studiot

Cookies nonsense and other changes

1 hour ago, Strange said:

I'm fairly sure that has always been there.

Ah, I never noticed until a few days ago that even inside of posts and quotes, hovering over someone's name shows it.

Edited by Raider5678

On 1/7/2019 at 11:55 AM, John Cuthber said:

Like the media (apparently), I don't see GDPR as "ludicrous". 

What bits of it do you see as a problem?

Apparently you don't understand..

GDPR was the nicest surprise gift for thieves, crooks, hackers and virus makers they could get, a nicely packed gift from politicians. Notice what we have now: a flood of SMS or e-mails to random people all over the country, with information like "If you would like to remove your data from our database please click here".. And an incompetent, unaware user nicely and politely goes to a website possibly made by a hacker, which the user should never ever do in the first place! And after the visit, his/her computer can be infected by a virus.
They simply make a script which goes through all the phone numbers in a specified range, without knowing who these people are, sending a message, and after the user clicks in the message, they get a lot of information about the person. Information they did not have previously! What the IP is, approximate location, what the phone number is, that the phone number is active, device details (Android device or Apple, Windows, Mac or Linux), what the web browser and its version are, possibly what plugins are installed on it, etc. etc.

 

Edited by Sensei


Holy cr*p !

If I listen to Sensei, I might never use a computer again.


He raises an excellent point. 

+1

1 hour ago, MigL said:

Holy cr*p !

If I listen to Sensei, I might never use a computer again.

How to store a phone number so that it is invisible to the user at first sight.. ?

e.g.

send_sms( phone_number, "[content of malicious message] http://[ url ]/" + md5( phone_number ) );

(eventually with some additional tag).

The user goes to the website, e.g. http://[ url ]/fa604719431619455874cef2164b0de2 (or so); the hacker has made a db of phone_numbers and corresponding md5() hash-codes, looks it up by the md5 hash-code, and receives the info that the phone number is +441234567890

https://www.password-generator-tool.com/md5-hash-generator

It does not matter if you use Tor, VPN, or proxy. The same hash-code, the same phone number.

If I see hash-codes in such messages, but want to remain unrecognized, and visit it anyway, I strip the entire query from the URL. Then you can use Tor, VPN or proxy.. (better from a virtual machine/sandbox)

 

To be removed from any (legit or illegal) database, the user has to enter his/her details. Write e-mail address, first name, second name. All the data on a plate for hackers, crooks, thieves.

Edited by Sensei
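
The mitigation described in the post above (dropping the hash-code and the query before visiting a link), sketched as an added Python example that is not part of the original post. The function names, the `example.invalid` host and the sample message are constructed for illustration; the hex-length heuristic only catches digest-style tokens, and any opaque path segment can identify a recipient.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hex strings of these lengths match MD5 (32), SHA-1 (40) and SHA-256 (64) digests.
DIGEST_LENGTHS = {32, 40, 64}
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")


def looks_like_digest(segment):
    """True if a path segment is a bare hex string of digest length."""
    return len(segment) in DIGEST_LENGTHS and HEX_ONLY.fullmatch(segment) is not None


def strip_recipient_tokens(url):
    """Return (cleaned_url, findings) with digest-like path segments,
    the query string and the fragment removed."""
    parts = urlsplit(url)
    findings, kept = [], []
    for segment in parts.path.split("/"):
        if looks_like_digest(segment):
            findings.append(f"digest-like path segment ({len(segment)} hex chars)")
        else:
            kept.append(segment)
    if parts.query:
        findings.append("query string")
    if parts.fragment:
        findings.append("fragment")
    path = "/".join(kept) or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", "")), findings


def audit_message(text):
    """Find every link in a message and report what would identify the recipient."""
    return [(url, *strip_recipient_tokens(url)) for url in URL_IN_TEXT.findall(text)]


# Constructed sample: the wording and hash-code quoted in the thread, with a
# placeholder host (example.invalid) standing in for "[ url ]".
SAMPLE_SMS = (
    "If you would like to remove your data from our database please click here "
    "http://example.invalid/fa604719431619455874cef2164b0de2"
)

if __name__ == "__main__":
    for original, cleaned, findings in audit_message(SAMPLE_SMS):
        print(original, "->", cleaned, findings)
```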

5 hours ago, iNow said:

He raises an excellent point. 

+1

He's talking crap as far as I can tell. I don't see how a privacy law suddenly gives hackers access to phone numbers.

51 minutes ago, Strange said:

He's talking crap as far as I can tell. I don't see how a privacy law suddenly gives hackers access to phone numbers. 

Privacy law introduced a "way to be forgotten", a "way to remove user data from any database".. Hackers write e-mails or SMS to random people, pretending they have their data. Users visit specially prepared websites with the intention of removing their data from a fake company database, enter their data, and the hackers acquire data they did not have yet. Which bit in the whole procedure don't you understand?!

There are ways to infect a phone after the user has visited a malicious website, which I, for obvious reasons, won't reveal here, so as not to teach people how to do that.

1 hour ago, Sensei said:

Which bit in the whole procedure don't you understand?!

The bit where you blame GDPR

“You shouldn’t lock your door because it will encourage burglars to break the windows”

5 hours ago, Strange said:

He's talking crap as far as I can tell. I don't see how a privacy law suddenly gives hackers access to phone numbers.

That’s just one of many possible outcomes. The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

For years we’ve been training people NOT to click on unknown links since it opens their systems to nefarious actors and bugs. Now, under the guise of GDPR, hackers have a bright shiny new opening and they will more frequently be able to trick people into clicking those links and inserting malicious code.

“This site uses cookies. Click OK to proceed.” or “Our privacy policy has been updated. Click here to accept.” ... That sort of thing. In seconds, the person reads that as valid since we’re seeing these popup boxes everywhere, clicks the button, and the hacker is now in.

Anyway, that’s how I read his point. The opening here is on clicking the link that is built to mimic a GDPR warning. What happens or what information gets collected next is limited only by the skill and creativity of the person writing the code.

 

Edited by iNow

11 minutes ago, iNow said:

That’s just one of many possible outcomes. The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

For years we’ve been training people NOT to click on unknown links since it opens their systems to nefarious actors and bugs. Now, under the guise of GDPR, hackers have a bright shiny new opening and they will more frequently be able to trick people into clicking those links and inserting malicious code.

“This site uses cookies. Click OK to proceed.” or “Our privacy policy has been updated. Click here to accept.” ... That sort of thing. In seconds, the person reads that as valid since we’re seeing these popup boxes everywhere, clicks the button, and the hacker is now in.

Anyway, that’s how I read his point. The opening here is on clicking the link that is built to mimic a GDPR warning. What happens or what information gets collected next is limited only by the skill and creativity of the person writing the code.

 

Yes  +1

 

Which is why I suggested banning cookies altogether. But cookies have benefits?

There is precedent for this.

Lead tetraethyl, DDT and other things brought benefits certainly. But they are now still banned because of their downsides.

 

Strange, do you trust your Bank's IT department after all the recent scandals ?

 

 

Edited by studiot

16 hours ago, iNow said:

He raises an excellent point. 

+1

Yes... sort of.

His point seems to be that bad guys tell lies and sometimes good guys get fooled and taken advantage of.
You don't need GDPR to have that state of affairs.

On a related note, there's this Nigerian prince I know...

5 hours ago, studiot said:

Which is why I suggested banning cookies altogether. But cookies have benefits?

Like I said in an earlier post, cookies are essential temporary local settings. Without them no forum nor Web v2.0 could work (alternative methods are worse and easier for hackers to intercept. That's the reason HTTP POST cookies were introduced instead of HTTP GET query string variables in the '90s). That's where the logged-in user's session id is stored (it expires after a couple of minutes of inactivity with the web browser), that's where user settings are stored (if you click "I accept cookies on this website" that information is stored in cookies!).

Edited by Sensei
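
What the session cookie described above actually holds, as an added Python example (not code from the thread or from the forum software): a random identifier, with the login state kept on the server and dropped after a period of inactivity. The `SessionStore` class, the `sid` cookie name and the 15-minute timeout are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # assumed value: seconds of inactivity before a session expires


class SessionStore:
    """Server-side sessions: the browser only ever holds a random identifier."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session id -> (last_seen, data)

    def create(self, data):
        """Store data on the server and return the unguessable id for the cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._now(), dict(data))
        return sid

    def set_cookie_header(self, sid):
        """Value for a Set-Cookie header that keeps the id away from scripts,
        plain HTTP and most cross-site requests."""
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["httponly"] = True
        cookie["sid"]["secure"] = True
        cookie["sid"]["samesite"] = "Lax"
        return cookie["sid"].OutputString()

    def lookup(self, cookie_header):
        """Return the session data for a request's Cookie header, or None."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("sid")
        entry = self._sessions.get(morsel.value) if morsel else None
        if entry is None:
            return None          # no cookie, or an id the server never issued
        last_seen, data = entry
        if self._now() - last_seen > IDLE_TIMEOUT:
            del self._sessions[morsel.value]
            return None          # idle too long: the user has to log in again
        self._sessions[morsel.value] = (self._now(), data)  # sliding expiry
        return data
```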

15 minutes ago, Sensei said:

Like I said in an earlier post, cookies are essential temporary local settings. Without them no forum nor Web v2.0 could work (alternative methods are worse and easier for hackers to intercept. That's the reason HTTP POST cookies were introduced instead of HTTP GET query string variables in the '90s). That's where the logged-in user's session id is stored (it expires after a couple of minutes of inactivity with the web browser), that's where user settings are stored (if you click "I accept cookies on this website" that information is stored in cookies!).

I know the sort of thing cookies are legitimately used for, and I thank you for the useful information about how some can misuse them.

But I disagree that it is impossible to do without them.

Everybody screamed 'we can't do without Lead tetraethyl' and we can't make our cars more fuel efficient and cleaner burning and so on, when the regulations were introduced.

Whadda ya know?

We are now driving cars that conform.

38 minutes ago, studiot said:

But I disagree that it is impossible to do without them.

Then show your alternative solution programmatically.. ? A solution which is not the HTTP GET query string, as it's the (worse) predecessor for keeping the logged-in user's session id.

Store the session id inside the body of the HTML page in hidden data like an HTML comment.. ? Every website creator could do that. Every one using a completely different technique.

If somebody intends to use cookies for storing the identity of a user (for tracing purposes), the same person could easily use HTML tags to store that information as well.

i.e. if politicians banned cookies, all webmasters would encode such data inside HTML tags.

Edited by Sensei

1 minute ago, Sensei said:

Then show your alternative solution programmatically.. ?

The solution is not to a problem created by programmers.

The solution is different programming entirely.

(Perhaps different systems analysis)


You get a ton of info from users, so realistically you could still reasonably identify them with that.

IP address, browser/system info, browsing times, mouse movements/click timings, writing style, and whatever users happen to directly provide. Wouldn't be perfect but would be enough for more typical uses by sites.

I really see cookies as being the better option though as the data there is limited and under your direct control.

... and there are or were at least a number of oddball ways to store info on a user's machine. Not sure what all is around now. Worst case there's always cached assets you could encode something in.


I'm still waiting for anything that shows that GDPR actually caused a problem.

21 hours ago, iNow said:

The underlying point is that there is a new and seemingly sanctioned reason to get people to click on random links in random emails and on random websites.

And it is a stupid point.

There are any number of things that people will use as excuses to trick people. "You have won a prize", "You have an unpaid invoice", "Your tax refund is due", "Meet beautiful girls", "Problem with your order", "Confirm your bank details", "Check your privacy settings".

The solution is obviously not to get rid of competitions, online shopping, taxes, dating, shopping, banking or GDPR.

 

14 hours ago, studiot said:

The solution is not to a problem created by programmers.

The solution is different programming entirely.

(Perhaps different systems analysis)

Is that your way of saying that you don't have a solution?

14 hours ago, Sensei said:

Then show your alternative solution programmatically.. ? A solution which is not the HTTP GET query string, as it's the (worse) predecessor for keeping the logged-in user's session id.

Store the session id inside the body of the HTML page in hidden data like an HTML comment.. ? Every website creator could do that. Every one using a completely different technique.

If somebody intends to use cookies for storing the identity of a user (for tracing purposes), the same person could easily use HTML tags to store that information as well.

i.e. if politicians banned cookies, all webmasters would encode such data inside HTML tags.

How exactly do you replace data stored on the client with information stored on the server?

Just saying "use HTML tags" isn't much better than saying "magic" without an explanation of how it would work.

21 hours ago, studiot said:

Strange, do you trust your Bank's IT department after all the recent scandals ?

I am fairly confident that my bank is better than average. But I wouldn't trust them completely, any more than I would any other online service. However, that obviously has absolutely nothing to do with cookies.

A website can be secure or insecure without using cookies. A website can steal your personal data without using cookies.
