Cookies nonsense and other changes

On 1/7/2019 at 11:55 AM, John Cuthber said:

Like the media (apparently), I don't see GDPR as "ludicrous". 

What bits of it do you see as a problem?

Apparently you don't understand..

GDPR was the nicest surprise gift that thieves, crooks, hackers and virus makers could get, nicely packaged by politicians. Notice what we have now: a flood of SMS or e-mails to random people all over the country, with information like "If you would like to remove your data from our database, please click here".. And the incompetent, unaware user politely goes to a website possibly made by a hacker, which a user should never ever do in the first place! And after the visit, his/her computer can be infected by a virus.
They simply make a script which goes through all the phone numbers in a specified range, without knowing who these people are, sends the message, and after the user clicks in the message, they get a lot of information about the person. Information they did not have previously! What the IP is, the approximate location, what the phone number is, that the phone number is active, device details (Android device or Apple, Windows, Mac or Linux), what the web browser and its version are, possibly what plugins are installed on it, etc. etc.

Edited by Sensei

1 hour ago, MigL said:

Holy cr*p !

If I listen to Sensei, I might never use a computer again.

How to store the phone number invisibly to the user at first sight..?

e.g.

send_sms( phone_number, "[content of malicious message] http://[ url ]/" + md5( phone_number ) );

(eventually with some additional tag).

The user goes to a website, e.g. http://[ url ]/fa604719431619455874cef2164b0de2 (or so); the hacker has made a db of phone_numbers and corresponding md5() hash-codes, looks it up by md5 hash-code, and receives the info that the phone number is +441234567890

https://www.password-generator-tool.com/md5-hash-generator

It does not matter if you use Tor, VPN, or proxy. The same hash-code, the same phone number.

If I see hash-codes in such messages, but want to remain unrecognized, and visit it anyway, I strip the entire query from the URL. Then you can use Tor, VPN or proxy.. (better from a virtual machine/sandbox)

To be removed from any (legit or illegal) database, the user has to enter his/her details: write e-mail address, first name, second name. All the data on a plate to hackers, crooks, thieves.

Edited by Sensei
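Sensei's description above (a per-recipient hash in the link, which stays the same through Tor or a VPN, and the countermeasure of stripping it before visiting) as an added example, not code from the post: a Python check that flags hex-digest-looking path segments or query values in a received URL and strips them, leaving only the site root. The host example.invalid is a constructed placeholder; the digest value is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# 32, 40 or 64 hex digits: the shape of an MD5, SHA-1 or SHA-256 digest used as a
# per-recipient token (the post's md5(phone_number) case). A phone number has
# little entropy, so such a digest is a stable identifier, not an anonymiser.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def find_tracking_tokens(url: str) -> list:
    """Return every path segment and query value that looks like a hash token."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if HEX_DIGEST.match(seg)]
    for pair in parts.query.split("&"):
        value = pair.partition("=")[2]
        if HEX_DIGEST.match(value):
            tokens.append(value)
    return tokens


def strip_tracking(url: str) -> str:
    """Remove the query string, fragment and any hash-shaped path segment,
    which is the 'strip the entire query from the URL' step in the post."""
    parts = urlsplit(url)
    kept = [seg for seg in parts.path.split("/") if not HEX_DIGEST.match(seg)]
    path = "/".join(kept) or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed sample; the digest is the one quoted in the thread.
    sample = "http://example.invalid/fa604719431619455874cef2164b0de2?src=sms"
    print(find_tracking_tokens(sample))   # ['fa604719431619455874cef2164b0de2']
    print(strip_tracking(sample))         # http://example.invalid/
```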

51 minutes ago, Strange said:

He's talking crap as far as I can tell. I don't see how a privacy law suddenly gives hackers access to phone numbers. 

Privacy law introduced the "way to be forgotten", the "way to remove user data from any database".. Hackers write e-mails or SMS to random people, pretending they have their data. Users visit specially prepared websites with the intention of removing their data from the fake company's database, enter their data, and the hackers acquire data they did not have yet. Which bit of the whole procedure don't you understand?!

There are ways to infect a phone after the user has visited a malicious website, which I, for obvious reasons, won't reveal here, so as not to teach people how to do that.


5 hours ago, Strange said:

He's talking crap as far as I can tell. I don't see how a privacy law suddenly gives hackers access to phone numbers.

That’s just one of many possible outcomes. The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

For years we’ve been training people NOT to click on unknown links since it opens their systems to nefarious actors and bugs. Now, under the guise of GDPR, hackers have a bright shiny new opening and they will more frequently be able to trick people into clicking those links and inserting malicious code.

“This site uses cookies. Click OK to proceed.” or “Our privacy policy has been updated. Click here to accept.” ... That sort of thing. In seconds, the person reads that as valid since we’re seeing these popup boxes everywhere, clicks the button, and the hacker is now in.

Anyway, that’s how I read his point. The opening here is on clicking the link that is built to mimic a GDPR warning. What happens or what information gets collected next is limited only by the skill and creativity of the person writing the code.

Edited by iNow

11 minutes ago, iNow said:

That’s just one of many possible outcomes. The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

For years we’ve been training people NOT to click on unknown links since it opens their systems to nefarious actors and bugs. Now, under the guise of GDPR, hackers have a bright shiny new opening and they will more frequently be able to trick people into clicking those links and inserting malicious code.

“This site uses cookies. Click OK to proceed.” or “Our privacy policy has been updated. Click here to accept.” ... That sort of thing. In seconds, the person reads that as valid since we’re seeing these popup boxes everywhere, clicks the button, and the hacker is now in.

Anyway, that’s how I read his point. The opening here is on clicking the link that is built to mimic a GDPR warning. What happens or what information gets collected next is limited only by the skill and creativity of the person writing the code.

Yes +1

 

Which is why I suggested banning cookies altogether. But cookies have benefits?

There is precedent for this.

Lead tetraethyl, DDT and other things brought benefits certainly. But they are now still banned because of their downsides.

 

Strange, do you trust your Bank's IT department after all the recent scandals?

Edited by studiot

16 hours ago, iNow said:

He raises an excellent point. 

+1

Yes... sort of.

His point seems to be that bad guys tell lies and sometimes good guys get fooled and taken advantage of.
You don't need GDPR to have that state of affairs.

On a related note, there's this Nigerian prince I know...


5 hours ago, studiot said:

Which is why I suggested banning cookies altogether. But cookies have benefits?

Like I said in an earlier post, cookies are essential temporary local settings. Without them no forum nor Web v2.0 could work (alternative methods are worse and easier for hackers to intercept. That's the reason HTTP POST cookies were introduced instead of HTTP GET query string variables in the '90s). That's where the logged-in user's session id is stored (it expires after a couple of minutes of inactivity with the web browser), and that's where user settings are stored (if you click "I accept cookies on this website", that information is stored in cookies!).

Edited by Sensei

15 minutes ago, Sensei said:

Like I said in an earlier post, cookies are essential temporary local settings. Without them no forum nor Web v2.0 could work (alternative methods are worse and easier for hackers to intercept. That's the reason HTTP POST cookies were introduced instead of HTTP GET query string variables in the '90s). That's where the logged-in user's session id is stored (it expires after a couple of minutes of inactivity with the web browser), and that's where user settings are stored (if you click "I accept cookies on this website", that information is stored in cookies!).

I know the sort of thing cookies are legitimately used for, and I thank you for the useful information about how some can misuse them.

But I disagree that it is impossible to do without them.

Everybody screamed 'we can't do without lead tetraethyl' and we can't make our cars more fuel efficient and cleaner burning and so on, when the regulations were introduced.

Whadda ya know?

We are now driving cars that conform.


38 minutes ago, studiot said:

But I disagree that it is impossible to do without them.

Then show your alternative solution programmatically..? A solution which is not the HTTP GET query string, as it's the (worse) predecessor for keeping the logged-in user's session id.

Store the session id inside the body of the HTML page in hidden data like an HTML comment..? Every website creator could do that. Each using a completely different technique.

If somebody intends to use cookies for storing the identity of a user (for tracing purposes), the same person could easily use HTML tags to store that information as well.

i.e. if politicians banned cookies, all webmasters would encode such data inside HTML tags.

Edited by Sensei

1 minute ago, Sensei said:

Then show your alternative solution programmatically..?

The solution is not to a problem created by programmers.

The solution is different programming entirely.

(Perhaps different systems analysis)


You get a ton of info from users, so realistically you could still reasonably identify them with that.

IP address, browser/system info, browsing times, mouse movements/click timings, writing style, and whatever users happen to directly provide. It wouldn't be perfect but would be enough for more typical uses by sites.

I really see cookies as being the better option though, as the data there is limited and under your direct control.

... and there are or were at least a number of oddball ways to store info on a user's machine. Not sure what all is around now. Worst case there's always cached assets you could encode something in.


21 hours ago, iNow said:

The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

And it is a stupid point.

There are any number of things that people will use as excuses to trick people. "You have won a prize", "You have an unpaid invoice", "Your tax refund is due", "Meet beautiful girls", "Problem with your order", "Confirm your bank details", "Check your privacy settings".

The solution is obviously not to get rid of competitions, online shopping, taxes, dating, shopping, banking or GDPR.

 

14 hours ago, studiot said:

The solution is not to a problem created by programmers.

The solution is different programming entirely.

(Perhaps different systems analysis)

Is that your way of saying that you don't have a solution?

14 hours ago, Sensei said:

Then show your alternative solution programmatically..? A solution which is not the HTTP GET query string, as it's the (worse) predecessor for keeping the logged-in user's session id.

Store the session id inside the body of the HTML page in hidden data like an HTML comment..? Every website creator could do that. Each using a completely different technique.

If somebody intends to use cookies for storing the identity of a user (for tracing purposes), the same person could easily use HTML tags to store that information as well.

i.e. if politicians banned cookies, all webmasters would encode such data inside HTML tags.

How exactly do you replace data stored on the client with information stored on the server?

Just saying "use HTML tags" isn't much better than saying "magic" without an explanation of how it would work.

21 hours ago, studiot said:

Strange, do you trust your Bank's IT department after all the recent scandals ?

I am fairly confident that my bank is better than average. But I wouldn't trust them completely, any more than I would any other online service. However, that obviously has absolutely nothing to do with cookies.

A website can be secure or insecure without using cookies. A website can steal your personal data without using cookies.

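The cookie-versus-query-string exchange above, as an added example that is no poster's code: a minimal server-side session where the client is handed only a random id in a cookie carrying the HttpOnly, Secure and SameSite attributes (so it is out of reach of page scripts, plain HTTP and cross-site requests), and the server enforces the idle timeout Sensei mentions. The function names and the 600-second timeout are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 600  # seconds of inactivity before the session dies (assumed value)

# Server-side store: session id -> (user, last-seen time). The client never
# holds the user's identity, only an unguessable random id that maps to it here.
SESSIONS: Dict[str, Tuple[str, float]] = {}


def create_session(user: str, now: float) -> Tuple[str, str]:
    """Log a user in: return (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)          # 256 random bits, not derived from the user
    SESSIONS[sid] = (user, now)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True         # page scripts cannot read it
    cookie["sid"]["secure"] = True           # sent only over HTTPS
    cookie["sid"]["samesite"] = "Strict"     # not attached to cross-site requests
    cookie["sid"]["path"] = "/"
    return sid, cookie.output(header="").strip()


def user_for_request(cookie_header: str, now: float) -> Optional[str]:
    """Resolve the request's Cookie header to a user, enforcing the idle timeout."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" not in cookie:
        return None
    sid = cookie["sid"].value
    entry = SESSIONS.get(sid)
    if entry is None:
        return None                          # unknown or already expired id
    user, last_seen = entry
    if now - last_seen > IDLE_TIMEOUT:
        del SESSIONS[sid]                    # idle too long: forget it server-side
        return None
    SESSIONS[sid] = (user, now)              # activity refreshes the timer
    return user


if __name__ == "__main__":
    sid, set_cookie = create_session("alice", now=0.0)
    print(set_cookie)                                                # sid=...; HttpOnly; ...; Secure
    print(user_for_request("sid=" + sid, now=100.0))                 # alice
    print(user_for_request("sid=" + sid, now=100.0 + IDLE_TIMEOUT + 1))  # None
```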