David Sherman
Is there a product that does a better job in removing LSO - Flash
cookies as mentioned in SN120?
http://kb.adobe.com/selfservice/viewContent.do?externalId=52697ee8&sliceId=2
Can someone place spyware in these objects?
By listening to episode #120, which you can download at
http://www.grc.com/securitynow.html. Here is part of the program that
discusses these items:
LEO: It came as a surprise to me that the last question addressed in
Episode 118, while partially answered, did not lead to the discussion
about Flash cookies, particularly as I first learned about them during
an earlier Security Now! episode - hey, we know so much that we forget
things - and that info provided then answered identical questions I've
had in the past. It turns out that three out of three financial
institutions I use online plant Flash cookies - wow - to track users'
status, including BofA. I hope many other listeners alert you to
this, leading to a good discussion of such semi-hidden techniques
which are important for computer security in general. I'm
particularly angered by this practice as the designers obviously have
chosen an object poorly understood, if at all known to most of the
public, and have not disclosed it to the users in clear manner. Well,
fooled me. Typical spyware-like methods deserving critique and raised
alertness to it. So that's interesting because remember I went
through this whole rigmarole where I turned off cookies and stuff and
so forth and so on, and it needed to be - I determined it was cookies.
But maybe it is Flash cookies.
STEVE: Well, and maybe - you and I talked about this, we've talked
about it before here. We also did a whole session on it when you and
I were in Toronto a couple years ago and showed the viewers of your
Call For Help show where to go and how to turn these off.
LEO: Which I'd completely forgotten.
STEVE: So I wanted to mention that to everyone who's listening
because many people wrote in having done this experiment. They
deleted their cookies, they emptied their browser cache, they shut
down their browser, they rebooted their computer, they took their
laptop to somewhere else, and they were - and literally at least 40
people wrote in and said, "It still knew me. How did it know me?"
And so I appreciated this confirmation that this use of Flash cookies
is becoming more widespread, clearly in this case, as he says three
out of the three financial institutions he used plant Flash cookies.
So to all listeners, into Google you want to put "Flash player
settings manager." Just put in "Flash player settings manager," and
you get a link to Macromedia, maybe it says Adobe now, I'm not sure, I
don't remember whether they've changed the URL. But the point is,
most of us have Flash loaded in our machines now, which unfortunately
is why the banks have all started using it. It's something that
survives, as many listeners have discovered, it survives casual cookie
deletion. And exactly as this guy has mentioned, it annoys him
because it is unknown and is unclear.
The good news is, it's possible to control these settings and to
prevent sites from using Flash cookies if for some reason you really
didn't want that, or to restrict sites that you have specifically
allowed. Anyway, there's good Flash cookie management available, and
it's a web-based interface. You don't use your local Flash player,
running it like standalone, because it is an embedded web page object.
Instead, if you put in "Flash player settings manager," that'll take
you to the Flash site, where you're then able to go to some web pages
to bring up a little tabbed interface. Basically it runs your Flash
player on the page and gives you access to a user interface you never
knew you had. And you're able to browse through and see the domains
that have registered cookies on your machine. You can delete them
right there. You're able to change settings. You're able to do some
worrisome things, like you can tell it don't ever turn on my
microphone and camera without letting me know. It's like, okay, well,
that's probably a good thing to tell it. So you're able to do that
and a number of other things.
So again, "Flash player settings manager," and poke around in there.
You'll find out who has stored cookies, so you know. You're able to
delete them. You're able to then block them and prevent them from
changing. Anyway, there's a whole bunch of tabs and settings that are
definitely worth poking around in.
LEO: I don't see Bank of America in my cookies, however, so I don't
know. Maybe I'm special. And wouldn't you need to see - wouldn't you
see somewhere that Flash was running?
STEVE: You don't see it. It's completely done behind the scenes
using JavaScript.
LEO: So you can uncheck the box that says allow third-party Flash
content to store data on your computer. It doesn't - JavaScript
doesn't even have Flash going. Wow, that's interesting.
STEVE: Now, is there a chance you would have changed these settings
in the past?
LEO: Yes. Oh, of course, I had set it storage to zero. But there's
more than that. You also probably want to deny all cookies and so
forth. But then you have the same problem denying cookies on a
browser, as well, which is that some sites don't like it. I see, I'm
looking at the sites that have placed cookies on, you know, visited
websites. And they're all, you know, they're mostly sites that do
Flash media in one way or the other, like YouTube and Blip TV,
Ustream. I don't see my bank. So I don't - anyway, I don't know.
Twitter uses it for some reason. That's interesting.
STEVE: My guess is that the banks probably issue standard cookies and
Flash cookies. They probably just throw as much state...
LEO: As they can.
STEVE: I'm sure they do. They throw as much state at you as they
can, and anything they get back helps them to recognize you.
LEO: Right, which is fine. And in that case I want them to have some
sort of way to recognize me.
STEVE: Agreed.
LEO: Interesting. Thank you, Dusan, for that. Now, where did the
questions go? Oh, here they are.
STEVE: They got buried under your Flash browser.