Secret Cookies on your computer that you cannot delete

Originally posted by woghd
Maybe I'm wrong, so I ask you, Skeptic Overlord, may I rewrite the artcle? I do not wish to get banned, nor do I wish to cost you money, so I won't write it unless you say it's cool.

Please believe me when I say there are no hard feelings. I'd be an emotional mess if misconceptions such as these caused any stress or inspired me to keep track of people I shouldn't like.

On the otherhand, I've been quite unfairly painted as a hoaxer, and my rep has been unfairly damaged, and I would like to be given the opportunity to do something about that.

That's not the intent to portray you as such, and I'm sorry if that's the result.

For now I'll move this to the computer help forum, and we can discuss the issues and perhaps collaboratively conceive of a new thread that more accurately portrays the real threats, and motivations of those attempting to inspire paranoia over cookies (not you).

Fair?

reply to post by woghd


Its ok. I know a lot of us do appreciate the information. I dont totally understand cookies, but I really do dislike the way they are implemented, and so I will delete as many as possible as often as possible simply because I dont like their methods.

I had a lot of these flash cookies, even though I use CC cleaner every day before I turn off my comp. So......thank you. Im glad they are gone.

I am totally willing to allow things that work for the greater good on my computer......including ads, whatever, I just dont like people doing stuff to my computer without my permission. Just ask me. Explain your reasoning. Im not unhelpful by any means. And yes, I hear the argument that using the browser IS consent, I just dont agree in principle. Technically, legally, you may be right, but morally, I think it is wrong.

Originally posted by H1ght3chHippie
But the Google webserver could easily send any extracted data from any Google.com cookie to the Youtube webserver without you even being able to monitor such traffic.

Actually, that would be easily detectible.

Or they simply use a hidden i-frame to track you and read specific cookies, just like Facebook does.

Again, something that would be easily noticed.

reply to post by woghd


It's an interesting topic, I didn't know about the .sol files - or Flash cookies as you refer to them.

I think it deserves a little more research though before jumping to any conclusions.

Let's have a look at what these files are, and what is contained within them.

So .. I just cleared all the files in the shared objects folder, and visited a random youtube video in order to generate content.

The visit generated a folder and two files file in my #SharedObjects folder:

soundData.sol & videostats.sol

furthermore it created a file called "setings.sol" in the /support/flashplayer/sys/#s.ytimg.com

Apparently they are binary files, so let's fire up our favourite hex editor and face the evil eye to eye:



Well .. doesn't look like Youtube has anything sinister going on here .. damn, I love a fresh conspiracy.

Looks like boring stuff like your client performance (in order to let youtube chose a default resolution I guess) and as far as the other files are contained there's volume settings and more things I would also expect within a text based cookie.

I'll check into a couple more after I have visited sites with flash content and I'll report back when I stumble upon anything suspicious, but as of now, I don't see anything here that ticks me off, and trust me, the fact I suffer from paranioa doesn't mean they're not REALLY after me ^^

Originally posted by SkepticOverlord
Actually, that would be easily detectible.

Sorry maybe I didn't make myself clear. I'm speaking about the Google webserver transfering data through the internet backbone to the Youtube machine, for example every tiny detail you entered into their search form, while or after you visit the Google.com site. You can not detect that, or do you have a sniffer on their internal machines ? Thought so : )


It is correct however that an xss i-frame would be easily noticed on your client. That's the reason why I suggest everyone to use the No-Script addon or disable JS by default.

reply to post by SkepticOverlord

"browsing history" of individual computers (which cookies identify) is not something of value.

What? Not of value? Browsing history allows them to feed users targeted adverts, that is crucial for increasing click rates. It can make all the difference. Knowing your potential customer is important, that also means knowing their browsing habits, not just their age, gender and location.

Originally posted by H1ght3chHippie
Sorry maybe I didn't make myself clear. I'm speaking about the Google webserver transfering data through the internet backbone to the Youtube machine

First, we're talking massive server farms here, not singular backbones and machines.

Second, without authentication in the browser of some type, resulting in an HTTP exchange, it's not possible for "YouTube" to know who you were when you were on "Google" and then came to "YouTube."

But, even if it were possible from a technology standpoint, what would be the benefit of "YouTube" knowing about the "Google" activity of your computer?

Originally posted by WhizPhiz
Browsing history allows them to feed users targeted adverts, that is crucial for increasing click rates. It can make all the difference.

The first question, ignoring some obvious issues, why is that bad? Targeting ads to geographic and psychographic intelligence has been a staple of magazines, newspapers, cable channels, and direct mail for a long time. The ads in the version of Rolling Stone magazine sent to subscribers in your state will be different than those in the same issue of the magazine in the next state.


But the issues are something the opponents of such targeting never properly address, that of diminishing returns with an over-abundance of data. I've had the rare opportunity to sit-in or otherwise be involved with some of the conversations and planning of the companies that attempt to fine-tune the delivery of online advertising -- and the resounding complaint is too much available data for too little benefit. In reality, the targeting relies very little (if at all) on what broad-stroke browsing history is available, and more on specifics.

For example, Harry & David was (now under chapter 11) one of the most sophisticate re-targeting advertisers online. They had an aggressive strategy with two ad networks to retain anonymized product-search information from their website via JavaScripts from those advertisers on their product pages. If you didn't purchase something, and then visited websites where those ad networks ran banners, you'd see Harry & David banners with products that related to your searches. If, after 10 days, you still didn't make a purchase, you'd then be presented with coupons in an attempt to inspire a purchase.

It was expensive.

In the spectrum of "targeted advertising," it was considered smart.

The approach didn't raise the hackles of consumer advocates.

But guess what -- it was far more expensive than the resulting lift in sales, and is being touted as one of the reasons for the bankruptcy filing of the company.

Point being: there's lots of buzz about the potential "badness" of highly-targeted ads online, but very little on the reality that it's expensive with no guarantee of results.

Second point: this example of some of the most recent highly-targeted ads have nothing to do with your "browsing history," and everything to do with a specific action on a specific site.

reply to post by SiglenDyn


Thank you!!And thanks to the OP!!

I just did better privacy and there were none on mine......Is that possible?.....Is better privacy as good as the one the OP said to use??......Better privacy was easy to do, the one the OP says to use looks very complicated to me who does not know much about saving stuff ect.

reply to post by SkepticOverlord


I admit this is slightly off topic but as I said it's an interesting topic.

Just let's think a little bit out of the box here. Just let's tie the biggest ISP's in here for a brief second, let's asume most major networks might serve a second purpose, beyond what you use them for, and let's assume there are algorithms and mechanisms in place that will automatically monitor every single line you feed into any major network, logging it, tying it to you personally, and - without the touch of a human hand so far - consider if you are a threat or target of interest or not. And if you are, your name will end up on the desk of some agency and a human will get involved to check you out closer. Of course your phone calls - every word you speak - is fed into a giant NSA mainframe, and certain words will trigger an automated mechanism that will get you on some screen. They've been doing that 20 years ago already, you are aware of that I assume ?

So after monitoring your online behaviour for a couple years, they have the perfect profile about you, they know things about you that you have forgotten yourself already again, and they can compile that into a vast database about basically every human being, listing everything, your interests, your political stance, your relationships, your ties to other individuals, even your daily moods, fresh from your Facebook account.

So, assuming all of that, and then weighing the possible advantages it has for basically any aspect of governmental, agency or corporate need against the technical challenge it would pose....

Do you seriously think that isn't done ? I bet my arse it is.

And on a side note, there's not really a difference between a single webserver and a server farm in terms of transfering data through whatever backbone or WAN link to other domains .. trust me .. been there .. done that .. even got the T-shirt.

Originally posted by SkepticOverlord

For example, Harry & David was (now under chapter 11) one of the most sophisticate re-targeting advertisers online. They had an aggressive strategy with two ad networks to retain anonymized product-search information from their website via JavaScripts from those advertisers on their product pages. If you didn't purchase something, and then visited websites where those ad networks ran banners, you'd see Harry & David banners with products that related to your searches. If, after 10 days, you still didn't make a purchase, you'd then be presented with coupons in an attempt to inspire a purchase.

It was expensive.

In the spectrum of "targeted advertising," it was considered smart.

The approach didn't raise the hackles of consumer advocates.

You just confirmed my thoughts, not that my thoughts carry any weight, but i am very impressed that you are familiar with it all.

reply to post by StarLightStarBright2

I just did better privacy and there were none on mine......Is that possible?.....Is better privacy as good as the one the OP said to use??

I would say BetterPrivacy is definitely better than a batch script. It is very odd that you don't have any LSOs. Not impossible, but highly unlikely. Go to this folder, replacing "User" with your Windows account name:

C:\Users\User\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\

Now you should see only 1 or 2 folders. Check them out. For instance, I have a folder named "LZJ4ZA7V" inside my #SharedObjects folder. And inside that folder are where the LSO's are kept. The LSO's will be stored in separate folders, with the name of the website that created the LSO as the folder name. For instance, inside my "LZJ4ZA7V" folder I have a folder called "mail.google.com", inside that folder are the LSO's for Google Mail. Theoretically, I could just delete all the folders inside my "LZJ4ZA7V" folder to delete all the LSO's, but I haven't tried the method, BetterPrivacy does the trick.

reply to post by TrueAmerican


Ok that would bother me!

reply to post by WhizPhiz


Thank you!

reply to post by StarLightStarBright2


So did you find anything inside that folder?

Originally posted by H1ght3chHippie
Just let's tie the biggest ISP's in here for a brief second, let's asume most major networks might serve a second purpose, beyond what you use them for, and let's assume there are algorithms and mechanisms in place...
>snip<
They've been doing that 20 years ago already, you are aware of that I assume ?

Now, that's something very, very different than concerns over what nefariousness might be possible via cookie abuse -- you're referencing "deep packet inspection," and is a very different animal.

So after monitoring your online behaviour for a couple years, they have the perfect profile about you...

Okay, there's a couple issues here, many are related to misconceptions, but there are concerns.

The most important thing is to visualize the quantity of data, and project forward to the plausibility of such a thing. Imagine a system that would be able to track and quantify all the various IP address you use, in real-time. Not necessarily impossible, but would require highly-sophisticated deep-packet inspect by every network you use, engaged in real-time reconciliation and communication back to some central source. Then, consider how such a system would engage in such real-time reconciliation for every HTTP packet you receive -- just the ATS home page would require more than 100 such packets, many pages use much more. Then imagine the scale of such a thing as it attempts to recognize, reconcile, track, and record every packet received by every person using the web in the United States for just one day. We're talking about dozens of petabytes of data being categorized and exchanged in just one day.

And if you want to scale that even further, consider the amount of data resulting from a month, a year, or several years.

And then, imagine how an inept "government" who is unable to keep an Army Private from stealing secure government communications could create and manage such an unimaginably massive and sophisticate system. Such a system would require massive bandwidth and more than 50 billion terabytes of data storage for 10 years worth of information. Why... the hard drive maintenance alone would keep an army of IT geeks running in circles.

That level of intelligence as a result of wide-spread deep-packet inspection has received a lot of speculation, but it's not plausible to believe an inept government who can't keep their law enforcement agencies up to speed with computer technology that is less than five years old can pull it off.


However, that's not to say that some level of data reconciliation and inspection isn't going on... we know it is, but just not on the grand scale that would be required above.


Based on the tidbits we know, there are three strategies being used:

(1) Deep packet inspection of certain protocols (such as HTTP post and SMTP) for important keywords, phrases, or destinations.

(2) Monitoring of interconnected communications (using #1 at times) on certain subjects, some of which may be "seeded" by provocateurs or purposeful release of low-level semi-classified information.

(3) Deep packet inspection and monitoring of specific computers that have been identified as a result of #1 and #2.

This is not only much more plausible, but also much more likely to result in a manageable amount of data on which law-enforcement action can be taken.

And on a side note, there's not really a difference between a single webserver and a server farm in terms of transfering data through whatever backbone or WAN link to other domains

Except when you start considering the massive scale of the amount of data you originally proposed. Even in our little cluster for ATS, we often flirt with the upper limits of a 10GB network connection between our database server and web server during spikes of high traffic, and that's just for the posts and threads on ATS.

Originally posted by SkepticOverlord

Originally posted by SD-JH543
Here is a good visual on how Google uses cookies to Datamine you..
donttrack.us...

No where does that indicate the site owners also have your IP address to cross-reference with the search term that delivered you to the site... which they do not.

Alarmist and false information.

Not sure I'd go as far as alarmist and false, I believe their description of how tracking can be used is mostly correct. I also understand they have an agenda to promote their search engine.

In my opinion If they are not using IP based tracking it's simply a matter of when not if.. They (Google) definitely have the brain-trust to do this and with all the companies they own that data is potentially worth billions.
SD

Originally posted by SD-JH543
I believe their description of how tracking can be used is mostly correct.

Not really.

They claim the combination of information on browser and computer data tracked by Google Analytics and reported to website users amounts to a browser fingerprint, which is not correct. As a Google Analytics user, I can assure you that:
(1) Browser information is aggregated, all I see are totals for different browser versions
(2) Computer information is aggregated, all I see are totals for various operating systems
(3) #1 and #2 are not ever combined, nor is there any ability to do so.

While it's true that an actual browser fingerprint can ultimately be a better identifier than a cookie, there's even less evidence that it could be used for harm than there is for cookies.

In fact, the browser fingerprint, if used correctly, could be more secure. We're considering moving to that framework rather than using cookies for some site functions -- an encrypted browser fingerprint would be totally meaningless to anyone but us... especially for "law enforcement" that might some day be in the mood to compel us to reveal user information.

I wasn't implying that end-users of analytics are privy to that data. I have used Goggle analytics myself and am familiar what data is released to users. I was stating that Google has the ability to utilize and abuse this data when they abandon their "Don't Be Evil" mantra..

SD