscript

How to use this for good. (0)

Anonymous Coward | more than 2 years ago | (#36933916)

If they used this data and released to the World for FREE, we could find out which websites are the most popular and maybe the best - like porn!

Hey! What's a Slashdot thread without a web technology article being related to porn? Hmmmmmm?

For those too lazy to look for themselves: (4, Informative)

couchslug (175151) | more than 2 years ago | (#36933956)

"How KISSmetrics Tracking Works

KISSmetrics uses a variety of technologies to track people across the various browsers and computers they use. In doing so, we provide our customers a full view into how their customers interact with their websites.

Sites who use KISSmetrics may choose to provide us with personally identifiable information for their customers, or they may choose to use anonymized identities.

Sites have always had the option of using one of our server-side APIs, which do not set cookies or use any other means of identification. As of July 2011, sites may also choose to use only traditional cookie-based KISSmetrics tracking, which means that user information would be cleared whenever the consumer cleared their browser cookies.

For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.
The Technical Details

When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:

        t.js
        i.js

t.js is the same for all people who visit a specific site (t.js is unique to each KISSmetrics customer).

i.js returns a unique "identity" for each person. This identity is just a random set of characters — it does not contain an email address, name, IP address, or anything else that would be useful for identifying a person outside of KISSmetrics.

When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person's random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

This means that if a person clears their browser cache or cookies, the random identity is likely to persist and that person will keep being "known" as a consistent random identity. If the random identity persists in one of these methods, we will reset the others so they all share that same random identity.

We do not use CSS or other versions of the technique known as history knocking.

The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether they're visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.

This is similar to credit card purchases — Store A knows what you bought at Store A with your Visa. Store B knows what you bought at Store B with your Visa. Visa knows what you bought on Store A and Store B, but does not share that information between vendors. Just like Visa, KISSmetrics does not share any information about your interactions with Site A with Site B or with any third parties.
The Privacy Details

KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.

KISSmetrics has never, and will never, share anonymous customer activity of what people did on customer A's site with customer B.

Person data is available to the KISSmetrics customer for the lifetime of their relationship with KISSmetrics. When a customer ends their relationship with KISSmetrics, they may request that their data be deleted within 30 days.

If you have questions, we're happy to answer them at privacy@kissmetrics.com."
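
The quoted "Technical Details" above, and the earlier exchange about whether ETags are "javascript based", both describe the same mechanism: the identity lives in the body of i.js, in its ETag, and in cookies, and whichever copy survives is used to re-seed the others. The following Python simulation is an added example (not KISSmetrics' code and not from any poster) of that round trip and of why clearing cookies alone does not help. A toy server serves i.js with the identity as the ETag; a toy client keeps the ETag in its cache and sends it back as If-None-Match, so the server recovers the identity from the conditional request with no cookie present. The header names and the simplified cookie handling are assumptions of the simulation; the mitigations modelled are wiping the cache together with cookies, and stripping conditional-request headers as the Modify Headers comment earlier suggests.

```python
"""Simulate identity persistence through ETag caching, plus mitigations.

Added example, not KISSmetrics' code. Cookies and headers are modelled
as plain dict entries ("Cookie-km_ai", "Set-Cookie-km_ai") for brevity;
these names are assumptions of the simulation, not real header names.
"""
import secrets


class TrackerServer:
    """Toy analytics endpoint serving i.js."""

    def __init__(self):
        self.log = []  # identity recovered on each request

    def get_i_js(self, headers):
        """Serve i.js. Identity is taken from the cookie if present,
        otherwise from the ETag the browser echoes back, otherwise a
        fresh random one is minted. Every response re-sets all copies."""
        ident = headers.get("Cookie-km_ai") or headers.get("If-None-Match")
        if ident is None:
            ident = secrets.token_urlsafe(12)
        self.log.append(ident)
        return {
            "status": 200,
            "ETag": ident,                        # identity hidden in a validator
            "Cache-Control": "max-age=31536000",  # keep it as long as possible
            "Set-Cookie-km_ai": ident,            # and in a cookie
            "body": f"var KMCID='{ident}';",      # and in the script body
        }


class Browser:
    """Toy client with a cookie jar and a one-entry cache."""

    def __init__(self, strip_conditional=False):
        self.cookies = {}
        self.cache_etag = None
        self.strip_conditional = strip_conditional  # mitigation: drop If-None-Match

    def fetch(self, server):
        headers = {}
        if "km_ai" in self.cookies:
            headers["Cookie-km_ai"] = self.cookies["km_ai"]
        if self.cache_etag and not self.strip_conditional:
            headers["If-None-Match"] = self.cache_etag  # cache revalidation leaks it
        resp = server.get_i_js(headers)
        self.cookies["km_ai"] = resp["Set-Cookie-km_ai"]
        self.cache_etag = resp["ETag"]
        return resp["ETag"]

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache_etag = None


def identity_survives_cookie_clear(strip_conditional=False, clear_cache=False):
    """Return True if the server sees the same identity before and after the
    user clears cookies (and optionally the cache as well)."""
    server, browser = TrackerServer(), Browser(strip_conditional)
    first = browser.fetch(server)
    browser.clear_cookies()
    if clear_cache:
        browser.clear_cache()
    second = browser.fetch(server)
    return first == second


if __name__ == "__main__":
    print("cookies cleared only      :", identity_survives_cookie_clear())
    print("cookies + cache cleared   :", identity_survives_cookie_clear(clear_cache=True))
    print("If-None-Match stripped    :", identity_survives_cookie_clear(strip_conditional=True))
```

The three outcomes map onto the defences discussed in the thread: blocking the request outright (hosts file, NoScript, RequestPolicy) means the server never sees anything; clearing cache together with cookies removes the ETag copy; stripping If-None-Match closes the channel but costs cache revalidation for every site, which is why it is the least popular option.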

Re:For those too lazy to look for themselves: (0)

Anonymous Coward | more than 2 years ago | (#36934114)

People don't read press releases like this because they can't trust them at all.

The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether they're visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.

Contradicted by the article:

[Image of identical user IDs in different cookies]

So that makes it possible, the researchers say, for any two sites using KISSmetrics to compare their databases, and ask things like “Hey, what do you know about user 345627?” and the other site could say “his name is John Smith and his email address is this@somefakedomainname.com and he likes these kinds of things.”

Let's mess with them (1)

Anonymous Coward | more than 2 years ago | (#36934354)

Get everyone to set their key to the same value. >:D

"This guy's been on 2,500 websites every 6 seconds!"

Re:For those too lazy to look for themselves: (0)

Anonymous Coward | more than 2 years ago | (#36934542)

So it sounds like they store your unique ID in cookies and the browser cache, but then they say it persists if you clear your cookies and cache? How?

Just more proof of what a joke our government is (0)

grimharvest (724023) | more than 2 years ago | (#36933958)

It's bad enough when the government invades our privacy wantonly, but they'll also let corporations do it at will. And not even over security concerns, but for revenue. Meanwhile we're all treated like suspects to a crime by one bill after another from Congress, and the collusion of the ISPs.

How I block it... (0)

Anonymous Coward | more than 2 years ago | (#36933992)

1. AdBlockPlus
2. NoScript
3. Flash is set to NOT store any data at all
4. Firefox set to dump cache, cookies, everything... at browser close

Here is my KISSmetrics for kissmetrics.com... (2)

bgspence (155914) | more than 2 years ago | (#36934062)

go to http://www.kissmetrics.com/how-it-works [kissmetrics.com] and get tracked:

<!-- KISSmetrics for kissmetrics.com -->
<script type="text/javascript">
    var _kmq = _kmq || [];   // command queue that the loaded scripts drain
    function _kms(u){
        // inject a script tag asynchronously so the page render is not blocked
        setTimeout(function(){
            var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true;
            s.src = u; f.parentNode.insertBefore(s, f);
        }, 1);
    }
  // first script carries the visitor ID; second is the per-site script served from CloudFront
  _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/bd3a8adc30561f08e0ccb9ad3120aa1d14b25d05.1.js');
</script>

with my http://i.kissmetrics.com/i.js :
var KMCID='IEkB3hUXZTz9zHRV1r51WjJJlB8';if(typeof(_kmil) == 'function')_kmil();
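The comment above shows that i.js is just a one-line script assigning a visitor ID, and an earlier comment asked how that ID can survive clearing cookies. The following is an added example, not KISSmetrics' code nor code from any commenter: a simplified model in which a server mints a fresh random ID for every uncached request for i.js and marks the response cacheable for a year, while the page's script copies the ID from i.js into a cookie. The cookie name `km_id`, the URL `//tracker.example/i.js`, the server behaviour and the one-year max-age are all assumptions made for the model; only the `var KMCID='...'` body format comes from the page.

```python
"""Model of a visitor ID carried by a cached script (added example, not KISSmetrics' code).

Assumptions: the server embeds a new random ID in the body of i.js on every
request that actually reaches it, and tells the browser to cache the response
for a year; the page script then stores that ID in a cookie. Cookies and the
HTTP cache are kept as separate dicts so each can be cleared independently.
"""
import re
import secrets
import time

# Matches the body format shown on the page: var KMCID='<id>';...
ID_PATTERN = re.compile(r"var KMCID='([^']+)';")

SCRIPT_URL = "//tracker.example/i.js"   # placeholder URL, constructed for the model


class TrackerServer:
    """Serves i.js; every uncached fetch receives a newly minted identifier."""

    def __init__(self, max_age=365 * 86400):   # assumed one-year cache lifetime
        self.max_age = max_age

    def serve_script(self):
        visitor_id = secrets.token_urlsafe(20)
        body = f"var KMCID='{visitor_id}';if(typeof(_kmil) == 'function')_kmil();"
        return {"body": body, "max_age": self.max_age}


class Browser:
    """Minimal browser: a cookie jar and an HTTP cache keyed by URL."""

    def __init__(self, now=time.time):
        self.cookies = {}
        self.cache = {}        # url -> (body, expires_at)
        self.now = now

    def fetch_script(self, url, server):
        cached = self.cache.get(url)
        if cached and cached[1] > self.now():
            return cached[0]   # fresh in cache: no request reaches the server
        resp = server.serve_script()
        self.cache[url] = (resp["body"], self.now() + resp["max_age"])
        return resp["body"]

    def run_tracker(self, server, url=SCRIPT_URL):
        """What the page script does: read the ID from i.js, then keep it in a cookie."""
        body = self.fetch_script(url, server)
        visitor_id = ID_PATTERN.search(body).group(1)
        self.cookies["km_id"] = visitor_id   # cookie name is an assumption of the model
        return visitor_id

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


def identity_survives(clear):
    """Run the tracker, apply `clear(browser)`, run it again; True if the ID is unchanged."""
    server = TrackerServer()
    browser = Browser()
    first = browser.run_tracker(server)
    clear(browser)
    second = browser.run_tracker(server)
    return first == second


if __name__ == "__main__":
    print("survives cookie clearing:", identity_survives(lambda b: b.clear_cookies()))
    print("survives cache clearing: ", identity_survives(lambda b: b.clear_cache()))
```

With this model, clearing cookies alone leaves the cached i.js in place, so the next visit re-reads the same ID and re-creates the cookie; only clearing the cache (or blocking the script from loading at all) forces a request to the server and a new ID. That is exactly the distinction the "Not a big deal" comment below draws between cookies and cache.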

Re:Here is my KISSmetrics for kissmetrics.com... (2)

bgspence (155914) | more than 2 years ago | (#36934192)

Then the good stuff is here:

'//doug1izaerwt3.cloudfront.net/bd3a8adc30561f08e0ccb9ad3120aa1d14b25d05.1.js

It can be blocked easily.. (0)

Anonymous Coward | more than 2 years ago | (#36934080)

Quote from the KISSmetrics how it works [kissmetrics.com] section: "When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded".

Guess what? My SeaMonkey browser is using the NoScript [noscript.net] plugin. This prevents the initial execution of java applets, javascript, flash and so on.

So if I want to opt out from this completely (just like I did with Google analytics) I simply tell NoScript to distrust anything from kissmetrics.com. Just like I did for google-analytics.com. Happy tracking!

How these researchers managed to come up with "it cannot be evaded" while immediately mentioning the AdBlock plugin in the same section is way beyond me.

site that is using the KISSmetrics Javascript API (1)

John Hasler (414242) | more than 2 years ago | (#36934112)

So there you go. NoScript->no KISSmetrics. "Can't be dodged"? Nonsense. For those who cannot live without JS it should be trivial for a plugin to detect and delete their scripts. As usual the evil "tracking" requires the active cooperation of your browser.

Re:site that is using the KISSmetrics Javascript A (1)

John Hasler (414242) | more than 2 years ago | (#36935512)

> ...it should be trivial for a plugin to detect and delete their scripts.

And in fact Ghostery already does so.

Try this (0)

Anonymous Coward | more than 2 years ago | (#36934188)

# echo "127.0.0.1 i.kissmetrics.com" >> /etc/hosts
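The one-liner above appends a hosts entry every time it is run and offers no check for entries already present. The following is an added example, not from any comment on the page: a small Python helper that parses a hosts file, adds loopback entries only for hostnames not already mapped, and writes the result back. The comment tag `tracker-block`, the function names and the default path `/etc/hosts` (which needs root to write) are choices made here; pass another path to try it on a scratch file first.

```python
"""Idempotent hosts-file blocklist helper (added example, not from the page).

Each hostname that is not yet mapped to any address is appended as a
loopback entry; existing lines are left untouched, so re-running is safe.
"""
import sys
from pathlib import Path

LOOPBACK = "127.0.0.1"


def parse_hosts(text):
    """Return the lowercase set of hostnames mapped on any line (comments ignored)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()                   # address followed by one or more names
        names.update(h.lower() for h in parts[1:])
    return names


def add_block_entries(text, hostnames, tag="tracker-block"):
    """Return (new_text, added): hosts text with missing hostnames appended."""
    present = parse_hosts(text)
    added = []
    for h in hostnames:
        key = h.strip().lower()
        if key and key not in present:        # skip blanks and already-mapped names
            present.add(key)
            added.append(key)
    if not added:
        return text, []
    body = text if not text or text.endswith("\n") else text + "\n"
    body += "".join(f"{LOOPBACK} {h} # {tag}\n" for h in added)
    return body, added


def block_hosts(hostnames, path="/etc/hosts"):
    """Apply add_block_entries to the file at `path`; returns the list of names added."""
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    new_text, added = add_block_entries(text, hostnames)
    if added:
        p.write_text(new_text)
    return added


if __name__ == "__main__":
    # usage: python block_hosts.py [path-to-hosts-file]
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    print("added:", block_hosts(["i.kissmetrics.com"], path=target))
```

A hosts entry only stops the browser resolving that one hostname; the per-site script in the snippet above is fetched from a CloudFront hostname, so it still loads unless that is blocked too. That is the limitation the NoScript and Ghostery comments avoid by refusing the script by origin rather than by name.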

don't legislate technology - target behaviour (2)

feepcreature (623518) | more than 2 years ago | (#36934236)

This sort of thing is why the EU's half-witted privacy rules on cookies miss the point.

The thing to control is the tracking of users (particularly without their consent), and the storage and onward transmission/sale of user-information - not some particular technology that is being used to do that at any given stage in the evolution of the web.

Of course, if your legislative process is owned by the corporate world, or your voters believe in the rights of corporations, rather than citizens, that is unlikely to happen.

Re:don't legislate technology - target behaviour (1)

John Hasler (414242) | more than 2 years ago | (#36934978)

Nobody has any tracking information about you that your browser didn't actively give them, and your browser is entirely under your control.

Re:don't legislate technology - target behaviour (0)

Anonymous Coward | more than 2 years ago | (#36935014)

This sort of thing is why the EU's half-witted privacy rules on cookies miss the point. ....and that's by design, not by accident.

EU's privacy rules were created to please the public and makes it look like they acted, but they also got handsome rewards from corporate interests.

Next up

LEWP, Law Enforcement Work Party. http://register.consilium.europa.eu/pdf/en/11/st07/st07181.en11.pdf

8. Cybercrime

        The Presidency of the LEWP presented its intention to propose concrete measures towards creating a single secure European cyberspace with a certain ”virtual Schengen border” and ”virtual access points” whereby the Internet Service Providers (ISP) would block illicit contents on the basis of the EU ”black-list”. Delegations were also informed that a conference on cyber-crime would be held in Budapest on 12-13 April 2011.

The STASI did not die. It was only renamed.

Google Analytics blocked by too many. (1)

HKcastaway (985110) | more than 2 years ago | (#36934260)

On our site we did a comparison between our local stats and Google analytics; we found that so many people are blocking them there was a skew that fluctuated between 5 to 15% from day to day....

We now run OWA which does a pretty good job.

*cant* be defeated? (1)

nurb432 (527695) | more than 2 years ago | (#36934430)

1 - Anonymous redirection, something like TOR
2 - Forbid anything of theirs to run on your computer.

And then, for #3. Find out who is using it and boycott their companies products/services.

Win for iOS? (1)

devleopard (317515) | more than 2 years ago | (#36934488)

The main trick used was to persistently store data via Flash. The article did say that other persistent storage techniques were used (SQLite, localStorage, etc., technologies iOS has as well) but one less, and a very commonly used technique, is rendered useless if you're on an iPhone or iPad.

You're already using unblockable tracking (3, Informative)

devleopard (317515) | more than 2 years ago | (#36934546)

It's called a web browser.

EFF has shown that you freely transmit all sorts of info that, taken as a whole, can uniquely identify you. [slashdot.org]

Visit it yourself [eff.org] and see where you're at: it told me my fingerprint was unique out of over 1.6M browsers already checked.

You can block pieces - such as using NoScript, or Tor - but then you only *reduce* your uniqueness.

Re:You're already using unblockable tracking (2)

schwnj (990042) | more than 2 years ago | (#36934680)

That's what I thought this article would be about. It looks to me that the font list provides the most identifying information. Anyone know a way to tell your browser to not report your installed fonts?

Haha! (1)

warrax_666 (144623) | more than 2 years ago | (#36935584)

I went to that site and it said

Your browser fingerprint appears to be unique among the 1,684,880 tested so far.

HAHA! ... Wait, what?

Not a big deal. (0)

Anonymous Coward | more than 2 years ago | (#36935088)

the persistent tracking can only be avoided by erasing the browser cache between visits

Problem solved:

http://news.cnet.com/i/tim/2010/12/07/12_04_10_DoNotFollow_Firefox1.jpg

List or didn't happen.... (0)

Anonymous Coward | more than 2 years ago | (#36935186)

Somebody wanna post a list of sites using this so we know to avoid those sites???

Darn it! (0)

93 Escort Wagon (326346) | more than 2 years ago | (#36935310)

I was kind of hoping this was Google's doing - I was looking forward to the hilarity of watching Slashdotters' verbal and logical contortions while attempting to explain why it's actually a good thing...
