Why cannot we manage Flash Cookies?

[polonus]

Hi malware fighters,

While loads of users delete their cookies on a regular basis (monthly or so), the trackers thought of a more persitent tracking mechanisms like the persistent Flash Shared Object. Is there a way to manage them? Is there a way to opt out,? Or are they persistent on the hard disk and the Flash Content won't play if you do not allow to share this Flash Cookie.
With ISP's adding tracking scripts to their users web browser content to sell their user's surfing habits to third parties as happened recently in the UK, there is so much going on under the hood, I want to be able at least to manage or adjust or block or allow. See: http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html
Report on this secret test: http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/

For instance with the tracking scripts the users thought they were victims of adware or spyware (but they never thought of their own ISP doing the spying, and slowing down their very browser performance). Is their a way to take your browser back in your own hands, and is there a way to manage the tracking mechanisms (objects, tags, bugs)? In the old days there was the Proxomitron, but I do not like proxies,

polonus

[polonus]

Hi malware fighters,

Had to look up the answer myself, there is a special Firefox add-on for this to deal with these special objects, these so-called hard disk persistent Super-Cookies - install from here: https://addons.mozilla.org/en-US/firefox/addon/6623
This add-on goes by the name BetterPrivacy and here is the homepage for installation or download:
http://netcat.ath.cx/BetterPrivacy/BetterPrivacy.htm

polonus

[DavidR]

Reading a bit from the homepage.

Those Super-Cookies are placed in central system folders and so protected from deletion.

If this is what I think it is, system or system32 them running firefox under DMR would stop them being able to drop this c**P in the central system folders.
I'm also thinking for Vista the UAC would surely block this as well unless I'm mistaken in the UAC of Vista.

So it may be that I don't have an issue with the placement on system folders as wouldn't others using DMR or Vista UAC, making this add-on redundant.

[polonus]

Hi DavidR,

Give you an example, because normally this info is certainly encrypted on your box.
www.youtube.com
Name of LSO is : soundData.sol
Parent: www.youtube.com
Size 58 bytes
Path:\#SharedObjects\562SV8\

So why don't you install Better Privacy in FF and see what is on your Vista box,
and if MS really let you opt out by default of this, what I do not think, they do the
same with their Media Player by default.

Well, because it is reset with a new one if the unique ID was handed out once, automatically.
There appears to be no method of blocking SuperCookies from a Web site
except to uninstall Windows Media Player or to turn off JavaScript.

- All Web sites get the same ID number so they can easily exchange information
about a user much like third-party cookies are used today by ad networks and Internet marketing companies.

- Even if someone is using a cookie blocker add-in, SuperCookies will still work.

- If a user has deleted cookies from his or her computer to stop tracking,
a Web site can restore an old cookie value from this altering unique ID number.
Once the cookie value has been restored,
new tracking data can be combined with tracking data
that was previously collected by the Web site.

For the unique ID that is set every time by MediaPlayer,
execute: regedit
go to: HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/MEDIAPLAYER/PLAYER/SETINGS
&
HKEY_USER/.DEFAULT/SOFTWARE/MICROSOFT/MEDIAPLAYER/PLAYER/SETINGS

And set to "0".

polonus

For Vista the Super Cookie is known as Persistent Identification Element
Flash-built websites often use shared objects in gathering information from visitors. Besides data on how the sites are being used, retailers, for example, can track what visitors place in their shopping carts, or store a list of previously purchased products. So if you block it your shopping cart won't work, etc.

D.

[DavidR]

I don't have Vista, but XP Pro and using DMR on all internet facing applications.

The example you give doesn't appear to be in a system folder as the author mentions.

By the way what is the deal of asking to log in to download the add-on at the addons.mozilla.org site, I refused of course. So I went to the authors site, no such limitation there

[Hard_ROCKER]

How to manage and disable Local Shared Objects

[polonus]

Hi malware fighters,

Look here: http://www.petitiononline.com/behma/petition.html
That is why we do not like the idea of PIEs, and that is why the beta add-on BetterPrivacy for Firefox 3.0 is a good idea, moreover where FF is restoring your last browser session now by default,

polonus

[Lisandro]

By the way what is the deal of asking to log in to download the add-on at the addons.mozilla.org site, I refused of course. So I went to the authors site, no such limitation there

There are extensions that only registered users can download/use.
Why did you refuse? Won't hurt

[DavidR]

Why should I register, give my email address, etc. I simply see no benefit when having to remember yet another password, etc. just to get an add-on.

Crazy when you can get this via the authors web site without having to do that. Who is insisting on registering if the author isn't applying that via his site, it must be mozilla and I would want to know why. I don't just do things slavishly.

[polonus]

Hi DavidR,

Yes there must be a reason and I can only guess why this is so, installed from the developer's site Better Privacy will give you an insight in Super Cookies that are stored to be viewed and removed, disable DOM Storage and disable Ping Tracking.
DOM Storage came in with FF 2.0 & above = userData (max 1 MB of this) in IE5 browser & above.
These forms of persistent local storage came in after users started to perform cookie management, and ways were thought to track users behind their backs. Nothing wrong if that is for personalization or efficiency, but not to be accepted as the user has no way to manage these inside his browser (and as far as I can see it it is not the ad-seller's browser, although they act as if they own you). Maybe that is why official Mozilla is qualifying this valuable add-on as beta and puts up the additional hurdle to installing from their add-on page. I for one will start to present this add-on to the general user of Firefox 3.0 in a special thread on Mozilla Zine (under another nick).
Another reason to use BetterPrivacy add-on is that I have got also through Mozilla Zine from Mr. Maone the maker of NoScript local storage goes under NoScript's radar and it does not protect against LSO, so if you value NoScript additionally install BetterPrivacy also, or you never know why this may be on your computer for instance: sharedObjects\T43XUM44\cracle.com "cracle.Settings",

polonus

[polonus]

Hi malware fighters,

Some additional information about a previous extension that cleared most Super Cookies, well
I found this following information:
There exists a Firefox extension called Objection that allows you to clear Flash cookies.
http://objection.mozdev.org/
It shouldn't be a separate step though; Firefox should clear Flash cookies when it clears your regular cookies.
I found that it cleared the Flash cookies out of my ~/.macromedia/Flash_Player/#SharedObjects/ directory (Ubuntu Gutsy),
but that when I visited Macromedia's Flash cookie manager (below),
the cookies were still detected on my computer.
The Objection extension apparently isn't clearing all of the history/cookie data,

polonus

[DavidR]

I'm not too worried about disabling the dom.storage, as having BetterPrivacy would clear them out

Also I have DOM Inspector add-on installed to check what is in the DOM for the web page if I have any suspicions on a site I also use that. I don't know if in disabling dom.storage would in some way efect that or other legit use of dom.storage (assuming there are some).

I guess the same might be true of the ping tracking
Having checked about:config, filter on ping, I don't have a ping tracking value, but I notice there is a noscript noping value set.

[polonus]

Hi malware fighters,

As a general measure one could also use this batch file to clear settings.sol from sys:

Code: [Select]

@echo OFF
%SystemDrive%
cd \
if exist “%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys” (
cd “%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys”
) else (
goto DONE
)
for /F “usebackq tokens=*” %%d IN (`dir /A:D /B`) DO @rd “%%d” /S /Q

:DONE
exit
Safe as Flash.batch and enjoy,

polonus