Re: LUDD: Neb. Pipe bomb spree the work of luddites?

From: Mike Lorrey (mlorrey@datamann.com)
Date: Thu May 09 2002 - 09:29:40 MDT


Harvey Newstrom wrote:
>
> On Thursday, May 9, 2002, at 09:48 am, Mike Lorrey wrote:
> > Of all the security issues to be worried about, cookies are a non-issue,
> > a relic of the myth, spread by computer illiterate ebay users, that
> > cookies were a form of virus.
>
> As a security professional, I must disagree with this!
>
> A cookie can be used to store any data, not just logins. Even when they
> are used for logins, they are the equivalent of a login and password.
> Storing a cookie is the equivalent of stealing your password and writing
> it down for later use. This is dangerous. The cookie system is
> extremely flawed, such that most websites can read cookies they
> shouldn't read.

While Harvey is entirely correct on this point, and his arguments are an
explanation for why those sites with interest in keeping users' info
private (like ebay has) do not use cookies, I've had it from the horse's
mouth at the fellow who originally programmed the ebay site that they
promoted the idea with users that cookies are like a virus specifically
because users wouldn't take security seriously with third party applets
that interfaced with ebay and used cookies.

Accepting cookies does not damage your computer, and storing logins to
other people's websites as cookies doesn't damage your machine if
someone hacks those websites. If you store sensitive information in
locations which are logged into by cookies, you might as well just make
it public, because such mechanisms are really only a means for keeping
honest people honest, as most consumer locks are.

On the issue in question, logging into a website that hosts an essay I
wrote, there is no sensitive data to be worried about, so the risk is
very low of anything 'bad' occurring. It's not productive to maintain top
secret level security around all information, nor is it productive to
act as if all information should be treated this way.


