Individual Risk Management (Personal IT Security) and Browser Cache Management
Post 303033320 by bakunin on Wednesday 3rd of April 2019 07:36:37 AM
Wow - I didn't expect such an answer to a casual remark I threw in somewhere between two meetings.

Quote:
Originally Posted by Neo
I am very interested in this topic, so please and kindly be factual in this, as you are in describing your great unix and linux solutions here at unix.com, so I can know your ideas about risk, threat, vulnerability and severity. I am truly curious what you are "worried about" which makes you "advise everyone on the net" to always clear their cache and delete all cookies in their web browsers!
First off, thank you for taking the time to start this discussion. It is a worthwhile one and it should be held - not only by you and me but by everyone in our line of business. You are also right in this regard: I threw the term "security" into the discussion without defining what I meant by it. So let me first make up for this before we delve into the main part again.

"Security" is a term that is used - and misused - in many ways and I have to blame myself for not saying more clearly what I mean when I use the term. There are a lot of different - more or less legitimate - meanings and I will not enter the discussion about how legitimate these meanings are. For you (or so I suppose) security means most prominently:

- make sure anybody without a certain authorisation cannot do something the intended authorisation is required for
(e.g. make sure stopping and starting the application can only be done by a certain user)

- make sure anybody without a certain authorisation cannot do something the intended authorisation is required for
(e.g. make sure nobody can become that user without the necessary password)

- make sure nobody can get the authorisation by means outside of the supposed procedures
(e.g. make sure nobody gets that user's password by, e.g., phishing methods)

and, I might add, this is a very important aspect of security. Most of what I read from you about security plays more or less up that alley and most of the time, when I talk about security, I mean the same. Still, there is another aspect and that is - privacy. Privacy is also an aspect of security because we are, at the core, territorial beings. I may have nothing to hide but I still wouldn't feel comfortable letting strangers search my bedroom or look at my bank account - and I'd feel even less comfortable if they did it while I am not there. (To be honest, if they looked at my bank account I'd primarily feel not so much uncomfortable as embarrassed. ;-))

Cookies are little files a web server places at the client side which can be queried by the server later. In most cases these are used for harmless functions - after all, HTTP does not create a "session" but works rather like a mail exchange. HTTP consists of independent messages going back and forth between sender and receiver and if one wants to provide lasting context (this is what sets "sessions" apart from "messages") either the web server has to remember it - which would lead to exhaustion of resources on the server side in a very short time - or the server has to have a way to offload that to the client. This was the original rationale for creating cookies and, in general, for storing web content on the client side.

Alas, this concept can be misused (like most things can be) and in fact in modern web development it regularly is. Modern web development and web server operation is a costly undertaking and things/services on the web are - mostly - supposed to be free. It follows that the money to do it has to be raised somehow. Many web services do that by advertising, and the revenue from advertisements is the better, the more you know about the targets of these advertisements - the users. This is why many developments in modern web development revolve around getting more information about the user, and one of the means of knowing the user better is to put context to his sessions - by cookies (I am aware these are not the only means - but a prominent part of them). Cookies (among other things) are used to connect data from single accesses to a web server into a picture of your habits.

This may sound pretty benign: the bookstore where you always buy the crime stories you like to read will provide only crime stories (and not the history documentaries you detest) in its suggestions. On the other hand, whenever I go into a real bookstore I may be searching for a crime story but at that time I will see 5 other books - completely different in topic - which also interest me. This widens my horizon, whereas I would start to "boil in my own bubble" otherwise. A similar notion goes for YouTube, as you noticed yourself, for Amazon, for Google, ....

I don't want to be in a bubble and this is why I completely delete all web data between browser sessions. It is probably not enough but at least it is a part of what I consider necessary to get a "clean slate" every time I contact one of these services. I don't want to get only hits in French (which I don't understand) just because I contact Google in France, etc., etc. And, btw., if I am not forced by the policy of a company I work for, I do not use Google at all but a mix of search engines all vowing to retain no data about me: Ixquick/StartPage, DuckDuckGo, and so on. I do not use Google's DNS server (or - heaven forbid - the hacked/crippled DNS server of my German ISP) but UncensoredDNS, and Cloudflare (1.1.1.1) as backup. The only difference between my ISP's DNS and UncensoredDNS may be some porn site I don't care for anyway - but I would like to keep the decision whether it is relevant for me or not as mine. I will not give that away to some nondescript committee which decides behind closed doors what is best for me.

You asked for a scenario where this might pose a risk to the user: let us say I search Google for ways to overcome personal debt repeatedly. If one of the "advertisement partners" of Google is the bank next door and if Google is able to identify me across sessions, I may well have lowered my credit rating effectively by doing that research - even if it might not even be for me. Granted, that is a constructed example and includes a lot of conjecture - but the girl getting advertisements for baby food before even her parents were aware of her pregnancy was real. It is not a lot different (not in scope and definitely not in technical background) from what I presented here.

Professionally I support a lot of "big data" installations and - believe me - you'd be amazed at what is possible with a P9 LPAR, some TB of memory and many TB of fast disk space from a SAN like EMC's XtremIO.

I will stop here and leave something to discuss further on. At any rate, this is a great topic to discuss and I am looking forward to seeing your (and others') POV described in more detail. I am happy to be part of a community where we convene to learn and refine our ways through the exposure to each other's perspectives.

Wolf

Last edited by bakunin; 04-03-2019 at 08:55 AM..