Showing posts with label evil. Show all posts

Friday, 21 May 2010

Tracking Cookies: Google Offers Opt-Out

--
In keeping with the "bad news travels fast; good news is forgotten" theory, I dug up something quite good today that was only whispered in the tech news: Google lived up to their motto this past March and started offering opt-out options and tools for being free from being followed by their Tracking Cookies. Imagine that.


Not that I actually care, since I've been blocking Tracking Cookies on my web browsers for over a decade. And not that your average Internet surfer is going to notice. Google aren't exactly advertising their kind gesture.

If you've read my previous posts on Tracking Cookies you already know what to do: TURN OFF third party cookies in your web browser settings. On Mac, every browser worth using has this setting available in its Preferences under various descriptions. Here are some examples:

[Screenshots: cookie preferences in Safari, OmniWeb, Camino, Firefox, iCab and Opera]

. . .

For the sake of review,
What Are Tracking Cookies?

Wikipedia.org has a very good description of them HERE.

My rendition:

Fried SPAM with cute little colored sprinkles on top. Or if you prefer sushi, how about:


Marketing people, ideally, like to help people find what they need and want. (These days we know that is generally NOT the case, thank you MBA degree mills. But I cover that subject over at my zunipus blog). The modern ideal in marketing is to follow you every minute of the day and offer you sales opportunities everywhere you go that are tailored just for you.

There are some marketing people who would be most pleased to implant a chip under your skin that triggers off automatic ads with potential sales opportunities around every corner. Some people believe this will trigger the end of the world. What a revelation. Darn, you got chip ID #666? That's not good.

Since it is illegal to 'chip' anyone in our current age, the next best thing is to 'chip' your web browser. This allows marketing people to follow you around on the Internet and trigger off automatic ads with every click.

The 'chip' in your browser is called a 'cookie', formerly 'magic cookie'. Thank Lou Montulli of Netscape for the concept and name. Cookies are actually very benign in concept. They allow the sharing of basic information between you and specific websites. For example, they are able to hold your ID and password at the Apple Store. They can also feed back to each specific website where you visited within that website. Amazon make very good use of cookies, suggesting books, music, electronics, etc., that fit within your demonstrated interests while navigating their site. It can help you find things you never knew existed.

Where cookies become evil is when they are shared among many sites. These are Tracking Cookies. Google is the King of Tracking Cookies. What you end up with is a syndicate of websites, all associated with one marketing hub, such as Google, who all share their cookie data with one another via ubiquitous Tracking Cookies. This means that your Google web searches end up with Targeted Ads aimed particularly at you.

Suppose you went to Amazon.com and went shopping for sex toys. Thanks to Google's Tracking Cookies, now the entire syndicate of Google associated web shops knows. So now you get ads for vibrators on your Google search pages. You go to SuperDuperWhatever.com for the very first time and up pop ads for warming gels, various stimulation pills, elongated probing instruments, on and on.
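
To make the mechanism concrete, here is an added sketch (not part of the original post) of how one hub embedded on many sites ties your visits together with a single cookie, and what the third-party cookie setting does to that. The host names, the `Browser`, `makeTracker` and `simulate` names, and the two-label `siteOf` rule are all assumptions made for the illustration.

```javascript
// Toy model: one browser, one ad hub. Every host name here is made up.
const TRACKER = "ads.tracker.example"; // hypothetical marketing hub

// Crude "site" of a host: its last two labels (real browsers use the Public Suffix List).
const siteOf = (host) => host.split(".").slice(-2).join(".");

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie jar: host -> cookie value
  }
  // Load a page plus the resources it embeds; each resource is its own request.
  visit(pageUrl, embeddedUrls, server) {
    const pageHost = new URL(pageUrl).hostname;
    for (const resUrl of embeddedUrls) {
      const host = new URL(resUrl).hostname;
      const thirdParty = siteOf(host) !== siteOf(pageHost);
      const allowed = !(thirdParty && this.blockThirdParty);
      const cookie = allowed ? this.jar.get(host) : undefined;
      const setCookie = server({ host, referer: pageUrl, cookie });
      if (setCookie && allowed) this.jar.set(host, setCookie);
    }
  }
}

// The hub hands out an ID on first contact, then files every Referer under it.
function makeTracker() {
  const profiles = new Map(); // id -> pages the hub saw that ID on
  let nextId = 1;
  const handle = (req) => {
    const id = req.cookie ?? `uid-${nextId++}`;
    if (!profiles.has(id)) profiles.set(id, []);
    profiles.get(id).push(req.referer);
    return req.cookie ? undefined : id; // Set-Cookie only for newcomers
  };
  return { handle, profiles };
}

// Visit three unrelated (constructed) sites that all embed the hub's pixel.
function simulate(blockThirdParty) {
  const tracker = makeTracker();
  const browser = new Browser(blockThirdParty);
  const pixel = `https://${TRACKER}/pixel.gif`;
  const pages = ["https://shop.example/toys", "https://news.example/today", "https://blog.example/post"];
  for (const page of pages) browser.visit(page, [pixel], tracker.handle);
  // Longest browsing history the hub can tie to one ID.
  return Math.max(...[...tracker.profiles.values()].map((p) => p.length));
}
console.log({ allowed: simulate(false), blocked: simulate(true) });
```

With third-party cookies allowed, the hub files all three visits under one ID; with them blocked, it sees three strangers with one page each.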

If this all sounds entirely offensive and invasive of your privacy, you're not alone. I personally don't give a rat's about marketing data collection, no matter what 'opportunities' they may offer. When I want something I go out and research it, all on my own, and typically end up buying the best product at the cheapest price entirely due to my efforts. No ads required. To me, advertising is a distraction at best. Therefore, my web browsers are maxed out with ad blocking plugins and settings. Even in situations where anti-ad measures fail, my brain is so used to marketing 'opportunities' on both the real and virtual landscapes that I quite literally don't see them. They don't exist in my mind's eye. There are 'subliminal' marketing theories of course, but every one of them fails from my POV.

Example:

My parents freak out whenever I visit them because I never bother to mute the TV ads. Why do I do that? I literally don't notice them! I don't care what they say. If I pay attention at all it is typically to mock them, they are usually so ridiculous and predictable. The only exceptions are abusive ads. I pick up on them rather quickly and take note of what they're selling in order that I never buy it. I also enjoy collecting examples of abusive ads. I often post perpetrators of what I call 'AD BLASTING' and 'AD SLAMMING' over at my zunipus blog. For some reason, my personality is particularly offended by any form of human abuse. Maybe it's because I'm human. With the plethora of psychopaths in world politics, religion and biznizz these days you have to wonder how many humans are left on Earth. But I rant.

We humans always discover and create new ways to thwart other people's bad choices. Blocking Tracking Cookies is simple because just about every web browser provides a method. Set it once and forget it. Happiness shall be yours young apprentice.

Well, there is one drawback: Advertising isn't going away.

You'll still be hit with it everywhere you go IRL or WWW. But instead of the ads targeting specifically you, they'll simply be generic. Darn! You'll just have to settle for having your privacy.

--

Saturday, 25 July 2009

Mac Attacks @ Black Hat USA 2009

--
BWAHAHAHA!

It's time for the second Black Hat Technical Security Conference of the year, this one being held in Las Vegas, NV. Where else! I wonder how much money casinos will lose to participants after hours.

The conference runs July 25 through July 30. I'll be keeping an eye on Mac-related revelry. Here are a couple announced Mac security events, researched and presented of course by two of our greatest Mac hackers, Dino Dai Zovi and Dr. Charlie Miller. My anti-heroes. *sw00n*

DINO DAI ZOVI

Advanced Mac OS X Rootkits

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

Macsploitation with Metasploit

While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.

Here is Dino's bio from the site:

Dino Dai Zovi
Endgame Systems

Dino Dai Zovi has been working in information security for over 9 years with experience in red teaming, penetration testing, and software security assessments at Sandia National Laboratories, @stake, and Matasano Security. Mr. Dai Zovi is also a regular speaker at information security conferences including presentations of his research on MacOS X security, hardware virtualization assisted rootkits using Intel VT-x, 802.11 wireless client security, and offensive security techniques at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and DEFCON. He is a co-author of "The Mac Hacker's Handbook" (Wiley 2008) and "The Art of Software Security Testing" (Addison-Wesley Professional 2006). He is perhaps best known in the information security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.

Also featured is a talk by Kostya Kortchinsky on how to use breakout vulnerabilities in VMware virtualization software for Mac to hack into the host machine. And that's bad. Kostya works in France and is infamous for being first to exploit announced Microsoft vulnerabilities.

Some other somewhat Mac relevant subjects that will be presented:
  • BitTorrent Hacks - Michael Brooks and David Aslanian
  • Reversing and Exploiting an Apple® Firmware Update [for an Apple aluminum keyboard] - K. Chen

And of course an array of new PHP and SQL vulnerability hacks. What, no Microsoft exploits? There's no fooling you! Of course there are! And let's not forget exploitation of ye olde Intel® BIOS, Oracle, parking meters, iPhones, routers, and the US federal government. Included is an in-depth discussion of the Windows worm of the year, Conficker. The favorite subject this year appears to be rootkits. The Pwnie Awards will be announced July 29th. There's fun for everyone.
--

Wednesday, 11 March 2009

Mostly Harmless: Adobe Updater Requests Administrative Privileges!!!

--
Consider me profoundly ticked off at Adobe. This is the last straw for me regarding their Adobe Updater program. It has now been DELETED off my computer, and I suggest you do the same.

I really hope I am being alarmist about what Adobe just tried to pull on me and I get lots of letters ranting at me about my foolishness. But I believe what I just witnessed on my Mac has tipped Adobe into the Evil Zone.

Back Story:

For the last several years it has been at times hell-on-Earth updating Adobe programs via the Internet. I have never, ever seen a more diabolically BAD system for updating programs. I've written to them about it several times as have hundreds of other people.

So this past year Adobe figured out they had a PR problem and offered professionals the opportunity to describe the problems with Adobe's update system. Hundreds of people again contacted Adobe. So everything is going to get all better now. Right?

Adobe wants to rule your Mac:

Tonight I got notification from good old VersionTracker.com that Adobe Reader version 9.1 had been released. It is a critical update that plugs some very bad security holes. Everyone should update ASAP. So of course I did the update.

As per usual, stupid Adobe couldn't do just one simple update, they had to ask me again and again for permission to install stuff. Among the added rubbish was yet another version of Adobe Updater. Clearly, nothing has been improved in Adobe's idiotic updating system over the Internet.

Then came the very-very last step: A box requesting my password, for a SECOND TIME, allowing Adobe Updater to have ADMINISTRATIVE PRIVILEGES, forever!

Stop and consider that a second. An application asked me if it could always have administrative privileges to do whatever it wanted to my computer at any time. IOW Adobe Updater was asking if it could rule my computer. This is called evil. (OK, now you can tell me I'm paranoid. But I don't think so!)

My response:

I canceled the request.

And for good measure I DELETED Adobe Updater from my computer.

Then I wrote the following to Adobe:

I just installed Adobe Reader 9.1 for Mac OS X.

Why did Adobe Updater ask me for my password so it could run, at will, with Administrative Privileges?

This is profoundly insecure, DANGEROUS and a bad idea in ALL situations.

As a result I CANCELED this privileges request. I also took Adobe Updater and ERASED IT from my computer. Adobe Updater will remain erased from my Macintosh computer until such time as Adobe explains itself regarding this DANGEROUS request. It had better be good. I will be publishing my disgust regarding your privileges request on the Internet and in computer user group newsletters this coming week.

And so I have. And if (a big if) Adobe get off the arrogance kick and actually respond, I'll let you know and share what they say. You can start holding your breath . . . NOW.

Until then:

Clutch your Mac firmly to your breast. Adobe are coming to take it away.
--