Subject: Re: Locking Windows
From: John Tserkezis
Reply-To: Fidonet AVtech Echo
Bob Lawrence wrote:
> JT> You can't. It contains several parameters:
> JT> Cookie name: (mandatory) the name of the cookie. Content:
> JT> (mandatory) usually a unique identifier, serial number of
> JT> sorts. Expires: time/date when the cookie is no longer valid
> JT> Path: the network path the cookie is valid for. Domain: the
> JT> domain the cookie originated from.
> JT> None of which are code, or executable, in any way.
> Good Lord! Are you saying that hackers don't lie and cheat? Thank
> goodness for that. And here was I, thinking that all I had to do was
> call and EXE a cookie, and wait for the first person to open it by
> clicking on Explorer...
You've just gone off on an unrelated tangent.
> You've just finished explaining that "text" can be anything in the
> Windows environment. So all I have to do is put a ZIP EXE header on my
> cookie, and WinZip will try to run it for me...
It doesn't work like that. It's just stored data. All that happens is that
data is returned to the original sender, if the original sender asks for it.
All it does is prove that you've been there before. This is where the ethics
can get a little into the grey area.
You have a record of what serial number (that you've invented) has visited
you, what they've done, how long they've done it, and what you haven't done.
Alone, this information does nothing more than paint a marketing picture for
John Doe (because they don't actually know who you are). That is, until they get
your name, address and other details (say, if you have to register to do
anything on that site). They cross-reference that marketing data with your
name, and bingo: They have a whole stack of marketing data attached to a
particular person.
People pay handsomely for that, because they can custom sell products that you
are most likely to be interested in. And that's what advertising is about,
knowing _where_ your market is.
Virii and trojans don't come into the picture at all. (with cookies)
> JT> A search for "cookies" via google will return many sites that
> JT> explain cookies, their structure, and use.
> Assuming that the world is a lovely place where no one cheats.
> JT> No, that was Bob's paranoia telling him that cookies are some
> JT> evil thing that can hack into your computer. When the fact
> JT> remains, that the host could _create_ and _request_ an existing
> JT> cookie to see if you've been there before. And then, they can
> JT> only be created (or returned) if the *browser* allows it.
> A cookie is one way a remote computer can insert data into *your*
> computer.
Yes. One remote site can create a cookie with its site name in it. One site
cannot create a cookie on 'behalf' of another site though.
> You have no idea what's in the cookie...
Nor do you really need to know or care.
> *they* own it.
Effectively, yes. A site created it, and only that site can call it up again.
> If you visit them again, they access your cookie,
Yes, that's the idea. That's how they know where you've been.
> and if they've cheated and made it an EXE (with a new header)
> then hello... the trojan rides again.
Can't do that. It's just a storage system for data that is effectively a
randomly generated serial number. It can't just be magically changed into an
executable. Even if the _data_ were a string of assembly code, it would do
nothing except be sent back to the site that created it, if they requested it
back. It never gets run.
> JT> Note however, that many sites *need* cookies to keep track of
> JT> where you are, and where you've been, otherwise they won't
> JT> work. Those who do, check to see if you have cookies enabled
> JT> first, and warn you if you don't.
> So, you enable cookies and hello... things start to happen as soon
> as you do something else.
Stuff me. That's a little vague Bob. How about you elaborate on that and
tell us _exactly_ what starts to happen when you "do something else", what's
that "something else"?
> Rod is right. *You* have to run something,
> but not necessarily what you think you are running...
Cookies are not executed. It's just a string of data that is sent back and
forth. The most you could take offense to is that they use YOUR hard drive to
store this data before asking for it back again.
And even then, you can turn it off, so who cares?
> JT> I've got one better. Remember the "Good times" virus? The virus
> JT> where its sole mechanism for duplication was the end user
> JT> themselves? (I'm calling it a virus because it did indeed
> JT> propagate and duplicate).
> My definition of a virus is something that harms *my* data. By your
> definition, Windows itself is a virus.
No, my definition of a "computer" virus is a piece of code that is
self-replicating. The method of self-replication is beside the point. As is
the (likely) malicious intent.
>>>Whoops, that's it, I've just made Bob even more paranoid.
>>Is that possible? ;-)
> JT> It is now that he knows about the Good times virus. :-)
> I've only ever had one virus. It came with a computer I bought, and
> all it did was infect itself onto every media, over and over
> (including the floppies I used to load Windows).
You mean you didn't write-protect them?
> It is amazing how many floppies you can infect (not to mention the hard
> drive), when you load a new system.
Yes, that's why I write protected everything. On software that wrote back to
the disk (say for copy protection purposes), I made a duplicate disk *first*,
then used the copy to install.
If this were not possible (advanced copy protection), I never bothered with
it, there were other alternatives.
> By the time I realised what was happening, I'd
> infected all my backups (I never use the original discs to load
> anything)
And apparently you never write protect ANY of your disks.
> and I was within an ace of infecting the other computer as well.
The write protect tab was like a condom. It's only your fault if you were a
computer slut.
> I created a fresh system disc, booted, and wiped the whole fucking
> thing, partitions and all. Then I did it again.
Yeah right. If you used your non write protected disks to make copies, you
would have infected them too.
> BTW, McAfee virus scan was useless (and then *it* got infected!).
Duh, that's why gynaecologists don't stick their dicks into their patients.
When you're trying to _cure_ an infection, it helps if you don't get infected
_yourself_...
> That was one of your *genuine* viruses where you never know where it
> came from only what it does.
You know where it came from, you can backtrack to the last known outside
source of data/disks. Then you point the finger. Worked every time.
A guy from work once loaned me a hard drive full of software. I went back to
him and told him it was infected with two virii, one was boot sector (stoned
virus) and another in one of the executables.
He squinted at the ceiling for a while and said, "shit, you're right, I've
forgotten all about that".
If you had so many outside sources that you couldn't tell, you were labeled a
computer slut.
> I think it was a boot sector virus, but I never found it.
The stoned virus was a classic. Taking into consideration the limited data
spread of the day, it spread far and wide anyway.
What it did demonstrate is the far-reaching implications of swapping disks,
how often people did it, and the lengths they went to even on normally isolated
machines.
--
-o)
/\\ Message void if penguin violated
_\_V Don't mess with the penguin
Linux Registered User # 302622 http://counter.li.org
Fido: 3:712/610 BBS/FAX: +61-2-9716-8310 Internet: jt{at}techniciansyndrome.org
--- ifmail v.2.15
 * Origin: Technician Syndrome (3:800/221{at}fidonet)
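
The cookie behaviour argued over in the message above, as an added example that is not part of the original post: a simplified browser-side cookie jar (loosely following RFC 6265) that stores the value as an opaque string, refuses a cookie set on behalf of another site, and returns it only to the matching host and path. The host names, the cookie value and the `CookieJar` class are constructed for illustration, and public-suffix checks are omitted.

```javascript
// Added example: simplified cookie jar. Names and sample data are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/' };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : a.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
    if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie from a response; returns false if the browser refuses it.
  store(responseUrl, header) {
    const host = new URL(responseUrl).hostname;
    const c = parseSetCookie(header);
    if (c.domain && !domainMatches(host, c.domain)) return false; // another site
    if (!c.domain) { c.domain = host; c.hostOnly = true; }
    this.cookies = this.cookies.filter(
      o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }
  // Build the Cookie request header for a URL. The value is only ever copied
  // into a text header; nothing in this path interprets or executes it.
  headerFor(requestUrl, now = new Date()) {
    const u = new URL(requestUrl);
    return this.cookies
      .filter(c => !(c.expires && c.expires <= now))
      .filter(c => c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain))
      .filter(c => pathMatches(u.pathname, c.path))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}
```

A value that begins with the letters of an executable header, such as the constructed `MZ-4d5a9000` used in testing, comes back byte for byte in the `Cookie` header and nowhere else.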
| SOURCE: echomail via fidonet.ozzmosis.com | |