
Evercookie - virtually irrevocable persistent cookies

samy kamkar

October 11, 2010: Reported on the front page of the New York Times

Find the latest details, code, and implementations on github @

Click to create an evercookie. Don't worry, the cookie is a random number between 1 and 1000, not enough for me to track you, just enough to test evercookies.

evercookie is written in JavaScript and contains portions in Java, SWF/ActionScript (Flash) and C# (Silverlight).

What is the point of evercookie?

Killing the Evercookie - Dominic White

(Hi Slashdot & The Register readers. Make sure to check the 2nd part on killing iPhone Evercookies too)

Samy Kamkar recently released his tool, evercookie. When the evercookie is created, it shows as existing in the following locations (note: just visiting the site sets up some of the evercookie containers):

userData mechanism: undefined
cookieData mechanism: 362
localData mechanism: 362
globalData mechanism: undefined
sessionData mechanism: 362
historyData mechanism: undefined
pngData mechanism: 362
etagData mechanism: 362
dbData mechanism: 362
lsoData mechanism: 362

If I reset Safari, but don't restart it, the cookie persists in these four locations.

pngData mechanism: 362
etagData mechanism:
userData mechanism: undefined
cookieData mechanism: undefined
localData mechanism: 362
globalData mechanism: undefined
sessionData mechanism: null
historyData mechanism: undefined
dbData mechanism: 362
lsoData mechanism: 362

cat #!

Running the script while Safari is running will have no effect.

Killing the Evercookie (Google Chrome w/o Restart)

This post is inspired by Dominic White's attempt at killing Samy Kamkar's evercookie demo. As described: evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Yes, plain evil.

Set-Up
Go to Samy's evercookie demo - Click "Click to create an ever cookie" * note down the number

Evercookie Removal
1) Open a new tab, then close all other windows and tabs.
2) Delete Silverlight Isolated Storage
Go to click the Silverlight application (any app will do)
Silverlight Preferences > Application Storage > Delete all...
Click "Yes"
* Optionally disable "Enable application storage"
3) Delete Flash Local Shared Objects (LSO)
4) Clear Browsing Data
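
A check for the readouts quoted in the two removal write-ups above, as an added example that is not code from evercookie or from either post: it parses the demo's run-together "mechanism:" output taken before and after a clearing step and lists the containers that still hold the id. The container names and the value 362 come from the readouts above; both sample strings are constructed in that format.

```javascript
// Added example, not evercookie's own code. Container names are the ones the
// demo readout prints; the two sample readouts below are constructed.
const NAMES = ["userData", "cookieData", "localData", "globalData", "sessionData",
               "historyData", "pngData", "etagData", "dbData", "lsoData"];
const LABEL = new RegExp(`(${NAMES.join("|")}) mechanism:`, "g");
const UNSET = new Set(["", "undefined", "null"]);

// The readout arrives with no separators ("...: undefinedcookieData mechanism: 362"),
// so split on the known labels; a value is whatever sits between two labels.
function parseReadout(text) {
  const marks = [...text.matchAll(LABEL)];
  const state = {};
  marks.forEach((m, i) => {
    const end = i + 1 < marks.length ? marks[i + 1].index : text.length;
    const raw = text.slice(m.index + m[0].length, end).trim();
    state[m[1]] = UNSET.has(raw) ? null : raw; // blank, "undefined", "null" => empty
  });
  return state;
}

// Containers that held `id` before the clearing step and still hold it after.
function survivors(before, after, id) {
  return NAMES.filter((n) => before[n] === id && after[n] === id);
}

// Containers the clearing step actually emptied.
function cleared(before, after, id) {
  return NAMES.filter((n) => before[n] === id && after[n] !== id);
}

// Constructed sample: readout taken right after the cookie is created.
const BEFORE = "userData mechanism: undefinedcookieData mechanism: 362" +
  "localData mechanism: 362globalData mechanism: undefinedsessionData mechanism: 362" +
  "historyData mechanism: undefinedpngData mechanism: 362etagData mechanism: 362" +
  "dbData mechanism: 362lsoData mechanism: 362";
// Constructed sample: readout after a clearing step (one value left blank).
const AFTER = "userData mechanism: undefinedcookieData mechanism: undefined" +
  "localData mechanism: 362globalData mechanism: undefinedsessionData mechanism: null" +
  "historyData mechanism: undefinedpngData mechanism: 362etagData mechanism: " +
  "dbData mechanism: 362lsoData mechanism: 362";

const before = parseReadout(BEFORE);
const after = parseReadout(AFTER);
console.log("still set:", survivors(before, after, "362"));
console.log("cleared:  ", cleared(before, after, "362"));
```

A clearing procedure has only worked when the "still set" list is empty; every name left in it is a container that the procedure has to cover.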

A Primer on Information Theory and Privacy

If we ask whether a fact about a person identifies that person, it turns out that the answer isn't simply yes or no. If all I know about a person is their ZIP code, I don't know who they are. If all I know is their date of birth, I don't know who they are. If all I know is their gender, I don't know who they are.

There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody's identity uniquely. Because there are around 7 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is 8 billion).

ΔS = - log2 Pr(X=x)

Where ΔS is the reduction in entropy, measured in bits, and Pr(X=x) is simply the probability that the fact would be true of a random person.

Starsign: ΔS = - log2 Pr(STARSIGN=capricorn) = - log2 (1/12) = 3.58 bits of information
Birthday: ΔS = - log2 Pr(DOB=2nd of January) = - log2 (1/365) = 8.51 bits of information

How much entropy is needed to identify someone?

Killing the Evercookie - Part2 MobileSafari - Dominic White

UPDATE: An iPhone developer has turned this into an awesome little SBSetting addon. You'll still need a jailbroken phone but can install it via Cydia.

My previous experiments in killing the Evercookie in Safari sparked similar posts describing how to do the same for Chrome and Firefox. However, my second most frequent browsing platform is my iPhone, and I thought I would investigate how Apple iOS, MobileSafari & embedded WebKit fare.

To hard clear all the WebKit datastores, including normal cookies, I put the following quick script together (you'll need a JailBroken iPhone).

#!

I know this and my previous entry are scorched earth tactics.

In short, what does Apple need to do to fix this?

Update: Clarified what the two separate problems are, and added a section on what Apple should do to fix.

visitor statistic - Detecting a "unique" anonymous user