Re: evercookies.

2016-08-28 Thread Richard Z
On Sat, Aug 27, 2016 at 08:48:58AM -0700, stan wrote:
> On Sat, 27 Aug 2016 12:10:26 +0200
> Richard Z  wrote:
> 
> 
> > Firefox is doing this. You have to disable the spyware called "safe
> > browsing" to get rid of it. And yes, it has been exploited by
> > intelligence agencies around the world and may submit every single
> > URL you visit to google if they want it.
> > 
> > https://bugzilla.mozilla.org/show_bug.cgi?id=368255
> > 
> 
> That was an interesting read.  Thanks.
> 
> I actually run nightly compiled locally, with a .mozconfig that turns
> off lots of firefox capability that I don't need, and is just attack
> surface for me.  I don't have safe-browsing enabled, but I don't have
> it disabled explicitly either, so it must be a default setting. I'll
> compile it out from now on. Safe-browsing! Talk about double speak.

it is indeed enabled by default. Perhaps Fedora should disable that
default. I can't remember when it ever warned me about a malicious
site but it certainly causes extra traffic and additional spying 
opportunities.

> In that bugzilla the google guy noted the hostility to google.

he also never answered valid concerns mentioned in the thread. It would 
have been quite easy to avoid many concerns and the later confirmed 
abuse of this cookie: just set the cookie against a different domain or 
the precise subdomain as requested in comment 16 and asked repeatedly 
again later in the thread. This would mean the cookie would be sent
only for requests to safe-browsing and not for any other connection 
anywhere in google world (search, maps, mail, youtube...).
This would have also reduced the network traffic they were so 
anxious about so it doesn't make sense technically to require 
a cookie against the main domain.
The answer in comment 17 is less than convincing imho. I don't think
the author of that comment is quite as naive about computer security
and privacy as he pretends there.

The good news however is that the cookie now seems to be sandboxed,
https://bugzilla.mozilla.org/show_bug.cgi?id=897516
although I haven't looked into the code if it is really enabled
now.
Some concerns remain, it appears impossible to expire this cookie
and in principle a sophisticated attacker may still be able to get
a complete list of the URLs that are visited - it will be only
slightly more work to connect it with a particular user.

> Of course, google have woven themselves so successfully into the web,
> they probably don't need this data to perfectly identify a browser
> everywhere it goes.  :-)

google is not the only one who could be abusing this data.

Richard

-- 
Name and OpenPGP keys available from pgp key servers
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
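
The scoping point made in the message above (a cookie set against the main domain versus the precise subdomain), as an added example that is not part of the original posts: a small model of the RFC 6265 storage and domain-matching rules, showing which hosts receive the cookie under each choice. Host names other than safe-browsing.google.com, and the cookie name and value, are constructed.

```python
# Added illustration (not from the thread): RFC 6265 cookie scoping.
# Host names other than safe-browsing.google.com, and the cookie name and
# value, are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: equal, or host is a subdomain of domain (never for IPs)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def store_cookie(origin_host: str, name: str, value: str,
                 domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Apply the storage rules that decide a cookie's scope.

    No Domain attribute -> host-only cookie bound to the exact origin host.
    Domain attribute    -> must cover the origin host, else the cookie is
                           rejected; once stored it goes to that domain and
                           every subdomain of it.
    Public-suffix rejection, Path, Secure and expiry are left out here.
    """
    origin_host = origin_host.lower()
    if not domain_attr:
        return Cookie(name, value, origin_host, host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_match(origin_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    request_host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_match(request_host, cookie.domain)


def audience(cookie: Cookie, hosts: List[str]) -> List[str]:
    return [h for h in hosts if is_sent_to(cookie, h)]


SETTER = "safe-browsing.google.com"
HOSTS = [SETTER, "www.google.com", "mail.google.com", "maps.google.com"]


def compare_scopes():
    """Same cookie, three scoping choices, and who receives it in each case."""
    wide = store_cookie(SETTER, "example_id", "constructed", "google.com")
    exact = store_cookie(SETTER, "example_id", "constructed", SETTER)
    host_only = store_cookie(SETTER, "example_id", "constructed")
    return {
        "Domain=google.com": audience(wide, HOSTS),
        "Domain=safe-browsing.google.com": audience(exact, HOSTS),
        "host-only (no Domain)": audience(host_only, HOSTS),
    }


if __name__ == "__main__":
    for scope, hosts in compare_scopes().items():
        print(f"{scope:<34} -> {hosts}")
```
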


Re: evercookies.

2016-08-27 Thread stan
On Sat, 27 Aug 2016 12:10:26 +0200
Richard Z  wrote:


> Firefox is doing this. You have to disable the spyware called "safe
> browsing" to get rid of it. And yes, it has been exploited by
> intelligence agencies around the world and may submit every single
> URL you visit to google if they want it.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=368255
> 

That was an interesting read.  Thanks.

I actually run nightly compiled locally, with a .mozconfig that turns
off lots of firefox capability that I don't need, and is just attack
surface for me.  I don't have safe-browsing enabled, but I don't have
it disabled explicitly either, so it must be a default setting. I'll
compile it out from now on. Safe-browsing! Talk about double speak.

In the meantime, I can just turn it off in preferences.

And your answer clears up what I was seeing in the umatrix log.  There
were lots of entries for safe-browsing.google.com.  And I even saw the
cookie get recreated there, after self-destructing cookies had removed
it, as a persistent-cookie.

In that bugzilla the google guy noted the hostility to google.  But it
has to be admitted that this is definitely a conflict of interest for
them.  They make more money, the more they know about the person they
are serving the ad to.  So, a promise to not use data goes against
their business incentives.  Sort of like adblock plus selling exceptions
to their ad blocking to ad providers.

Of course, google have woven themselves so successfully into the web,
they probably don't need this data to perfectly identify a browser
everywhere it goes.  :-)


Re: evercookies.

2016-08-27 Thread Richard Z
On Tue, Aug 23, 2016 at 09:03:02AM -0700, stan wrote:
> On Tue, 23 Aug 2016 20:05:31 +0930
> Tim  wrote:
> 
> > Allegedly, on or about 22 August 2016, William Mattison sent:
> > > "evercookies"  
> 
> 
> > As users, we get sick of cookies (and related shit), and disable them.
> > The evil bastards decide that they will not obey and make it harder
> > and harder to avoid these things.  Essentially, they are hacking our
> > computers, and I'm of the mind that they should get jail time for
> > that.
> > 
> 
> So, this brought evercookies to my attention.  I noticed that even when
> offline, there was a google cookie in my cookie directory, even though
> google is not whitelisted.  So, I deleted it.  And, lo and behold, it
> came back.  Like that old song, "The very next day, the cat came back,
> 'cause it couldn't stay away."
> 
> This makes me suspect that google is using something like an
> evercookie.  I have self-destructing cookies plugin, delete lso cookies,
> have html5 storage turned off, keep the cache cleared, and yet, there
> it is, while I'm offline.


Firefox is doing this. You have to disable the spyware called "safe browsing"
to get rid of it. And yes, it has been exploited by intelligence agencies 
around the world and may submit every single URL you visit to google if
they want it.

https://bugzilla.mozilla.org/show_bug.cgi?id=368255

Richard

-- 
Name and OpenPGP keys available from pgp key servers


Re: evercookies.

2016-08-25 Thread Robin Laing

On 24/08/16 20:51, William Mattison wrote:

(I'm replying to the entire discussion as of Wednesday evening US
Mountain time.)

I'm now wondering if evercookies can really be fully blocked.  I do
want to block what I reasonably can.  But as was pointed out, a lot
of wanted web functionality needs cookies.  So now I'm mainly focused
on getting them deleted when I close a tab or the browser.

* My Firefox is set to never remember history.  It clears all
"regular" cookies, cache, and browsing history when I exit Firefox,
right?  What about evercookies?

* Fingerprinting was mentioned.  Wikipedia has two relevant
fingerprinting articles: device (browser) fingerprinting and graphic
fingerprinting.  The device fingerprinting article makes this curious
statement: "Recently such fingerprints have proven useful in the
detection and prevention of online identity theft and credit card
fraud.  In fact, device fingerprints can be used to predict the
likelihood users will commit fraud based on their signal profile,
before they have even committed fraud." So now we're stuck in a
love-hate relationship with fingerprinting.  Having experienced
credit card fraud at least 3 times, I want what those two Wikipedia
sentences mention.  But I hate commercial sites tracking, profiling,
and targeting me.  I also understand that the advertising is needed
to have "free" content on the web.  I accept "generic"
(non-personalized) advertising that is not intrusive and not
deceptive.  The rest actually affects me opposite of what the
advertiser intends: it pushes me away!  So what / how much
fingerprinting to allow vs. try to block?

* Does NoScript block evercookies or the fingerprinting parts of
allowed scripts?

* I recently looked at Adblock Plus, and saw the same
conflict-of-interest noted by others in this discussion.  I will look
at the alternatives mentioned in this discussion.  I also saw the
separate "Browser Privacy" topic started by Drew.  I've since turned
off html5 storage, and will study the other recommendations there.

* It seems CCleaner is for windows but not Linux.  I am indeed
looking for windows-7 solutions, but I'm also looking for Fedora
solutions.  How can I clean out evercookies on my Fedora
workstation?

* Stan - In your last message on this topic, you implied you are
abandoning Adblock Plus and said you are using "tracking blockers".
Which?

Thank-you, everyone. Bill.


Cookies are one of my pet peeves.  I have tried to avoid them as much as 
possible.  I don't see any cookies on my account so I may be doing 
something right.


Better Privacy is supposed to help clear out super cookies.  As it 
states, these are long term cookies.


Cookie Controller was recommended to control cookies when Firefox
removed the "Ask Me Every Time" privacy feature.  I have not found it to
be as good as "Ask Me Every Time".

Being that the cookies re-appear when off-line, makes me think that the
cookies are evercookies or another app that uses Firefox and stores a
cookie on the system.

A plugin that I have used is "Modify Headers".  You can make your 
browser look like it is on a Windows machine and Microsoft Edge from 
your Firefox.


I also clear my history and cache on logout.  Also do this from time to 
time during my sessions which in many cases last between reboots for 
kernel updates.


There are some sites that are a problem with the tools I use and in most 
cases, I just avoid them.  For some, I need access so I have a separate 
account just for those situations where the whole browser directory is 
deleted after use.  Mainly shopping sites which have a tendency to use 
many third party sites.


Robin



Re: evercookies.

2016-08-25 Thread stan
On Thu, 25 Aug 2016 02:51:56 -
"William Mattison"  wrote:

> (I'm replying to the entire discussion as of Wednesday evening US
> Mountain time.)

[snip]

> * Stan - In your last message on this topic, you implied you are
> abandoning Adblock Plus and said you are using "tracking blockers".
> Which?


Privacy Badger.  In fact, I've come to rely on it almost exclusively
for active tracking denial.  My reasoning is that surreptitious
tracking is virus like.  That is, the people doing it are actively
evolving their attacks, and disregarding user preferences.  So any fixed
response is always one generation behind the bad guys.  Privacy Badger
is a form of AI, that looks for behavior that indicates tracking,
rather than "making a list, and checking it twice".  So, when a new
tracker appears, it learns and automatically blocks it.  I haven't
looked at the code, so I don't know how sophisticated the algorithm is
- given time and effort, I think it could become *very* sophisticated;
intercepting javascript calls to determine who's calling, checking
content creation, etc. Evercookies are like a real virus in that they
*have* to do certain things if they are to survive, so blocking those
things, or looking for them and removing them, will kill an evercookie.

I also use self-destructing cookies and better privacy and no
google analytics plugins. Ten seconds after I close a site, all cookies
exclusive to that site are deleted.  I have html5 local storage turned
off, so I don't allow third parties to store data on my computer that
way.  I also have self-destructing cookies set to clear the local cache
after a few minutes of inactivity (they suggest a few seconds, I think).

I don't run flash.  Sometimes a little inconvenient, but most sites are
moving away from it.  And in a few years (2018), when all the patents on
mpg have expired (I think there are only two left), html5 will be able
to use mpg as the fallback, and that will displace even more flash.
Flash also seems to have regular security breaches.

This link has a conversation about evercookies, and blocking them.  It
isn't very optimistic reading.  One of the responses suggests using a
technique very like what Drew Samson suggested, and took it further by
using TOR, and remapping the MAC address of the virtual environment.  A
bridge too far for me.  At some point, the mitigating measures become
too burdensome.

I notice that the suggestion of using private browsing got a downvote,
but everything I've read suggests that this does block evercookies.

http://security.stackexchange.com/questions/38101/how-can-i-protect-myself-from-evercookies

I used to use ghostery and noscript, and I think noscript definitely
helps with blocking google and facebook, since it doesn't allow their
ubiquitous content to run unless manually enabled.  And I used to see
ghostery blocking lots of sites - but it uses a static list of sites,
sites which are trackers and good to block, but only as up to date as
their information. I find privacy badger blocking the things I want
blocked when I look.  Noscript also keeps unwanted video from running
when visiting sites.  Hmmm, I've almost talked myself into enabling
it again.  :-)  Maybe I'll try the uMatrix that Ahmad Samir suggested.

I've been checking for where google is storing the data that re-creates
their cookie after I delete it.  I haven't found it yet, but I'll keep
looking.  It's the only cookie that does re-create itself, so that's
an indication that what I'm doing is mostly working. Google has lots of
smart people working there, so they could have taken the evercookie
idea and moved it in new directions.  And they could have put back
doors into chrome and firefox.  I doubt that they use the evercookie
name or code, they'll have obfuscated it, perhaps made it part of a
legitimate function call.

I wonder how well creating a git, or other, repository around
the .mozilla directory and doing diffs before and after browsing would
work for finding hidden content?  Or using the signature in the cookie,
and doing a grep of the .mozilla directory, looking for that sequence.
Ideas to try.  The arms race continues.
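
One way to try the two ideas in the message above (snapshot the profile directory before and after browsing and compare, and search every file for the cookie's value), as an added example that is not part of the original post. It uses content hashes instead of a git repository, and the file names and cookie value in demo() are constructed.

```python
# Added illustration (not from the thread). File names and the cookie value
# in demo() are constructed stand-ins for a browser profile directory.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff(before, after):
    """Files added, removed or modified between two snapshots."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in before.keys() & after.keys()
                          if before[p] != after[p]),
    }


def contains(path, needle, chunk_size=1 << 20):
    """Raw byte search that also catches a needle straddling two chunks."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return False
            window = tail + block
            if needle in window:
                return True
            tail = window[-keep:] if keep > 0 else b""


def find_value(root, value):
    """Relative paths of all files whose raw bytes contain the cookie value."""
    root = Path(root)
    needle = value.encode() if isinstance(value, str) else value
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*")
                  if p.is_file() and not p.is_symlink() and contains(p, needle))


def demo():
    """Constructed profile: cookie deleted, one stray copy left, then a session."""
    token = "CONSTRUCTED-COOKIE-VALUE-0001"
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "hidden").mkdir()
        # State right after the cookie was deleted: one copy survives elsewhere.
        (profile / "cookies.sqlite").write_bytes(b"SQLite format 3\x00 (empty)")
        (profile / "prefs.js").write_text("// constructed prefs\n")
        (profile / "hidden" / "store.bin").write_bytes(
            b"\x00\x01" + token.encode() + b"\xff")
        before = snapshot(profile)
        survivors = find_value(profile, token)

        # Simulated browsing session: the cookie is back, a cache entry appears.
        (profile / "cookies.sqlite").write_bytes(
            b"SQLite format 3\x00 " + token.encode())
        (profile / "cache").mkdir()
        (profile / "cache" / "entry-0001").write_bytes(b"unrelated bytes")
        changes = diff(before, snapshot(profile))
        return survivors, changes, find_value(profile, token)


if __name__ == "__main__":
    survivors, changes, after = demo()
    print("copies left after deletion:", survivors)
    print("changes during session:   ", changes)
    print("copies after session:     ", after)
```

Run it against a copy of the profile taken while the browser is closed; a raw byte search will not find a value that is stored compressed or encoded.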


Evercookies & other malware: A different approach

2016-08-25 Thread Drew Samson
As I've been contemplating this over the last few days it occurred to me 
tools to deal with this effectively are readily at our disposal. The 
bullet-proof way to deal with this is related to what I wrote a few days 
ago. As I mentioned, I do my web browsing inside virtualbox and 
virtualbox has what are called immutable images. I can make my vm disk 
read-only and it's easy to do. I know this is not a viable solution for 
some, however for those who are able to go this route it really doesn't 
matter what gets loose or written to obscure locations since it'll all 
be wiped out after a restart. Hence: no tracking and no malware 
possible...persistently anyway.


I also looked into other ways this may be accomplished from within the 
OS itself. I haven't implemented or experimented with this since what 
works for me takes all of 5 minutes yet I list it so that perhaps it may 
be helpful in giving someone else a solution that works for them.


Tool: firejail & firectl - from their page...

*"Firejail* is a SUID program that reduces the risk of security breaches 
by restricting the running environment of untrusted applications using 
Linux namespaces and seccomp-bpf. It allows a process and all its 
descendants to have their own private view of the globally shared kernel 
resources, such as the network stack, process table, mount table."


It also has a ready template for Firefox.
https://firejail.wordpress.com/
The latest version: 0.9.42-rc1 released 7/21/16

https://lwn.net/Articles/671534/ firejail review
http://www.pcreview.co.uk/threads/firejail.4069760/ another review

I'm not sure if this would prevent tracking however since I haven't used 
the tool and don't know if it's easy to "reset" the environment once an 
app closes. I also considered a permissions-based approach yet after 
considering it it doesn't seem much different than using a gui plugin: 
if a browser doesn't have permission to write a cookie or run a script 
it would probably respond just like the gui tools banning the same.


Also let me be clear my "bulletproof" comment above was only in the 
context of malware; not protection from a hacker/cracker since if they 
were able to jump out of the vm into the host...then obviously they've 
also left the ro env.


hth.

Drew





Re: evercookies.

2016-08-25 Thread Tim
Allegedly, on or about 25 August 2016, William Mattison sent:
> I'm now wondering if evercookies can really be fully blocked.  I do
> want to block what I reasonably can.  But as was pointed out, a lot of
> wanted web functionality needs cookies.  So now I'm mainly focused on
> getting them deleted when I close a tab or the browser. 

If you're allowing them during a session, you are being databased.  Even
if you dump them at the end, they've managed to do their trick.  You'd
pretty much have to wipe and burn every time you go to another website
to avoid being tracked.  And the point of the evercookies kind of
techniques is to keep on tracking you, no matter how often you break the
link.

I dare say that using a search engine is probably the worst of the lot.
It's going to get the widest view of what you do, as opposed to
individually loading up your news site, then wiping and clearing,
opening up your shopping site, then wiping and clearing, etc.

Of course, your need for privacy differs from the next person, so that
will affect how far you're going to combat it.  One person's sick of
advertising, or certain types of advertising, another person wants to
avoid being defrauded, another person's trying not to get killed by
their monstrous government...

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

If you are not the intended recipient, why are you reading their email?
You bastard!




Re: evercookies.

2016-08-25 Thread Tim
Tim:
>> a. Not that it's the DNS protocol, but a DNS server, that was
>> implicated.  DNS servers can keep access logs, too.

Joe Zeff:
> And, to be equally blunt, you were asserting that DNS servers could be 
> used to set evercookies on your machine and I was refuting that claim. 

Not I...  The information comes from someone else, originally.  I did
explain how, though.

> And even if they do keep logs, they won't do you much good unless you 
> know exactly what IP address to search for, which won't be of any help 
> if your target's on the road using various free WiFi hotspots, or 
> sharing a connection (and IP) with several other people, such as in an 
> office environment.  I won't say that you can't build up a profile of a 
> specific person that way, but I doubt that's cost effective in terms of 
> targeting advertising.

The majority of users, at this point, will probably be using a fixed
device.  Either their PC at home, or their mobile phone, on their own
phone service provider.  Either stands a good chance of always having
the same IP, or some other way of fingerprinting them.

And considering just how widespread google is, for instance, you can go
to *almost* *any* website, and there'll be some google content
incorporated into it (virtually every website I looked at yesterday).
Just like doubleclick used to be.  Making it all the more easy to keep
tabs on you.

It's a trivial databasing exercise, if you're familiar with actual
relational databases, rather than flat spreadsheet barebones types of
databases that people use from day to day.

One database of DNS queries from one IP.
Another database of websearches from one IP.
Get the computer to join the dots for the overlapping records.

It's what databasing used to be about - what things in this set of
records co-relate to things in this other set of records (relational
databasing), as opposed to just pull up the single file on John Doe and
read his record (flat files).  Then carry on and do the same co-relation
exercise across some other records.

Since it's actually a trivial thing (co-relating records when you're the
world's biggest database), I say it would be cost effective, if you're
actually trying to drive sales from the advertising, rather than just
throw advertising at someone that's going to be ignored.  Particularly
when you're making the advertiser pay per advert, they want value for
their money, and want their adverts to go to likely customers.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Long ago I gave up on using Windows (TM) [Tantrum Machine], and I've
never regretted it.




Re: evercookies.

2016-08-25 Thread George N. White III
On Wed, Aug 24, 2016 at 10:08 PM, Tim  wrote:


>
> You really do have to be one of the tinfoil hat brigade, never logging
> in, using things like TOR, stealing other people's WiFi, changing IPs,
> etc., all of the time to be able to avoid that kind of big brother
> watching (in the Orwellian sense)
>
>
Not to mention never shopping online, giving email to vendors, joining
loyalty programs, etc.   There are downsides, such as being told you can't
have electricity or phone service because you don't have a credit history.
I'm not that extreme, but I do try to minimize my profile.

I once had the bank take money from my account to pay credit bills for
some other person using my name.  I tried to check my credit history and
was told I didn't exist, and ended up dealing with the security people at
the credit bureau.  If you have a very low profile, it is easy for bad guys
to steal your identity.

Your internet footprint is now part of your identity and messing with it
could have unintended consequences.

-- 
George N. White III 
Head of St. Margarets Bay, Nova Scotia


Re: evercookies.

2016-08-24 Thread Joe Zeff

On 08/24/2016 07:51 PM, William Mattison wrote:

* It seems CCleaner is for windows but not Linux.  I am indeed looking for 
windows-7 solutions, but I'm also looking for Fedora solutions.  How can I 
clean out evercookies on my Fedora workstation?


Have you checked bleachbit?  I don't know if it works for evercookies, 
but it's worth checking out.



Re: evercookies.

2016-08-24 Thread William Mattison
(I'm replying to the entire discussion as of Wednesday evening US Mountain 
time.)

I'm now wondering if evercookies can really be fully blocked.  I do want to 
block what I reasonably can.  But as was pointed out, a lot of wanted web 
functionality needs cookies.  So now I'm mainly focused on getting them deleted 
when I close a tab or the browser.

* My Firefox is set to never remember history.  It clears all "regular" 
cookies, cache, and browsing history when I exit Firefox, right?  What about 
evercookies?

* Fingerprinting was mentioned.  Wikipedia has two relevant fingerprinting 
articles: device (browser) fingerprinting and graphic fingerprinting.  The 
device fingerprinting article makes this curious statement:
 "Recently such fingerprints have proven useful in the detection and
  prevention of online identity theft and credit card fraud.  In fact,
  device fingerprints can be used to predict the likelihood users will
  commit fraud based on their signal profile, before they have even
  committed fraud."
So now we're stuck in a love-hate relationship with fingerprinting.  Having 
experienced credit card fraud at least 3 times, I want what those two Wikipedia 
sentences mention.  But I hate commercial sites tracking, profiling, and 
targeting me.  I also understand that the advertising is needed to have "free" 
content on the web.  I accept "generic" (non-personalized) advertising that is 
not intrusive and not deceptive.  The rest actually affects me opposite of what 
the advertiser intends: it pushes me away!  So what / how much fingerprinting 
to allow vs. try to block?

* Does NoScript block evercookies or the fingerprinting parts of allowed 
scripts?

* I recently looked at Adblock Plus, and saw the same conflict-of-interest 
noted by others in this discussion.  I will look at the alternatives mentioned 
in this discussion.  I also saw the separate "Browser Privacy" topic started by 
Drew.  I've since turned off html5 storage, and will study the other 
recommendations there.

* It seems CCleaner is for windows but not Linux.  I am indeed looking for 
windows-7 solutions, but I'm also looking for Fedora solutions.  How can I 
clean out evercookies on my Fedora workstation?

* Stan - In your last message on this topic, you implied you are abandoning 
Adblock Plus and said you are using "tracking blockers".  Which?

Thank-you, everyone.
Bill.


Re: evercookies.

2016-08-24 Thread Joe Zeff

On 08/24/2016 06:08 PM, Tim wrote:

To be blunt, the points you missed, were:

a. Not that it's the DNS protocol, but a DNS server, that was
implicated.  DNS servers can keep access logs, too.


And, to be equally blunt, you were asserting that DNS servers could be 
used to set evercookies on your machine and I was refuting that claim. 
And even if they do keep logs, they won't do you much good unless you 
know exactly what IP address to search for, which won't be of any help 
if your target's on the road using various free WiFi hotspots, or 
sharing a connection (and IP) with several other people, such as in an 
office environment.  I won't say that you can't build up a profile of a 
specific person that way, but I doubt that's cost effective in terms of 
targeting advertising.



Re: evercookies.

2016-08-24 Thread Tim
Allegedly, on or about 24 August 2016, Joe Zeff sent:
> Except, of course, for the fact that most servers aren't running 
> browsers, and if they are, that cookie will identify them, not you.
> The point I was making, and you didn't address is that there is no way
> to use the DNS protocol to set or retrieve a cookie in an end-user's
> browser. 

To be blunt, the points you missed, were:

a. Not that it's the DNS protocol, but a DNS server, that was
implicated.  DNS servers can keep access logs, too.

b. We were talking about web servers.  It's kind of implicit that it's
webservers and webbrowsers when talking about cookies.  And since the
exposé of the exploit talked about JavaScript, Flash, Silverlight,
webhistory, and a variety of other website related things, the point was
quite clear.  But just to be sure, this link is practically a one-page
list of things:  https://en.wikipedia.org/wiki/Evercookie

c. Cookies *do* identify *you* (or are able to).  If you log in to
anywhere that's in the middle of this spiderweb, it identifies you.  If
you don't log in, just browsing the web anonymously, it may not identify
you, but certainly categorises you.  And with a service that has a
massive database at their disposal, and the longer you're on-line, it
may well be possible to follow that through to an identification.

e.g. You've posted on a public list, something will be databasing this
list, recording messages and headers.  It has your IP and your email
address.  Marry that up with something else logged on internet using the
same IP at the same time, and it's a 99% chance that it's you.  If
they're lucky, some time while you're browsing you'll use a server that
they can set a cookie with.  And use that as an aid to them further
keeping track on you.

You really do have to be one of the tinfoil hat brigade, never logging
in, using things like TOR, stealing other people's WiFi, changing IPs,
etc., all of the time to be able to avoid that kind of big brother
watching (in the Orwellian sense)

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Hooray! I finally finished typing this email.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: evercookies.

2016-08-24 Thread jdow

On 2016-08-24 00:18, Joe Zeff wrote:
> On 08/23/2016 11:41 PM, Tim wrote:
>> You browse half a dozen addresses, using their DNS server, they can see
>> all the queries coming from your IP.  Somewhere amongst them is a server
>> where they can set a cookie in a browser.
>
> Except, of course, for the fact that most servers aren't running browsers, and
> if they are, that cookie will identify them, not you.  The point I was making,
> and you didn't address is that there is no way to use the DNS protocol to set or
> retrieve a cookie in an end-user's browser.


Perhaps more telling is that with several browsers on a single connection the 
cookies must be associated with a browser to matter.


With FireFox profiles it should be possible to generate some "confusion" in the 
evercookie world by using separate browsers for various sites you visit 
regularly with one or more additional profiles for various other activities. 
They won't have the same cookies. So tracking is more difficult.


That said, Verizon has an IP header they put on traffic to track the sites you 
visit if not the content. I suspect privacy is a concept that will die out over 
time.


{^_^}


Re: evercookies.

2016-08-24 Thread Joe Zeff

On 08/23/2016 11:41 PM, Tim wrote:
> You browse half a dozen addresses, using their DNS server, they can see
> all the queries coming from your IP.  Somewhere amongst them is a server
> where they can set a cookie in a browser.


Except, of course, for the fact that most servers aren't running 
browsers, and if they are, that cookie will identify them, not you.  The 
point I was making, and you didn't address is that there is no way to 
use the DNS protocol to set or retrieve a cookie in an end-user's browser.



Re: evercookies.

2016-08-23 Thread Tim
Allegedly, on or about 23 August 2016, Joe Zeff sent:
> Assuming that somebody wanted to use DNS to set a cookie, how would
> they go about it? 

You browse half a dozen addresses, using their DNS server, they can see
all the queries coming from your IP.  Somewhere amongst them is a server
where they can set a cookie in a browser.  It becomes an anchor point
for identifying you when there's a break between sessions (where you
*may* change IPs), and the cycle continues.

Since it's Google that we're talking about, the two obvious candidates
for co-ordinating this are their DNS server and their search engine.
But even if you don't use their search engine, they provide services to
many other websites (googletag, googleanalytics, etc.), so you'll use
them all over the place without noticing.  Many websites that're more
than flat HTML, and are too lazy to write their scripting, make use of
these turnkey solutions for their problems.

Databasing is Google's business, and they've stated their aim to
database *everything* in the past.  Don't believe that they've given up
on that.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Just because nobody complains, it doesn't mean that all parachutes are
perfect.




Re: evercookies.

2016-08-23 Thread Tim
Allegedly, on or about 23 August 2016, Drew Samson sent:
> I built Evercookie as a proof of concept, wanting to show how web
> sites are able to track users even if they delete standard cookies and
> LSOs. 

I get really sick of these sociopaths that build and release some evil
thing allegedly to prove the concept.  Like hell, they do it for their
own pleasure, and for it to be used by the service they claim to be
exposing.  We all know that it's going to get used.



-- 


Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

America, you've had a Bush show you that any idiot can become president,
don't let a Trump prove that any asshole can.




Re: evercookies.

2016-08-23 Thread stan
On Tue, 23 Aug 2016 16:54:11 -0600
Drew Samson  wrote:

> I was admittedly slow to learn this yet once I came to realize the 
> overwhelming majority of their $ is made by advertisers paying them
> to be white-listed it seemed to me as if the fox was guarding the 
> hen-house. They made a name for themselves doing a great job blocking 
> ads yet to make $ in this effort they rely on advertisers paying
> them. They are funded by the folks they help frustrate. This just
> seems like a contradiction to me and rather than keeping tabs on how
> well they are adhering to their original intent I just sought an
> alternative and that's when I found uBlock Origin.

Whoa, that's a pretty serious conflict of interest.  Sort of like a
protection racket.  I think I'll pass, too.

My attitude to advertising on the web is that I'll allow it if it
doesn't track me.  So, I put in place tracking blockers, and if ads get
through, then so be it.  Advertising is what pays for the internet, so
as long as the ads are like TV ads, broadcast instead of targeted, I'll
pay the piper by letting it appear on my browser.

But very few ads get through if tracking is blocked, since all the
major ad marketers use tracking.  I even get complaints that I have ad
blocking turned on at some sites, though I don't; I just don't allow
tracking (to the best extent I can).


Re: evercookies.

2016-08-23 Thread Drew Samson



> I know you said you no longer use AdBlock Plus, but they have
> categorically stated that they protect against evercookies.
>
> "If the last paragraph isn’t explicit enough for you, here you go:
> Adblock Plus privacy protection (a.k.a. EasyPrivacy filter list)
> doesn’t care whether it is cookies, canvas fingerprinting or
> evercookie, you will be protected regardless."
>
> What is your issue of concern with adblock plus?


I was admittedly slow to learn this yet once I came to realize the 
overwhelming majority of their $ is made by advertisers paying them to 
be white-listed it seemed to me as if the fox was guarding the 
hen-house. They made a name for themselves doing a great job blocking 
ads yet to make $ in this effort they rely on advertisers paying them. 
They are funded by the folks they help frustrate. This just seems like a 
contradiction to me and rather than keeping tabs on how well they are 
adhering to their original intent I just sought an alternative and 
that's when I found uBlock Origin.


I don't begrudge a company making $ and don't mind paying for a worthy 
service. However, the whole reason I use Fedora & switched from Windows 
was to use & advocate FOSS & the GNU approach to computing. It's also 
why I use GNOME & don't use Ubuntu. I understand AdBlock Plus uses the 
GPL...that's not the issue for me. Relying on what appears to me to be a 
company in conflict with itself is again why I moved on.


I know Mozilla has in the past been primarily funded thru google; that 
would be $300,000,000.00 annually in years gone by. Their current 
contract with yahoo is not public at this time. I'm fine with that since 
imo it in no way contradicts their stated objectives and they provide 
great products to me at the same time.


I'm not trying to be religious about this; I'm just trying to be helpful 
and answer your question.


Drew





Re: evercookies.

2016-08-23 Thread Joe Zeff

On 08/23/2016 12:20 PM, stan wrote:
> As Mike pointed out, it is unlikely that DNS sets a cookie,


Assuming that somebody wanted to use DNS to set a cookie, how would they 
go about it?  Your browser doesn't interact with the DNS service 
directly, it asks your networking to set up a connection with a server 
and that uses DNS to translate the machine name into an IP address and 
make the connection.  Google's DNS servers can't set or use a cookie on 
your browser both because they don't interact with it and because the 
DNS protocol doesn't have any way of setting or retrieving a cookie. 
Yes, I know that you aren't claiming that Google's DNS servers are 
manipulating evercookies, I'm just using your comment as a hook to 
describe just how absurd the idea is.  It's just as foolish as thinking 
that you can get a STD by watching a video of unprotected sex.



Re: evercookies.

2016-08-23 Thread Drew Samson



On 08/23/2016 12:26 PM, Mike Wright wrote:
> On 08/23/2016 09:32 AM, Drew Samson wrote:
>> On 08/23/2016 10:03 AM, stan wrote:
>>> So, this brought evercookies to my attention.  I noticed that even when
>>
>> Are you using google dns?  (8.8.8.8)
>
> How would google dns go about setting an evercookie?


In a static & isolated non-rfc 2136 context probably and hopefully not 
at all. However dns integration may go far beyond that context.


Once one decides to go the google domain route and perhaps integrates a 
directory service of some type into the equation and then enables ddns 
now you have a totally different context and other protocols & ports 
other than 53 open up and google dns may be right in the middle of it. I 
used to work for a company that did this. Then you would have ldap & dns 
integration which then provides massive openness all thru simple dns 
decisions and convenient registering of all devices in the domain in 
both dns & ldap. Then when you have the creator state: "...there are 
numerous methods for storing cookies locally..." it's a small step for 
the legal department at google to tell the exec's "they asked for it" 
when some imaginative developer decides to propagate them and preserve 
them on the network which as far as I know hasn't happened yet...but who 
is to say what methods they will try tomorrow to make more $ and be more 
persistent? It's already plain to see they seek to obfuscate as much as 
possible and are willing to use disk space we pay for to make $ for 
them! My point above is simply to encourage folks to think thru their 
decisions.


When one uses free services one must be very careful to determine 
whether or not they themselves are the product for sale...if one cares 
about such things. When Mark floated the idea of taking Facebook public 
many experts wondered how in the world he would make $ on his social 
media site. However, Mark had already figured out he had hundreds of 
millions of "products" for sale and those experts aren't wondering anymore.


Here is what the creator had to say about them:

Samy Kamkar: "Evercookie is a Javascript API that allows storing cookie 
data in a number of different locations when a user visits a web page. 
Normal sites would typically just store data (such as a session 
identifier) in something like a cookie.


However, Evercookie not only uses the cookie, but a number of other 
locations such as Flash cookies, Silverlight isolated storage, and 
various locations of HTML5 storage. When a user deletes their standard 
cookies, the other locations remain and are able to rebuild the original 
cookie.
I built Evercookie as a proof of concept, wanting to show how web sites 
are able to track users even if they delete standard cookies and LSOs. 
Evercookie also sheds light on the fact that there are numerous methods 
for storing cookies locally. Finally, Evercookie acts as a litmus test 
for users who want to see if they're protected from web sites that track 
like this."


We all know this left proof of concept long ago.

Drew





Re: evercookies.

2016-08-23 Thread stan
On Tue, 23 Aug 2016 10:32:22 -0600
Drew Samson  wrote:

> Are you using gmail?
> Are you using google dns?  (8.8.8.8)
> Are you using google apps? chrome? earth? streetview? drive? sky?
> Do you use their repository?
> dl.google.com/linux/linux_signing_key.pub?

None of those.  Deliberately.

As Mike pointed out, it is unlikely that DNS sets a cookie, but it
allows them to track the IP across the web sites I visit.  So if they
do get a cookie on your machine, they have your whole itinerary.

The other one is google.fonts.api, and the other apis they provide
'free' to web developers, so they can incorporate them into their
sites.  Every site that gets called, is another tracking point for them.

> 
> Do you sync an android?

No.

> 
> It's easy to give someone/something permission w/o realizing it.

Except I was offline.  No web connection.  And I deleted the cookie,
and it regenerated itself under those conditions.  From where?  Not the
web, so somewhere on the client side, likely from info they stored
(hid?) in the browser.  Hey, the list of places an evercookie hides
data is pretty extensive.

Specifically, when creating a new cookie, it uses the
following storage mechanisms when available: 
 - Standard HTTP Cookies
 - HTTP Strict Transport Security (HSTS) Pinning
 - Local Shared Objects (Flash Cookies)
 - Silverlight Isolated Storage 
 - Storing cookies in RGB values of auto-generated, force-cached
   PNGs using HTML5 Canvas tag to read pixels (cookies) back out
 - Storing cookies in Web History 
 - Storing cookies in HTTP ETags 
 - Storing cookies in Web cache 
 - window.name caching
 - Internet Explorer userData storage
 - HTML5 Session Storage 
 - HTML5 Local Storage 
 - HTML5 Global Storage 
 - HTML5 Database Storage via SQLite
 - HTML5 IndexedDB
 - Java JNLP PersistenceService
 - Java CVE-2013-0422 exploit (applet sandbox escaping)
 


> Do you use the Alphabet?   :-)
> This last one's a joke but it does reveal the attitude of their
> exec's and how ingrained they want to be in our lives.

That's their business.  Your privacy.
> 
> This is why I try to have nothing to do with google for anything
> for reasons Tim has so eloquently described.

Exactly.

I know you said you no longer use AdBlock Plus, but they have
categorically stated that they protect against evercookies.

"If the last paragraph isn’t explicit enough for you, here you go:
Adblock Plus privacy protection (a.k.a. EasyPrivacy filter list)
doesn’t care whether it is cookies, canvas fingerprinting or
evercookie, you will be protected regardless."

What is your issue of concern with adblock plus?

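A read-only audit for the question that opens this thread, covering several of the storage mechanisms in stan's list above; it is an added example, not part of any poster's message. The file, table and directory names are assumptions based on Firefox profiles of roughly this era, and the `.example` profile data is constructed.

```python
import sqlite3
import tempfile
from pathlib import Path


def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def rows(db, sql):
    """Read-only query; a missing file or table simply yields no rows."""
    if not db.is_file():
        return []
    con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return []
    finally:
        con.close()


def audit_profile(profile, domain, flash_root=None):
    """Return {store: entries held for `domain`}. Layout names are assumptions."""
    profile, domain = Path(profile), domain.lower()
    found = {}
    # Standard HTTP cookies.
    found["cookies"] = sorted(
        f"{host} {name}"
        for host, name in rows(profile / "cookies.sqlite",
                               "SELECT host, name FROM moz_cookies")
        if host_matches(host, domain))
    # HTML5 local storage: originKey is the host reversed plus scheme and port,
    # e.g. "elpmaxe.www.:https:443" for https://www.example.
    found["local_storage"] = sorted(
        f"{okey.split(':')[0][::-1].lstrip('.')} {key}"
        for okey, key in rows(profile / "webappsstore.sqlite",
                              "SELECT originKey, key FROM webappsstore2")
        if host_matches(okey.split(":")[0][::-1], domain))
    # HSTS pins: one "host:HSTS<TAB>..." line per pinned host.
    hsts = profile / "SiteSecurityServiceState.txt"
    lines = hsts.read_text(errors="replace").splitlines() if hsts.is_file() else []
    hosts = (ln.split("\t")[0].rsplit(":", 1)[0].split("^")[0] for ln in lines if ln)
    found["hsts"] = sorted(h for h in hosts if host_matches(h, domain))
    # IndexedDB and other per-origin storage: "<scheme>+++<host>[+<port>]" dirs.
    store = profile / "storage" / "default"
    names = [d.name for d in store.iterdir()] if store.is_dir() else []
    found["origin_storage"] = sorted(
        n for n in names if "+++" in n and host_matches(
            n.split("^")[0].split("+++", 1)[1].split("+")[0], domain))
    # Flash local shared objects: <flash_root>/<random id>/<host>/...
    flash = Path(flash_root) if flash_root else None
    lso = flash.glob("*/*") if flash and flash.is_dir() else []
    found["flash_lso"] = sorted(
        p.name for p in lso if p.is_dir() and host_matches(p.name, domain))
    return found


def build_constructed_profile(root):
    """Write a small constructed profile (made-up data) for the demo."""
    root = Path(root)
    con = sqlite3.connect(root / "cookies.sqlite")
    con.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)",
                    [(".tracker.example", "uid", "abc123"),
                     ("news.example", "session", "zzz")])
    con.commit()
    con.close()
    con = sqlite3.connect(root / "webappsstore.sqlite")
    con.execute("CREATE TABLE webappsstore2 (originKey TEXT, key TEXT, value TEXT)")
    con.execute("INSERT INTO webappsstore2 VALUES (?, ?, ?)",
                ("cdn.tracker.example"[::-1] + ".:https:443", "uid", "abc123"))
    con.commit()
    con.close()
    (root / "SiteSecurityServiceState.txt").write_text(
        "a1.tracker.example:HSTS\t0\t17000\t1500000000000,1,0\n"
        "news.example:HSTS\t0\t17000\t1500000000000,1,0\n")
    (root / "storage" / "default" / "https+++cdn.tracker.example").mkdir(parents=True)
    (root / "lso" / "ABCD1234" / "tracker.example").mkdir(parents=True)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_profile(tmp)
        for store, hits in audit_profile(root, "tracker.example", root / "lso").items():
            print(f"{store:15} {hits}")
```

Run it with the browser closed. Cache-based entries from the list (ETags, cached PNGs) are stored under hashed names and cannot be attributed to a domain this way, so the cache has to be cleared wholesale.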

Re: evercookies.

2016-08-23 Thread Mike Wright

On 08/23/2016 09:32 AM, Drew Samson wrote:
> On 08/23/2016 10:03 AM, stan wrote:
>> So, this brought evercookies to my attention.  I noticed that even when
>
> Are you using google dns?  (8.8.8.8)

How would google dns go about setting an evercookie?


Re: evercookies.

2016-08-23 Thread Drew Samson



On 08/23/2016 10:03 AM, stan wrote:
> So, this brought evercookies to my attention.  I noticed that even when
> offline, there was a google cookie in my cookie directory, even though
> google is not whitelisted.  So, I deleted it.  And, lo and behold, it
> came back.  Like that old song, "The very next day, the cat came back,
> 'cause it couldn't stay away."
>
> This makes me suspect that google is using something like an
> evercookie.  I have self-destructing cookies plugin, delete lso cookies,
> have html5 storage turned off, keep the cache cleared, and yet, there
> it is, while I'm offline.


Are you using gmail?
Are you using google dns?  (8.8.8.8)
Are you using google apps? chrome? earth? streetview? drive? sky?
Do you use their repository? dl.google.com/linux/linux_signing_key.pub?

Do you sync an android?

It's easy to give someone/something permission w/o realizing it.

Do you use the Alphabet?   :-)
This last one's a joke but it does reveal the attitude of their exec's 
and how ingrained they want to be in our lives.


This is why I try to have nothing to do with google for anything for 
reasons Tim has so eloquently described.



Drew



Re: evercookies.

2016-08-23 Thread stan
On Tue, 23 Aug 2016 20:05:31 +0930
Tim  wrote:

> Allegedly, on or about 22 August 2016, William Mattison sent:
> > "evercookies"  


> As users, we get sick of cookies (and related shit), and disable them.
> The evil bastards decide that they will not obey and make it harder
> and harder to avoid these things.  Essentially, they are hacking our
> computers, and I'm of the mind that they should get jail time for
> that.
> 

So, this brought evercookies to my attention.  I noticed that even when
offline, there was a google cookie in my cookie directory, even though
google is not whitelisted.  So, I deleted it.  And, lo and behold, it
came back.  Like that old song, "The very next day, the cat came back,
'cause it couldn't stay away."

This makes me suspect that google is using something like an
evercookie.  I have self-destructing cookies plugin, delete lso cookies,
have html5 storage turned off, keep the cache cleared, and yet, there
it is, while I'm offline.

"Do no evil" indeed.


Re: evercookies.

2016-08-23 Thread Tim
Allegedly, on or about 22 August 2016, William Mattison sent:
> "evercookies"

Oh gawd, yet another horrible thing.  The creator, allegedly some
privacy and security researcher is clearly anything but that, they're an
evil bastard.

As users, we get sick of cookies (and related shit), and disable them.
The evil bastards decide that they will not obey and make it harder and
harder to avoid these things.  Essentially, they are hacking our
computers, and I'm of the mind that they should get jail time for that.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Windows, it's enough to make a grown man cry!




Re: evercookies.

2016-08-22 Thread stan
On Mon, 22 Aug 2016 19:45:52 -
"William Mattison"  wrote:

> Hi all,
> 
> Two questions about "evercookies".  I think this could be useful to
> others in this forum as well as to me.
> 
> 1. On my home Fedora-23 (updated weekly) workstation, how do I find
> and truly, fully, permanently get rid of whatever evercookies might
> be on my system?  If y'all don't mind, I'd also like to know how to
> find and delete "evercookies" on my home windows-7 box, if there are
> any.
> 
> 2. I use Firefox (updated weekly) for browsing.  On my home Fedora-23
> workstation, how do I block or prevent the storage of evercookies on
> my system?  If y'all don't mind, I'd also like to know how to block or
> prevent the storage of "evercookies" on my home windows-7 box.  I'm
> already using "No-Script" (on both systems) if that's relevant.

There is a program? called CCleaner that apparently will remove
evercookies, as well.  Here's a discussion about it.

https://forum.piriform.com/index.php?showtopic=35769&&page=2


Re: evercookies.

2016-08-22 Thread stan
On Mon, 22 Aug 2016 19:45:52 -
"William Mattison"  wrote:

> Hi all,
> 
> Two questions about "evercookies".  I think this could be useful to
> others in this forum as well as to me.
> 
> 1. On my home Fedora-23 (updated weekly) workstation, how do I find
> and truly, fully, permanently get rid of whatever evercookies might
> be on my system?  If y'all don't mind, I'd also like to know how to
> find and delete "evercookies" on my home windows-7 box, if there are
> any.
> 
> 2. I use Firefox (updated weekly) for browsing.  On my home Fedora-23
> workstation, how do I block or prevent the storage of evercookies on
> my system?  If y'all don't mind, I'd also like to know how to block or
> prevent the storage of "evercookies" on my home windows-7 box.  I'm
> already using "No-Script" (on both systems) if that's relevant.

That was interesting.  I knew about browser fingerprinting.  But I
hadn't heard about the evercookie.  I turned up this on stack overflow,

"most evercookie vectors have been closed via browser client security
updates"

And from the reading, I gleaned that flash, or javascript, or java has
to be enabled for an evercookie to be placed.  It's put in place by
code that has to run, so something has to be enabled to run it for it
to succeed.

It seems that private browsing mode prevents evercookies, but users
want to be protected during normal browsing.

Adblock Plus says this:

"If the last paragraph isn’t explicit enough for you, here you go:
Adblock Plus privacy protection (a.k.a. EasyPrivacy filter list)
doesn’t care whether it is cookies, canvas fingerprinting or
evercookie, you will be protected regardless."

There were suggestions that facebook and google use this technology to
track people across the web.  And I can anecdotally support that.
When I go to youtube with noscript set, it doesn't recognize me.  If I
turn script on, it then recognizes me.  H.

I use the firefox plugin self-destructing cookies, and I don't have
youtube set on the whitelist.  So, they are identifying me by some
other means.  No LSO cookies, no html5, so not that.  Browser
fingerprinting?  Evercookie?


evercookies.

2016-08-22 Thread William Mattison
Hi all,

Two questions about "evercookies".  I think this could be useful to others in 
this forum as well as to me.

1. On my home Fedora-23 (updated weekly) workstation, how do I find and truly, 
fully, permanently get rid of whatever evercookies might be on my system?  If 
y'all don't mind, I'd also like to know how to find and delete "evercookies" on 
my home windows-7 box, if there are any.

2. I use Firefox (updated weekly) for browsing.  On my home Fedora-23 
workstation, how do I block or prevent the storage of evercookies on my system? 
If y'all don't mind, I'd also like to know how to block or prevent the storage 
of "evercookies" on my home windows-7 box.  I'm already using "No-Script" (on 
both systems) if that's relevant.

thanks,
Bill.