[article] 'Who Left Open the Cookie Jar?'

[atomGit]

interesting reading, fairly recent paper

Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies

In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that au- tomatically evaluates the enforcement of the policies im- posed to third-party requests. By applying our frame- work, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circum- vented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solu- tions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.

[Thorin-Oakenpants]

yup,,, you might want to check out #489

[atomGit]

long as i'm nagging ya....

i'd like to interview the core delinquents of this project and post it on my site - other than you and @earthlng i don't even know who the core members even are

just a few questions via email if you guys are open to it???

didn't want to create a new issue for this

[Thorin-Oakenpants]

Sounds exciting: Under you own repo you could provide details and invite them to partake. Here's a bit of a list

Owners

• Thorin-Oakenpants
• earthlng
• claustromaniac

Frequent commentators

• overdodactyl
• crssi
• Atavic

Dedicated watchers/occasional chatter etc

• Gitoffthelawn
• Just-me-ghacks
• grauenwolfe
• KOLANICH
• Forsaked
• ArchangeGabriel
• 2glops
• Theemim
• publicarray
• v1adimir

No typos in that lot, I previewed em with an @ symbol. There are no doubt others. I just compiled it from the watchers list

[atomGit]

thanks much pants!

my GitHub repo has been archived - i moved to GitLab - what's the easiest way for you guys to do this?

i can create a private issue on my GL repo, but then you'd have to join and i'd have to add you guys as reporters and you'd have to accept..... yada yada - or i can create a password protected page on my site and you all can post your answers as comments

i like the latter option - i would just need a way to distribute the password to you guys and it doesn't need to be anything super secure - if you have private contact with the others, i can grab your email from a previous comment you left on my site (if you left a genuine email addy) and you can send the pwd to the others - if not, then they can all contact me and i'll return an email with the pwd

i would want to interview....

Owners

Thorin-Oakenpants
earthlng
claustromaniac

Frequent commentators

overdodactyl
crssi
Atavi

[Thorin-Oakenpants]

Well, all six of us are here and respond and chatty. I only have one person's email, so I cannot help there. And I have no idea if anyone wants to divulge that. Rather than fiddle around with your github stuff, do the following

Just create a (password protected) page on your site and then invite us (just use this issue) to post answers. At the start of the page, let us add a unique code, so you can confirm its us. i.e, I go there, I type in 213bvhdbjkdw and then do my answers Pants here .. blah blah .. then I pop back here and tell you my code so you know it wasn't CHEF-KOCH or some other :hankey:

Does that sound like a plan?

Edit: If someone tries to reuse my one-time pad code, then you know the real one was the first one received. This is about the only way I can think of that's super easy to setup, allow anonymity, but confirm credentials

[atomGit]

@earthlng @claustromaniac @overdodactyl @crssi -- read this

[Thorin-Oakenpants]

its Atavic .. and I spelt it correctly the first time

[Thorin-Oakenpants]

the reason for us the interviewees to type in our own one time made up code, and AFTER posting to your form, to tell you here .. is simply so no trolling mad nutter will answer it and claim to be someone he/she isn't - its a means to verify that we are who we say we are

e.g Gerald Broflovski (SkankHunt42) reads this thread, sees your password pantsromance .. logs in, claims to be me, "Hi Pants here... " and spreads BS

Capisce?

[Thorin-Oakenpants]

OK, I had a quick look at the q's - I'll answer it soon .. not today .. today is pants off beer day/night with loud music (hope the meds mix well). Tomorrow is probably beer recovery day. But soon

@Atavic .. you were invited as well . but atomGIT did a typo

[Thorin-Oakenpants]

Is there a word limit?

[atomGit]

65k chars - i'll bump that up - why? did you hit it?

oops - i cant bump it up - must be a WordPress max - 65525 chars

submit multiple comments if need be

[claustromaniac]

If you don't mind, I will patiently wait for others to reply first, so I can save myself some time saying stuff like "I agree with X" :cat:

[Atavic]

I answered in a gist and hope @atomGit got the supersekrit link.

[Thorin-Oakenpants]

65k chars - i'll bump that up - why? did you hit it?

No. But I tend to get wordy. But now I see I'm being taken advantage of ... that sneaky :cat2: ,, I might play a game of cat and mouse .. see who blinks last .. wait .. does that mean I'm the :mouse2: fuuuuuuk

[atomGit]

this started here

i could've made this a lot easier ... if anyone wants, just send me your answers from [removed] - you need not be logged in nor provide a real email - just make sure to include your github alias so i know who to attribute your answers to - or post them to here or in your repo or wherever

[removed]

here's the questions - just reference them by number followed by your answers - don't copy them to my contact form else you might hit the max char limit (65k)...

---

1. What color tape do you tinfoilers use to cover your web cams?

2. What do you think or say when someone says they don't care about privacy because they have nothing to hide?

3. I recall learning of your project when Martin Brinkmann published 'A comprehensive list of Firefox privacy and security settings' on ghacks.net in 2015. Is that were it all started? Did you envision this project expanding to the degree it has?

4. What do you think about the direction Mozilla is taking with Firefox? I started using their browser some time prior to the 1.0 release (i even had a 1.0 t-shirt) and have watched its development over the course. Frankly, i'm not pleased with the direction the company is pursuing regarding many of their decisions and projects. I'm thinking about things like some of the controversial system add-ons and telemetry, their partnerships with ethically retarded corporations and their apparent race to dumb-down the browser on their way to becoming the new Google Chrome. What are your thoughts? Has Mozilla lost its way?

5. Are there any significant changes in the pipeline for this project? Are you considering any ideas which could make it easier for newbies to leverage your user.js?

6. Are there any Mozilla insiders who contribute to this project (obviously you need not identify them)?

7. 'Pants', 'earthing', 'claustromaniac': This seems like quite a time consuming and complex project given the several different skills it requires. I suspect there's a lot more going on behind the scenes which most of us fans (myself included) fail to fully appreciate. Please elaborate on who possesses what skills and how those skills are put to use.

8. 'Pants': In a timeline fashion, could you describe what happens between the time you become aware of a new version of Firefox and the corresponding update to the user.js? There's obviously new and depreciated preferences and features to deal with, merges, important discussions, etc.. What does this process look like?

9. There is an ever-growing number of ways that users and browsers can be profiled and tracked. What is your opinion regarding the various technologies that are available to web developers these days? Do you think these technologies and APIs provide more value than harm?

10. Which one of you is the Russian hacker that did this?

---

@Atavic - can i get clarification on this: for Q 9 regarding whether new web tech: 'Do you think these technologies and APIs provide more value than harm?' you wrote:

More harm, definitely. 's browsers are technically

what's the 's ? is there a word missing?

[Thorin-Oakenpants]

Sorry for the delay @atomGit .. I typed up a local copy of my answers over 3 hrs (a little web browsing in there as well) and did about 20 revisions, and a gazillion edits .. and it's rather long. And then I drank beers and slept for ages. I should get it done and sent to you tomorrow.

If you're just going to cherry pick from what I send you, then I won't bother to clean it up - I probably went off course a bit, as well as giving away too much info - but nothing that can ID me.

[atomGit]

send the whole thing (or post it here) - i'm anxious to read it

just be sure to fully charge your battery before uploading your novel :P

[atomGit]

thanks claustromaniac! ... now waiting on pants, which is coming (i think he went to the store for more string to bind his novel), and also @earthlng @overdodactyl and @crssi

also need clarification from @Atavic regarding:

More harm, definitely. 's browsers are technically

's ?

if you're lost, please look here

i published the thing publicly so you guys can see the other answers given

thanks guys!!!

[Thorin-Oakenpants]

i published the thing publicly so you guys can see the other answers given

aww shit .. definitely posting mine last then, and cleaning it up. Can you not do that, please? I haven't looked at the link, but you said we would be able to preview the article before publishing (I assume to ask for any changes we were uncomfortable with re our own bits), and here you are giving away the raw material for all to see.

edit: nvm .. it's now on 4chan and archived ... and meme'd .. too late

[Thorin-Oakenpants]

fuck .. I peeked .. it's not that bad, but jesus, you'll need to clean mine up and not post it ad verbatim (in places) .. maybe :lulz:

[Thorin-Oakenpants]

I also see one of my answers is shorter than :cat2: 's, so I will fix that

PS: I must have slightly changed my desk vs monitors vs keyboard positions, and I keep typing :cat.. :cat2: as :vat... :vatican_city: (vatican city) . I think that must be a sign about this

[atomGit]

don;t feel bad <-- you SEE THAT? been fighting with this stoopid keyboard since i got it - that's how the NSA tracks me! i know it!

[earthlng]

7. ... Please elaborate on who possesses what skills and how those skills are put to use.

One of my skills is to evade interviews. 1st lesson in the Kremlin's hacker academy

[Thorin-Oakenpants]

So it was you in Q10?

PS: I added an extra interview question to mine. At the start

• 0. If you could have one superpower, what would it be, and why?

[earthlng]

No that wasn't us. We're too busy posting memes on facebook and always making sure we pay for our ads in rubles

10. Which one of you is the Russian hacker that did this?

his name was Seth Rich (?) ;)

[Atavic]

There are two words missing.

It was <current year>'s (a Pun, just ignore it) or simply: current year's

[claustromaniac]

Atavic is missing the c here

... and frequent contributors include ‘overdodactyl‘, ‘crssi‘ and ‘Atavi‘.

[claustromaniac]

:jeans:, was your original draft shorter than what I wrote? I'm now thinking my replies are too wordy...

[Thorin-Oakenpants]

:cat2: no, my original draft is voluminous to say the least .. I'm on revision 22 and trying to trim it down. But one of my answers was shorter than your one, so to be consistent, I'll been adding a bunch of BS to pad it out

[atomGit]

fixed - tanks

On 12/17/18 9:26 PM, claustromaniac wrote:

Atavic is missing the c here

... and frequent contributors include ‘overdodactyl‘, ‘crssi‘ and ‘Atavi‘.

[atomGit]

hey @Thorin-Oakenpants - any word on when you're going to press with this?

@earthlng - you don't wish to comment? i'd like if you did, but of course you don't have to

[atomGit]

seen that - i'd like to talk to you about the issue you mentioned - can you send me an email addy through my contact page? no one but me has access to anything on my site

[atomGit]

health

On 12/21/18 2:07 AM, Thorin-Oakenpants wrote:

I can't remember what I typed. What issue? Can you give me a cryptic hint?

[atomGit]

mr. PANTS, if you please........

you're the one that said, and i quote, "doing an interview is the mega-best idea i ever heard of in my entire life and i promise to be the very first to submit my answers so help me dear lord", unquote

i don't like things hanging out there and that interview page is not linked to from my site, so could you?

[claustromaniac]

now I know this was all just a trap to get atavic, crssi and I to reveal our super secret ideologies...