
Zombie Cookies Just Won't Die

CmdrTaco posted about 3 years ago | from the zombie-want-caaaaache dept.

Microsoft 189

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."


189 comments


"Caught with hand in the cookie jar" joke here (4, Funny)

elrous0 (869638) | about 3 years ago | (#37177648)

Microsoft says it'll stop the abhorrent practice

Fixed that for them.

Actually, an even more accurate quote might be:

Microsoft "says" it'll stop the abhorrent practice

Re:"Caught with hand in the cookie jar" joke here (1)

ThisIsSaei (2397758) | about 3 years ago | (#37177766)

Bravo, sir.

Re:"Caught with hand in the cookie jar" joke here (1)

gomiam (587421) | about 3 years ago | (#37177770)

If aberrant [merriam-webster.com] is abnormal, why should they use abhorrent instead? It actually can be both at the same time, IMO.

Re:"Caught with hand in the cookie jar" joke here (0)

Anonymous Coward | about 3 years ago | (#37177848)

Aberrant might imply that it was accidental or unintentional. It might be aberrant, but it's definitely abhorrent.

Re:"Caught with hand in the cookie jar" joke here (3, Insightful)

dkleinsc (563838) | about 3 years ago | (#37177888)

That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

Re:"Caught with hand in the cookie jar" joke here (0)

Anonymous Coward | about 3 years ago | (#37178680)

Actually, the original quote is correct. Microsoft did, in fact, say it will stop the practice - whether it will follow through is another matter.

Using scare-quotes calls into question whether Microsoft ever said they would stop, which is wrong. It does nothing to accentuate the point that Microsoft often says it will stop screwing its users when in fact it just keeps on screwing them.

Re:"Caught with hand in the cookie jar" joke here (-1)

Anonymous Coward | about 3 years ago | (#37178778)

grammar troll much?

Re:"Caught with hand in the cookie jar" joke here (2)

X0563511 (793323) | about 3 years ago | (#37178918)

I think you meant they will "stop" the practice. And by stop, they really mean continue without remorse.

Re:"Caught with hand in the cookie jar" joke here (0)

Anonymous Coward | about 3 years ago | (#37179254)

Hey... take it easy... Microsoft is not the enemy.
Windows is.

Keeps the "Re-install Windows" fix alive (4, Insightful)

billrp (1530055) | about 3 years ago | (#37177728)

which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

Re:Keeps the "Re-install Windows" fix alive (0)

Anonymous Coward | about 3 years ago | (#37177860)

That's what I do. Well, I run Firefox with noscript and useragent switcher in linux, but it pretends to be running under Windows.

And by running it under linux, what I mean to say is that I run it inside a virtual machine that uses linux, but never remembers anything from previous boots.

So every boot is like a fresh install for me, and no supercookies work. Before you say my browser is unique, no, it isn't. I would have to turn javascript on for it to become unique, and sites like msn do not get javascript.

Re:Keeps the "Re-install Windows" fix alive (1)

encrufted (2439088) | about 3 years ago | (#37178856)

Paranoid much?

atmostfear inc. enacts oxygen rationing mandate (0)

Anonymous Coward | about 3 years ago | (#37177750)

just in time? by 2025 anyway. the system will be tested on the totally submerged population living down under southern hillary, in the 3X6 citizen bunkers. the oxygen supply will not be wasted on the southern hillarians, as they are used to a lot of hot air, & have consented to breath the untested synthetic oxygen, developed in an unproven manner, at a secret location. no problems are expected.

the hillarians still must (they have the new pay-per-flush toilets) believe that the crown royals will be victorious, & that they will be unsubmerged, to join us all, in the former state of utah, come hell or even higher water.

disarm. read the teepeeleaks etchings.

*nix fix (2, Insightful)

Anonymous Coward | about 3 years ago | (#37177772)

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Re:*nix fix (2)

camperdave (969942) | about 3 years ago | (#37178004)

True dat! I haven't seen a browser cookie survive a good re-partitioning and OS re-install.

Re:*nix fix (0)

Anonymous Coward | about 3 years ago | (#37178226)

Sweet!

Let me reinstall my OS now to kill those damn buggers. :>

Re:*nix fix (1)

UnknowingFool (672806) | about 3 years ago | (#37178350)

Well nuking something from orbit is the only way to be sure.

Re:*nix fix (3, Insightful)

Z00L00K (682162) | about 3 years ago | (#37179412)

Nuke the cookie servers then.

I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.

Re:*nix fix (1)

SydShamino (547793) | about 3 years ago | (#37178904)

Just wait until they are storing browser cookies in your laptop's battery firmware...

Re:*nix fix (2)

ArcherB (796902) | about 3 years ago | (#37179374)

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Rather than nuking it, why not just restore it to a previous, known good state...

rm -rf ~/.mozilla && rm -rf ~/.macromedia && cp ~/.mozillaGoodCopyWithBookmarksAndStuff ~/.mozilla -R

Proof that cookie alternatives are needed (0)

Anonymous Coward | about 3 years ago | (#37177822)

Cookies are a relic of the 90s. We need a new way of session-tracking that isn't so exploitable by advertisers. Oh wait, I've got it. Encryption. Your key is all you need.

Another reason for DIY Linux (0)

Anonymous Coward | about 3 years ago | (#37177828)

I know it's not for everyone but I'm so tired of Windows drama...
I'm going to stick to my Linux box as for the HTML5 "hiccup" *hit happens.

Just Set Up VMWare (1)

Greyfox (87712) | about 3 years ago | (#37177838)

And run your browser in VMWare, and wipe the VM you run your browser in clean when you exit. Or just don't browse the web anymore, since these shady practices are devaluing the platform as a whole. Which actually might be exactly what Microsoft wants...

Or run a live USB, and re-boot frequently (0)

Anonymous Coward | about 3 years ago | (#37178008)

http://unetbootin.sourceforge.net/

Re:Just Set Up VMWare (0)

Anonymous Coward | about 3 years ago | (#37178168)

The shady practices are the value. Not the value for "we the users", but the value for the folks that need to pay to keep their server running, their code written, and their internet connection on. "we the users" either deal with advertisers love of our data or deal with some form of micro-payments so our services stay on. I'm all for that; get rid of the adverts and charge me some small fee. I'll bet that gets rid of most of the trolls anyway.

Re:Just Set Up VMWare (1)

Eponymous Coward (6097) | about 3 years ago | (#37178926)

Why do advertisers on the web need to know who they are advertising to? They put ads on billboards and on television and only get a very coarse idea of who is seeing them.

Re:Just Set Up VMWare (0)

Anonymous Coward | about 3 years ago | (#37178492)

I can see where you're coming from on that one. :)

Not to be overzealous, but Microsoft is pretty much a Google equivalent when it comes to the "we'll do whatever we want when we want to and all of those little Humans will LIKE IT, damnit."

To extend what you're saying, I can definitely see a time not too far from now where every month (maybe every week?) will come a redesign of lifestyle based on the newest technology that requires less work, less thought, less fear, and less fear of "loss of valuable time" of the users.

Companies will just keep suing and patenting (followed by suing and patenting) to come up with the newest, most "necessary for survival" way of living that squeezes just another percentage of financial resources from individuals until..... One day, we may realize that the whole reasoning behind all of this was to "live an easy life where machines do the work for you" and the fight that ensued has led to multiplication of profitability to achieve said life. Once said life has been obtained, where will the profit come from? We'll have to think of something else to work with instead of money.

Oh, wait, isn't that repetition? Humans are amazing. :>
 

Stop blaming the Sites (4, Insightful)

Anonymous Coward | about 3 years ago | (#37177840)

And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

Re:Stop blaming the Sites (4, Informative)

maxwell demon (590494) | about 3 years ago | (#37177930)

Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

For HTML5 features however, I have to agree with you.

Re:Stop blaming the Sites (3, Insightful)

Hatta (162192) | about 3 years ago | (#37178276)

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Re:Stop blaming the Sites (2)

Kunedog (1033226) | about 3 years ago | (#37178432)

Flash is an external process and thus bypasses browser settings.

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

Re:Stop blaming the Sites (1)

asdf7890 (1518587) | about 3 years ago | (#37178842)

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

That is why people that know what they are doing get their content for surprise birthday planning via "trusted" private trackers not flash infected websites.

Re:Stop blaming the Sites (1)

ifrag (984323) | about 3 years ago | (#37178820)

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Or how about run Flash in a temporary VM which can be immediately destroyed on exit? If there is a way to have security and functionality I'd prefer that.

Re:Stop blaming the Sites (1)

poofmeisterp (650750) | about 3 years ago | (#37178546)

FlashBlock is your friend.

Unfortunately, it won't cover things in Internet Explorer (duh) or things that you actually DO want to view that use Flash.

I don't care about Microsoft doing it. If YouTube (read: Google) does it with blatant intent to steal every bit of information they can...... Oh wait, nothing will happen.

People are too addicted to the things they want and can complain until their blood vessels burst, but they'll continue to use said service.

I'm sort of wasting logical time posting this. I said what I needed to. :)

Re:Stop blaming the Sites (0)

Anonymous Coward | about 3 years ago | (#37178846)

Kind of like Facebook.

I wish I could quit you... No, seriously, I would take a battle axe to your servers if I could.

Re:Stop blaming the Sites (1)

BitZtream (692029) | about 3 years ago | (#37178598)

So the browser shouldn't load the flash plugin, problem fucking solved. Next.

Yes, it can simply refuse to load flash until a version that plays nicely is made, it's not hard, in fact, it's really fucking easy actually.

Wrong Name (0)

Anonymous Coward | about 3 years ago | (#37177844)

If they'd just called it a "Jesus Cookie" no one would be complaining.

Re:Wrong Name (1)

Opportunist (166417) | about 3 years ago | (#37178180)

Then it would at least stay dead for three days.

Re:Wrong Name (2)

AliasMarlowe (1042386) | about 3 years ago | (#37178406)

If they'd just called it a "Jesus Cookie" no one would be complaining.

Then it would at least stay dead for three days.

And bugger off permanently after another 40 days or thereabouts.

Re:Wrong Name (1)

Dracos (107777) | about 3 years ago | (#37178352)

No functional difference there.

Re:Wrong Name (0)

Anonymous Coward | about 3 years ago | (#37178388)

Don't you get Jesus cookies at church? I think they call them wafers or something.

A question (3, Insightful)

jandersen (462034) | about 3 years ago | (#37177878)

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

Re:A question (1)

maxwell demon (590494) | about 3 years ago | (#37177960)

Is there any good reason why one would want to use HTML5 at all?

At least if it's in HTML, plugins can do something against it. For Flash, there's little plugins can do.

Re:A question (0)

Anonymous Coward | about 3 years ago | (#37178340)

You could always, oh, I don't know... not install flash. Or use Flashblock if you actually want it on certain sites.

Re:A question (1)

BitZtream (692029) | about 3 years ago | (#37178636)

Really? A plugin can't just go around watching the flash directory and wipe out files as they are created?

It's not really that hard. It's a hack, but it's entirely doable.

I swear to god, people have no creativity when it comes to solving problems on computers these days.

Re:A question (0)

Anonymous Coward | about 3 years ago | (#37178234)

Is there any good reason why one would want to use HTML5 at all?

Because it mostly obsoletes Flash, thereby opening up lots of things to competition, and some of those competitors will be user-oriented rather than Adobe- and Adobe-customer oriented.

Once you stop using Flash it's easy to forget just how much of a scourge Flash was, but lots of people are still saddled with it and will remain so until they upgrade their tech.

Look at it this way: HTML5 has the capacity to be implemented in a way that is either good or evil, but Flash (and ActiveX) are only implemented once, which just happens to be evil. Anything that has only one implementation will always FUCK THE USER.

Re:A question (2)

The Moof (859402) | about 3 years ago | (#37178558)

a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

When Slashdot ran the article about the JavaScript + HTML5 music player, that was my first impression. I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

Cool new feature vs. security hole (1)

tepples (727027) | about 3 years ago | (#37178676)

I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

When the user explicitly consents to use of a specific local file or folder, it's a "cool new feature". When the user does not consent, it's a "security hole". Think of it as like a file upload control in an HTML form, but it works even when a web application is running offline from cache.

Re:A question (2)

tepples (727027) | about 3 years ago | (#37178632)

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

For one thing, the video, audio, and canvas elements mean not having to deal with Adobe's (historically?) inefficient and security-defective software. For another, CACHE MANIFEST and localStorage allow using a subset of a web application offline for a short period, such as on your laptop while riding the bus, while ceding less control over your system than you would if you were to install a native application.

Re:A question (1)

Anonymous Coward | about 3 years ago | (#37179180)

At least for the video and audio, both Flash and HTML5 are functionally inferior to just <a>'s to files. Windows Media Player can even stream such files without a problem. The only reason website developers want to use Flash is because it makes it hard (for the average user) to save the file locally, while in WMP that's just one click away.
Canvas as a replacement for Flash animation is not nearly fast enough yet; Brackenwood cannot, at least for the moment, be achieved with HTML5 canvas.

From the end-user's perspective, it would have been better if HTML5 had never been thought up, but it wasn't thought up for the end user. If browser vendors were serious about serving end users, they'd make all cookies opt-in by default, and similarly for HTML5 local storage and possibly even the browser cache (which is in essence a kind of local storage anyway).

No problem (5, Informative)

maxwell demon (590494) | about 3 years ago | (#37177880)

The "standard" Firefox plugins already take care of it.

No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
Most tracking cookies come from ad networks -> AdBlock Plus
Most tracking cookies come from third party domains -> RequestPolicy.
And if you get one anyway, you can also get rid of it -> BetterPrivacy.

Re:No problem (3, Interesting)

geminidomino (614729) | about 3 years ago | (#37178032)

Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

Re:No problem (0)

Anonymous Coward | about 3 years ago | (#37178822)

no matter how batshit-loco the design team gets. :(

Wait, the design team? What the fuck have they done? I can't keep up with all the nit-picky retarded stuff the Slashdot community is bitching about anymore. (Not that I particularly want to.)

It's nothing new (1)

badzilla (50355) | about 3 years ago | (#37177910)

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm [microsoft.com]

Re:It's nothing new (1)

Dracos (107777) | about 3 years ago | (#37178438)

And when everybody freaks about LocalStorage and the browsers hamstring or disable it, the trackers will just fall back to using the HTML5 ping attribute which is near perfect for tracking people without cookies. It's one of the many reasons why HTML5 is broken and flawed, but nobody seems to care when there's video, audio, and canvas elements. The only inarguably good thing about HTML5 is the forms improvements.

Re:It's nothing new (1)

AliasMarlowe (1042386) | about 3 years ago | (#37178466)

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm [microsoft.com]

Yet another reason to avoid IE, even in its newer (differently-evil) incarnations.

Re:It's nothing new (1)

Voline (207517) | about 3 years ago | (#37178538)

HTML 5 local storage worries the hell out of me.

Me, too. Safari has an "Advanced Preference" for "Database Storage" to allow "none before asking". I always say "no". But so far only Twitter's website wants to store data on my machine.

Chrome and Firefox don't seem to have a similar preference. I see reference to cache but not local storage or database storage which I think are the relevant terms, here.

To manage localStorage in Firefox 6 (2)

tepples (727027) | about 3 years ago | (#37178790)

To manage localStorage in Firefox 6, open the Options and go to Advanced > Network > Offline Storage.

Huh? (2)

The MAZZTer (911996) | about 3 years ago | (#37177940)

OK so the article cites localStorage as a problem, but Chrome at least treats it the same as cookies when clearing private data, and in incognito it shouldn't persist localStorage data across sessions (not sure about other browsers).

It also mentions that MS was sticking a JS file in the browser cache to recreate a cookie. This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article). But it sounds more like ETags are used, having nothing to do with the JS file being cached or not. I'm not sure how ETags work but I can't imagine they would be effective in incognito mode either since cache is never kept (and the article infers this is necessary).

Did I miss anything?

Re:Huh? (1)

Anonymous Coward | about 3 years ago | (#37178090)

It sounds like they generate a new js file every time it is served, but tell the browser that it can be cached for a long time, while at the same time claiming that it hasn't been modified in years so a new one won't be requested (with a new unique value).

The main problem I see with this approach is that a squid proxy for a school or other large organization would cache this js file and then feed it to everyone in the organization. Now you might have hundreds or thousands of people with a single id. This would be counterproductive for Microsoft, but maybe worth it on the whole.

Before you say there is some value in linking all of these people - they were probably already linked by using the same ip address to begin with (the same squid cache).
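The mechanism described in this comment (a script body generated per client but served as cacheable for a long time), the ETag variant raised in the parent post, and the shared-proxy side effect can all be checked from the client side. The following is an added example, not part of the thread or of any tool named in it: it compares the same script URL as fetched by two clean browser profiles. The sample responses, the example.test host and the finding names are constructed assumptions.

```javascript
// Added example. Every response below is constructed for illustration;
// example.test is a reserved domain, not a real tracker.
const DAY = 86400; // seconds

// Freshness lifetime (seconds) a cache would grant this response.
// Header names are assumed to be lower-cased already.
function freshnessLifetime(headers, nowMs) {
  const cc = headers["cache-control"] || "";
  if (/\bno-(store|cache)\b/i.test(cc)) return 0;
  const m = /\bmax-age\s*=\s*(\d+)/i.exec(cc);
  if (m) return Number(m[1]);
  const expires = Date.parse(headers["expires"] || "");
  if (Number.isNaN(expires)) return 0;
  return Math.max(0, Math.floor((expires - nowMs) / 1000));
}

// Long opaque tokens that appear in bodyA but not in bodyB.
// Long names shared by both copies (function names etc.) drop out.
function uniqueTokens(bodyA, bodyB) {
  const re = /[A-Za-z0-9_-]{16,}/g;
  const inB = new Set(bodyB.match(re) || []);
  return [...new Set(bodyA.match(re) || [])].filter((t) => !inB.has(t));
}

// respA / respB: the same URL fetched by two clean profiles
// (no cookies, empty cache), so any difference is server-assigned.
function auditScript(respA, respB, nowMs) {
  const findings = [];
  const lifetime = Math.min(
    freshnessLifetime(respA.headers, nowMs),
    freshnessLifetime(respB.headers, nowMs)
  );
  const tokens = uniqueTokens(respA.body, respB.body);
  const bodyVaries = tokens.length > 0;

  // A per-client value inside a file the browser keeps for a month or more
  // survives cookie deletion for as long as the cache entry does.
  if (bodyVaries && lifetime >= 30 * DAY) findings.push("per-client-body-long-cache");

  // "Hasn't been modified in years", yet two clients got different content.
  const lm = Date.parse(respA.headers["last-modified"] || "");
  if (bodyVaries && !Number.isNaN(lm) && nowMs - lm > 365 * DAY * 1000) {
    findings.push("old-last-modified-but-body-varies");
  }

  // Without "private", a shared proxy may hand one client's copy to everyone.
  const cc = respA.headers["cache-control"] || "";
  if (bodyVaries && lifetime > 0 && !/\bprivate\b/i.test(cc)) {
    findings.push("shared-cache-storable");
  }

  // Identical bytes but different validators: the ETag may carry the value,
  // since it is echoed back in If-None-Match. Multi-server farms can also
  // cause this, so treat it as a prompt for review rather than proof.
  const ea = respA.headers["etag"];
  const eb = respB.headers["etag"];
  if (respA.body === respB.body && ea && eb && ea !== eb) {
    findings.push("per-client-etag-same-body");
  }

  return { lifetimeDays: Math.floor(lifetime / DAY), tokens, findings };
}

// ---- constructed sample data ----
const SAMPLE_NOW = Date.parse("2011-08-23T00:00:00Z");
const longCache = {
  "cache-control": "public, max-age=31536000",
  "last-modified": "Tue, 01 Jan 2008 00:00:00 GMT",
};
const trackerA = {
  headers: { ...longCache, etag: '"a1"' },
  body: 'var uid="k3J9xQ2mZp7Lw0VbT4ya";setCookie("ID",uid);',
};
const trackerB = {
  headers: { ...longCache, etag: '"b2"' },
  body: 'var uid="Rt8Nc1Hd5Ge2Ys6UoPq3";setCookie("ID",uid);',
};
const libraryA = {
  headers: { ...longCache, etag: '"lib-1"' },
  body: "function initializeCarouselWidget(){return 1;}",
};
const libraryB = { headers: { ...libraryA.headers }, body: libraryA.body };
const etagA = { headers: { "cache-control": "no-cache", etag: '"u-7f3a"' }, body: "var x=1;" };
const etagB = { headers: { "cache-control": "no-cache", etag: '"u-91cd"' }, body: "var x=1;" };

function runSamples() {
  return {
    tracker: auditScript(trackerA, trackerB, SAMPLE_NOW),
    library: auditScript(libraryA, libraryB, SAMPLE_NOW),
    etagOnly: auditScript(etagA, etagB, SAMPLE_NOW),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

An ordinary static library cached for a year produces no findings, because both profiles receive identical bytes and an identical validator.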

Let's all embrace LYNX (0)

Anonymous Coward | about 3 years ago | (#37177950)

with vt100 flash like animations no one would notice the difference.

ZOMBIE BROWSERS (2)

roman_mir (125474) | about 3 years ago | (#37177974)

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there. If this is not clear to the browser developers then there will be more forks built that will be Freer for the users, but there also may be something else done, like a VM to control all of this runaway software. Start it in a VM and when you are done, kill that VM and there is no cookie.

Re:ZOMBIE BROWSERS (3, Interesting)

geekmux (1040042) | about 3 years ago | (#37178288)

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

Since we already know why you should draw a line, the question is where do you draw the line.

Re:ZOMBIE BROWSERS (0)

Anonymous Coward | about 3 years ago | (#37178590)

On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

We say that about Facebook, Google, newspapers and television because it's the plain truth: the money that these companies make comes from advertisers, and the advertisers give them this money in exchange for users' eyeballs. Users pay nothing, advertisers pay everything, therefore advertisers are the customers.

With browsers, it's more complicated.

Chrome, being from Google...probably true, in a convoluted way. Firefox, funded partially by donations but also by Google referrals...partly true. MSIE and Safari are funded (mostly) by the sale of software and hardware, respectively, so mostly false. Opera...heck, how does Opera make money these days?

Re:ZOMBIE BROWSERS (2)

poofmeisterp (650750) | about 3 years ago | (#37179016)

You're 100% correct.

enableHumor();

Let me ask the question that creates a loopback to itself over and over (especially in the USA): "Where do I $BUY$ the browser that doesn't allow any of this and enables me to view an ad-free Internetzzz?"

"Wait, you meant that only YOUR ads wouldn't show? But your advertisement said your browser blocked advertisement if I bought it! Weird wording sold your product, you crafty people, you. Okay, so how do I get a version that really blocks all ads? Oh, an add-on. Weird installing an 'add-on' to block 'ads', but okay... Wait, the add-on isn't compatible with the version I bought??? So what do I do now? I need help because I'm a stupid person that can't figure all of this stuff out. Oh, I $BUY$ your next version and that will let me add this add-on ad-blocking addition? What's that? Your new version is available TODAY? Sweet. I NEED it TODAY! I'll $BUY$ it now!!! Alright, I bought it. Now how do I add the add-on? You don't recommend it? Well, I'll add it on anyway. Okay, it's added on and the ads are blocked. WAIT, they're blocked to your competitors and a few other entities of your own choosing only? Why did I $BUY$ this? Oh, no! I'm so disappointed. I guess I'll just call my lawyer and see what they have to say about this because that's all I know how to do to make it in this world." :)

Re:ZOMBIE BROWSERS (0)

Anonymous Coward | about 3 years ago | (#37179042)

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there.

It's called open source.

why I use Linux (1)

JustNiz (692889) | about 3 years ago | (#37178016)

Microsoft disgust me. After decades of this sort of deceitful behaviour, it is evidently still too much to expect Microsoft to actually do the 'right thing' in the first place.

Even without any sort of ethics, they're also too stupid to actually learn their lesson that all these scams that Microsoft repeatedly perpetrate on their own customers always eventually get discovered and backfire with far more loss of face and therefore sales than presumably they gain from doing the thing in the first place.

Re:why I use Linux (0)

Anonymous Coward | about 3 years ago | (#37178110)

You think this is because of Microsoft?

Hardly. The focus on Microsoft is...deceptive at best, as it ignores how the practice is done by hundreds of others, and they work on any number of other platforms.

You think using Linux makes you safe? Not unless you're taking considerably more steps to protect yourself. You probably aren't, because you'd rather just hate Microsoft.

Not that this is a scam, or perceived as a real problem outside of a small segment of hyper-paranoid nutbars, because sites like Facebook thrive on the whole issue of destroying privacy.

Re:why I use Linux (0)

Anonymous Coward | about 3 years ago | (#37178252)

Isn't it ironic that I don't use Linux in part because many of its users are assholes like you? Grow up.

Re:why I use Linux (1)

d.the.duck (2100600) | about 3 years ago | (#37178508)

That would make you an imbecile. There is a superior product but I refuse to use it because of the user base. I guess you aren't using any OS then.

Re:why I use Linux (0)

BitZtream (692029) | about 3 years ago | (#37178780)

That would make you an imbecile.

Not really, but your reply also makes you an asshole.

He never said it was a superior product.

It would be rather retarded for anyone to blindly state 'Linux is a superior product' without any sort of specifications, that makes you an asshole, and an ignorant one at that. For instance, your superior product is affected in the exact same way as EVERY OTHER FUCKING OS SINCE THE OS HAS NOTHING TO DO WITH IT in this case. The problem discussed here works perfectly fine in Firefox on Linux, so your superior product ... isn't.

So now that you've just shown us how you're an asshole, and he's got a pretty valid point about avoiding Linux cause it has a lot of douche bag asshole losers, why don't you just shut the fuck up and crawl back in your hole in the wall down in mommy's basement.

Fucking ignorant newbies.

Re:why I use Linux (0)

Anonymous Coward | about 3 years ago | (#37179104)

Mod up!

I agree and do the same. Integrity is important. If a company is pulling anti-customer tricks somewhere, you can't trust (or fund) them anywhere.

HTML5 FUD (0)

Anonymous Coward | about 3 years ago | (#37178034)

That HTML5 fud is such rubbish. There's nothing about local storage that makes it immune to private browsing protection. When people start exploiting it, privacy protection will come. It's just data on the disk. Zombie cookies are something else entirely, based on server-side tracking data.

It's depressing how many people write about internet technology seemingly without knowing the difference between client and server.

Speaking of abhorrent... (4, Insightful)

kaizendojo (956951) | about 3 years ago | (#37178148)

Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more widespread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


Segment 758: discount sites including Groupon and eBay Daily Deals
Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks
Segments 984-989: home improvement sites including Home Depot and Grainger
Segment 2701: pages about the Ford Fiesta

Several interest segments are highly sensitive:

Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic
Segment 2640: pages about menopause, including at the NIH and the University of Maryland
Segment 2014: pages about repairing bad credit, including at the FTC
Segment 2265: pages about debt relief, including at the FTC and the IRS"

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That way we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

Re:Speaking of abhorrent... (1)

Tim C (15259) | about 3 years ago | (#37178502)

Actually, nobody said anything about anything abhorrent, the word used was aberrant [cambridge.org]. Of course if they had done as you ask, that really would be aberrant behaviour round here...

Re:Speaking of abhorrent... (0)

Anonymous Coward | about 3 years ago | (#37178616)

oh simmer down with all your "rational" talk, you.

Re:Speaking of abhorrent... (1)

poofmeisterp (650750) | about 3 years ago | (#37179144)

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed?

Indirect quote (*snort*):

*temper tantrum*
"Because there's no ca$h in that!!!! I want money and I'm gonna say what I want to get that from you, you person who is easily deceived by want, you. My daddy taught me that!" :)

private-browsing features can't stop them (1)

Ex Machina (10710) | about 3 years ago | (#37178186)

Can't you set up browsers to prompt to create local storage?

"zombie cookies" means Flash cookies (5, Interesting)

Sloppy (14984) | about 3 years ago | (#37178362)

Can't you set up browsers to prompt to create local storage?

The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

Ready?

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allow them to run native code that totally bypasses all the browsers' policies.

Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

Slashdot should not have linked to this piece of shit.

Re:"zombie cookies" means Flash cookies (1)

macshit (157376) | about 3 years ago | (#37178618)

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies.

Soooooo, can't you just delete the Flash cookie directory? That seems like it'd nuke 'em pretty good...

Re:"zombie cookies" means Flash cookies (1)

Inda (580031) | about 3 years ago | (#37178758)

TFA was also talking about HTML5 and its ability to perform local storage.

Was the article that shit? Have I really been duped? Twice?

Re:"zombie cookies" means Flash cookies (5, Insightful)

BitZtream (692029) | about 3 years ago | (#37178880)

It actually wasn't about flash cookies.

It was about using browser cache as a storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which in turn functions as a cookie when used by various pages that reference it.

Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

Your browser caches it and then doesn't request a new copy for 100 years. Why should it? It was told the file isn't going to change.

The data in the file now serves as a unique ID which can be used to associate your browsing habits.

THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.
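A defender-side check for the cache behaviour described in the comment above, added here as an example that is not part of the original thread: it flags scripts that are cacheable far into the future and whose body differs between two clean browser profiles. The URLs, headers and bodies are constructed sample data, and the one-year threshold is an assumption.

```javascript
// Added example; every URL, header and body here is constructed sample data.
const ONE_YEAR = 365 * 24 * 3600; // assumed threshold, in seconds

// Freshness lifetime in seconds; max-age takes precedence over Expires (RFC 7234).
function freshnessLifetime(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = (h['cache-control'] || '').toLowerCase();
  if (/\bno-store\b/.test(cc)) return 0;
  const m = cc.match(/\bmax-age=(\d+)/);
  if (m) return Number(m[1]);
  const delta = (Date.parse(h['expires']) - Date.parse(h['date'])) / 1000;
  return Number.isFinite(delta) && delta > 0 ? delta : 0;
}

// Flag scripts that stay fresh beyond the threshold AND whose body differs
// between two clean profiles: a per-client value pinned in the cache.
function auditPinnedScripts(profileA, profileB, threshold = ONE_YEAR) {
  const findings = [];
  for (const [url, a] of Object.entries(profileA)) {
    const b = profileB[url];
    if (!b) continue;
    const lifetime = Math.min(freshnessLifetime(a.headers), freshnessLifetime(b.headers));
    if (lifetime > threshold && a.body !== b.body) findings.push({ url, lifetime });
  }
  return findings;
}

// Constructed responses: expiry 100 years ahead, "last changed" 100 years ago.
const pinned = {
  Date: 'Thu, 25 Aug 2011 12:00:00 GMT',
  Expires: 'Tue, 25 Aug 2111 12:00:00 GMT',
  'Last-Modified': 'Fri, 25 Aug 1911 12:00:00 GMT',
};
const longLived = { 'Cache-Control': 'public, max-age=63072000' };
const shortLived = { 'Cache-Control': 'max-age=300' };
const SAMPLE_A = {
  'https://tracker.example/cookie.js': { headers: pinned, body: 'var id="A-0001";' },
  'https://cdn.example/lib.js': { headers: longLived, body: 'lib();' },
  'https://site.example/app.js': { headers: shortLived, body: 'nonce=1;' },
};
const SAMPLE_B = {
  'https://tracker.example/cookie.js': { headers: pinned, body: 'var id="B-0002";' },
  'https://cdn.example/lib.js': { headers: longLived, body: 'lib();' },
  'https://site.example/app.js': { headers: shortLived, body: 'nonce=2;' },
};
console.log(auditPinnedScripts(SAMPLE_A, SAMPLE_B));
```

Only the tracker script is reported: the long-lived library is identical for both profiles, and the per-request nonce script expires in minutes.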

Re:"zombie cookies" means Flash cookies (1)

the_humeister (922869) | about 3 years ago | (#37179348)

Why not just clear the cache every once in a while then?

Noobs (0)

Anonymous Coward | about 3 years ago | (#37178202)

Yeah... cause it's so difficult to disable cookies, Flash, JavaScript and this newfangled HTML5 storage by default and only enable them on sites where they're needed, and use a good URL filter.

Hasn't anyone heard of AdBlock? Or better yet, Opera, which can do all of this without extensions.

Extreme measures? (2)

neokushan (932374) | about 3 years ago | (#37178250)

A lot of commenters here seem to be taking what I would consider as extreme measures in order to avoid these cookies. Running your browser in a VM which resets each time you close it? Installing numerous addons (I see someone listed 4 you need to install to cover yourself)? Does anyone else not think that perhaps instead of avoiding the issue, it should be tackled head on?

What I mean is - if this is such a serious issue, why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it? The so-called zombie cookie (or Supercookie) exists because we let it exist. It's clearly an exploit in the way various technologies work together and it should be treated as such, i.e. patched until it can't be done any more.

Furthermore, any company that uses this tactic should be taken to court since it's a clear and deliberate violation of privacy. I.e. if I decide to delete a cookie, I'm making it explicitly clear that I want it gone - I'm opting OUT, so keep it that way.

Re:Extreme measures? (0)

Anonymous Coward | about 3 years ago | (#37178398)

Just because it is the right thing to do, does not mean that it is legally required for companies to do. Laws lag behind technology by a few decades.

Re:Extreme measures? (1)

PPH (736903) | about 3 years ago | (#37179294)

And not every web site is run by a law abiding or standards compliant entity (company or individual). Or an entity within our legal jurisdiction. I mean, look at the problems we had getting people to adopt the evil bit [wikipedia.org] standard.

what is this "users can't delete"? (0)

Anonymous Coward | about 3 years ago | (#37178256)

It's a file on my damn disk. I somehow really doubt they have found a way to make it immune to "rm".

Why is technical illiteracy of even the most basic operations of computers so rampant these days?

Problems with HTML5 (2)

Toonol (1057698) | about 3 years ago | (#37178274)

I'm mostly glad to see the implementation of HTML5 everywhere, but it has some problems.

People thought that you could get rid of a lot of annoyances by increasing HTML5's capabilities to become more on par with Flash. Flash could be ditched. However, all it really means is that all the nuisances that were made in Flash (animated and noisy ads, commercials, persistent cookies, etc.) will now be made in HTML.

Flash wasn't really the problem... it was just one of the vectors FOR the problem. Now, HTML5+Javascript will take Flash's place in the eyes of marketers and spammers everywhere.

Re:Problems with HTML5 (1)

BitZtream (692029) | about 3 years ago | (#37178932)

This has absolutely 0 to do with HTML5 and works in any browser since (and including) Netscape Navigator.

It does not, however, get around private browsing (at least not by itself; current Flash implementations would allow it to do so, however).

Re:Problems with HTML5 (0)

Anonymous Coward | about 3 years ago | (#37178988)

Flash wasn't really the problem... it was just one of the vectors FOR the problem.

But with HTML 5, web browsers can better filter the obnoxious behaviour. With Flash, you either allow a Flash movie or you don't.

Sandbox it! (0)

Anonymous Coward | about 3 years ago | (#37178290)

It's easy to deal with these zombie cookies. All you need is to use a sandbox when you browse. Two products come to mind. I always use Sandboxie when I browse or run untrusted programs. I also use VirtualBox.

zombie cookie = old-timey virus (0)

Anonymous Coward | about 3 years ago | (#37178304)

What's the difference between a zombie cookie and an old-timey virus from back in the day? Why is it somehow okay for companies to infect users' computers with viruses but it's not okay for "bad guys" to do it?

Malware (0)

Anonymous Coward | about 3 years ago | (#37178338)

I believe that these types of cookies (the ones that stay on your system without your permission and are next to impossible to remove) should be classified as malware. I don't want it on my computer, they insist on putting it on my computer, and I can't get rid of it. If that isn't malware, then it's the same garbage by another name.

Re:Malware (0)

Anonymous Coward | about 3 years ago | (#37178600)

"next to impossible to remove"

Please don't spread FUD and technical illiteracy. They are no more difficult to remove than any other file. Anyone with even a halting familiarity with the operation of a computer should be able to do it.

Please stop with the glorification of stupidity.

Make your own supercookie (1)

watermark (913726) | about 3 years ago | (#37178482)

This reminded me of an old Slashdot article about Evercookie http://samy.pl/evercookie/ [samy.pl]

Diff? (1)

fuzzyfuzzyfungus (1223518) | about 3 years ago | (#37178486)

Please correct me if I am wrong on this; but it would seem that, in principle, it would be quite tractable to generate a 'local persistence profile' tracing the activity generated by loading a URL as a series of addition, deletion, and modification operations to the state that existed before the URL was loaded (in the same way the various browsers' dev tools allow you to trace the network activity and script execution associated with loading a URL). With that, the user would have broad power (limited largely by their desire not to wade through a massively complex interface) to immediately roll back all changes made on exit, on leaving the site, or on some schedule. Wrapping that in an interface simple enough to be used and powerful enough to be useful would be a bit tricky; but you'd have an extremely granular revision-control style record to work with, which would make adding a few basic features comparatively simple (i.e. "All changes that occur when running in Porn Mode are reverted on exit" or "all changes that occur when I load evil.com are reverted when I navigate away from evil.com".)

It would even be doable, probably through the use of site-specific addons developed by the knowledgeable, to selectively roll back certain changes but not others (i.e. if webmailfoo writes a cache of my last 30 days of email to a local store, I don't want to roll that back; but I do want to roll back the changes made by the fooad network...) or even to programmatically modify locally stored data (that aren't cryptographically signed, or otherwise protected from any tampering other than deletion...)

The local threat certainly isn't getting any easier or less complex; but it is, at least, a software problem. It's the remote threat that you really have to worry about. Covering your tracks against a reasonably smart remote agent turns out to be pretty difficult, and you can't (legally) just go and purge their systems.
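A sketch of the "local persistence profile" idea from the comment above, added here as an example that is not part of the original thread: it records a page load as add, modify and delete operations against a snapshot, then rolls back only the operations a policy selects. The "store|origin|name" key layout, the `.example` origins and all values are assumptions made for the illustration.

```javascript
// Added example; stores, origins and values are constructed.
// A state is a Map from "store|origin|name" to a string value (assumed layout).
function diffState(before, after) {
  const ops = [];
  for (const [key, value] of after) {
    if (!before.has(key)) ops.push({ op: 'add', key, value });
    else if (before.get(key) !== value) {
      ops.push({ op: 'modify', key, old: before.get(key), value });
    }
  }
  for (const [key, old] of before) {
    if (!after.has(key)) ops.push({ op: 'delete', key, old });
  }
  return ops;
}

// Undo the ops selected by shouldRevert. An op is skipped and reported as a
// conflict if the live state no longer matches what that op left behind.
function rollback(state, ops, shouldRevert = () => true) {
  const result = new Map(state);
  const conflicts = [];
  for (const o of ops) {
    if (!shouldRevert(o)) continue;
    const current = result.has(o.key) ? result.get(o.key) : undefined;
    const expected = o.op === 'delete' ? undefined : o.value;
    if (current !== expected) { conflicts.push(o.key); continue; }
    if (o.op === 'add') result.delete(o.key);
    else result.set(o.key, o.old); // restores modified and deleted entries
  }
  return { state: result, conflicts };
}

const originOf = (key) => key.split('|')[1];

// Constructed snapshots taken before and after loading one page.
const BEFORE = new Map([
  ['cookie|webmailfoo.example|session', 's1'],
  ['cookie|fooad.example|seg', '758'],
]);
const AFTER = new Map([
  ['cookie|webmailfoo.example|session', 's1'],
  ['localStorage|webmailfoo.example|mailcache', '30 days of mail'],
  ['cookie|fooad.example|seg', '758,2701'],
  ['localStorage|fooad.example|uid', 'u-123'],
  ['cache|fooad.example|/cookie.js', 'var id="u-123";'],
]);
const OPS = diffState(BEFORE, AFTER);
const onlyAdNetwork = (o) => originOf(o.key) === 'fooad.example';
console.log(rollback(AFTER, OPS, onlyAdNetwork));
```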

Don't know about HTML5, but... (1)

marian (127443) | about 3 years ago | (#37178776)

I just change the permissions on my cookies file to read only.

You gotta (0)

Anonymous Coward | about 3 years ago | (#37178812)

Shoot them in the head and destroy the brain.

Fake Cookies (1)

retroworks (652802) | about 3 years ago | (#37178870)

Invisibility is futile. We need fake cookies, or randomly collected cookies, so that the advertising value of a cookie falls, i.e. "information inflation". Sure, Vehix knows now that I was car shopping, but what if EVERYONE had a copy of the Vehix search on their HTML? What if in addition to the car I was really searching for, my browser held a record of every other car I wasn't interested in? Why can't we just run a random program, searching for random words, in the background, loading up on Zombie cookies from everywhere? "I'm Spartacus" http://retroworks.blogspot.com/2010/09/simpler-ideas-cookie-camouflage-digital.html [blogspot.com]