New Cookie Technologies 10/12/2009

Harder to See and Remove, Widely Used to Track You

Cookies are still a privacy problem for web users, many years after privacy advocates first raised concerns about their use to track web browsing. Today, cookies are one of the main mechanisms that advertising companies like Google use to track and profile users across sites and over time — often building up a single gigantic profile for years and years. Many EFF members respond to this threat by using their browsers’ cookie management features to limit which cookies they’ll accept or how long they’ll be retained.

But it turns out that the cookie situation is quite a bit trickier today, and sites that want to track users have new technical options that are hard for users to respond to. The traditional “cookie” is an HTTP cookie, invented by Lou Montulli and John Giannandrea at Netscape in 1994. But today many browsers implement a range of things with the same kind of cookie-like tracking behavior — mechanisms that are far less familiar, harder to notice, and often harder to control.

A great overview of the wide range of cookie technologies confronting us today is Cleaning Up After Cookies, an article published last year by Katherine McKinley at iSEC Partners. McKinley describes five cookie-like tracking methods that go beyond traditional HTTP cookies, and explains how browsers often fail to let users exercise meaningful control over these varieties of tracking.

The most prominent of these tracking methods is the so-called “Flash cookie”, a kind of cookie maintained by the Adobe Flash plug-in on behalf of Flash applications embedded in web pages.1 These cookie files are stored outside of the browser’s control. Web browsers do not directly allow users to view or delete the cookies stored by a Flash application, users are not notified when such cookies are set, and these cookies never expire. Flash cookies can track users in all the ways traditionally HTTP cookies do, and they can be stored or retrieved whenever a user accesses a page containing a Flash application. Some of the problems are highlighted by Rob Savoye, the developer of Gnash, an open source Flash implementation.

Last month, a group of researchers at UC Berkeley led by Ashkan Soltani released a study, Flash Cookies and Privacy, about this technology and the ways it’s being used to track Internet users today. The study found that Flash cookies are extensively used by popular sites, and that most users probably don’t know about them or how to delete them. They also found that at least one major site uses them in a way that violates the advertising industry’s own rules on tracking.

What’s more, the Berkeley researchers found that Flash cookies are often used to deliberately circumvent users’ HTTP cookie policies. That is, a site may intentionally store the same information redundantly in both HTTP cookie and Flash cookie forms. When a user deletes the HTTP cookie, the site may “respawn” it from the copy that was stored as a Flash cookie! It seems clear that site operators know many users don’t want to be tracked with cookies, but have found a way of circumventing those users’ privacy preferences.

These privacy-invasive marketing practices need greater scrutiny. We need more research to reveal whether the other kinds of cookies McKinley described are also being used to track users, as Soltani and his collaborators showed that Flash cookies are. It’s entirely possible that Flash cookies will turn out to be just the tip of the next-generation user tracking iceberg.

Meanwhile, browser developers should do more to let users understand and control how they’re being tracked — using any of these techniques. Unfortunately, Adobe has made that extremely difficult with regard to Flash cookies, since they’re stored outside of the browser’s control, and since the official Flash plug-in isn’t open source, users can’t easily fix this for themselves. The BetterPrivacy Firefox plugin tries to address this by finding Flash cookies on the hard drive and regularly deleting them, but Adobe could help by ensuring their cookie system follows the browser’s privacy settings.2

Clearly, there’s a lot of work to be done to bring these next-generation cookies even to the same level of visibility and control that users experience with regular HTTP cookies.

————————

1. Adobe refers to Flash cookies as Local Shared Objects. Aside from Flash cookies, the other kinds of cookie-like objects McKinley identifies are HTML 5 DOM storage, Microsoft Silverlight cookies, Microsoft Internet Explorer User Data Persistence, and Google Gears data.
2. Adobe currently provides an interface to manage Flash cookies, but most users are unaware of it, it’s not integrated with browser cookie policies at all, and it seems to focus as much on the disk space Flash cookies can take up as on their privacy implications. It also doesn’t provide some of the kinds of control over cookies that regular browsers and browser plugins can.

Exploiting Online Games 10/12/2009

I recommend to read this book if you want to cheat online games such as World of Warcraft.
Amazon

New cloud-based service steals Wi-Fi passwords 09/12/2009

A new cloud-based hacking service can crack a WPA (Wi-Fi Protected Access) network password in just 20 minutes.
The WPA Cracker service bills itself as a useful tool for security auditors and penetration testers who want to know if they could break into certain types of WPA networks. It works because of a known vulnerability in Pre-shared Key (PSK) networks, which are used by some home and small-business users.
To use the service, the tester submits a small “handshake” file that contains an initial back-and-forth communication between the WPA router and a PC. Based on that information, WPA Cracker can tell whether the network seems vulnerable to this type of attack.
Hackers have known for some time that these WPA-PSK networks are vulnerable to what’s called a dictionary attack, where the hacker guesses the password by trying out thousands of commonly used passwords until one finally works. But because of the way WPA is designed, it takes a particularly long time to pull off a dictionary attack against a WPA network.
Because each WPA password must be hashed thousands of times, a typical computer can guess perhaps just 300 passwords per second, while other password crackers can process hundreds of thousands of words per second. That means that the 20-minute WPA Cracker job, which runs 135 million possible options, would take about five days on a dual-core PC.

Restart Ubuntu Gnome session without rebooting 07/12/2009

Ctrl+Alt+Backspace
or
sudo /etc/init.d/gdm restart

aMSN on Ubuntu 24/11/2009

Remove the comments before the universe lines in your sources.list
sudo nano /etc/apt/sources.list

Add the following source in the sources.list
deb http://ppa.launchpad.net/amsn-daily/ppa/ubuntu jaunty main
or
deb http://ppa.launchpad.net/amsn-daily/ppa/ubuntu intrepid main

Then,
sudo apt-get install amsn

SIPp Call Generator 09/11/2009

SIPp is a free Open Source test tool / traffic generator for the SIP protocol. It includes a few basic SipStone user agent scenarios (UAC and UAS) and establishes and releases multiple calls with the INVITE and BYE methods. It can also reads custom XML scenario files describing from very simple to complex call flows. It features the dynamic display of statistics about running tests (call rate, round trip delay, and message statistics), periodic CSV statistics dumps, TCP and UDP over multiple sockets or multiplexed with retransmission management and dynamically adjustable call rates.

Other advanced features include support of IPv6, TLS, SIP authentication, conditional scenarios, UDP retransmissions, error robustness (call timeout, protocol defense), call specific variable, Posix regular expression to extract and re-inject any protocol fields, custom actions (log, system command exec, call stop) on message receive, field injection from external CSV file to emulate live users.

SIPp can also send media (RTP) traffic through RTP echo and RTP / pcap replay. Media can be audio or audio+video.

While optimized for traffic, stress and performance testing, SIPp can be used to run one single call and exit, providing a passed/failed verdict.

Last, but not least, SIPp has a comprehensive documentation available both in HTML and PDF format.

SIPp can be used to test many real SIP equipements like SIP proxies, B2BUAs, SIP media servers, SIP/x gateways, SIP PBX, … It is also very useful to emulate thousands of user agents calling your SIP system.

DOWNLOAD

Webmin Installation 21/10/2009

cd /usr/src
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.490-1.noarch.rpm
rpm -ivh webmin-1.490-1.noarch.rpm

URL for the latest version by hovering your mouse over the ‘RPM’ link on the webmin homepage at webmin

[Solve] Critical Error retrieve_conf failed, config not applied 07/10/2009

Install the “Queues” module.

Module Admin > Check for updates online > Queues

Install VMWare Tools on CentOS 07/10/2009

The VMware Tools allows you to increase your virtual machine’s performance and capabilities.

Make sure that you have got the kernel header files and a C compiler installed:

# yum install gcc gcc-c++ kernel-devel

Now create a link pointing to your kernel header files directory:

# ln -s /usr/src/kernels/[your kernel version] /usr/src/linux

From the VMware Server console, click on “VM => Install VMware Tools…”. This will connect a virtual cdrom drive with the VMware Tools installation files in it. You now need to mount it and install the VMware Tools manually:

# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom
# cd /mnt/cdrom
# cp VMwareTools-[version].tar.gz /tmp
# cd /tmp
# umount /mnt/cdrom
# tar zxf VMwareTools-[version].tar.gz
# cd /tmp/vmware-tools-distrib
# ./vmware-install.pl

I’ve left the VMware Tools parameters to their default values by hitting “enter” until the end.

Install GNOME on Ubuntu Server 04/10/2009

Easy & Full options

• sudo apt-get install ubuntu-desktop
• OR sudo aptitude install ubuntu-desktop

Install without recommended

• sudo apt-get install –no-install-recommends ubuntu-desktop
• OR sudo aptitude install -R ubuntu-desktop