What was Really in that Cookie Jar?

Note: the "cookie jar" referred to was a cgi script that fed your computer a nasty 4 kilobyte cookie over and over again. It's been disabled ever since these pages moved from cml138 (running OS/2) to tempest (running linux) because it was a rexx script, and those don't run on linux. One day when I have the time I'll recreate it in pearl. For now I've crossed out text that applied to that cgi script.


Unhappy with your snack? Not what you expected? Well, use your noggin: you wouldn't accept cookies from a stranger in real life. Don't do it on the WWW either.

Did your access to this page take a longer than normal time? If the cookiejar page was being automatically reloaded, did each access take a little longer than the preceding? Then your machine has got cookies on it now.


What are Cookies?

Cookies are one of those little things on the WWW that aren't a very good idea. They are little files that WWW sites place on your machine, and that your browser automatically sends back to those same sites the next time(s) you visit them. Many sites use these to keep track of who you are, what you have searched for in the past, what you looked at in their site, etc..., and sell that information to marketers who then use it to place an advertisement that they think is tailored to you on the page you are viewing, or worse yet, in your mailbox (electronic or otherwise).

What's even better is that unless you are savvy to them, you never know cookies are there. It's another win-win situation for The Man®: the more you browse and search the net, the more he learns about you. Can we say "I'm a rat in a maze"? I knew that you could.

Two Kinds of Cookies

Cookies come in two varieties. One type is known as "temporary"; it exists only until you close down your browser. The other is known as "permanent", and exists, stored on your harddrive, until it expires (at a time set by the site that served you the cookie). It is the latter that allows sites to track you day after day, year after year. The former is less of a problem, and I'll concede that it might even be beneficial to a few sites. However all the unscrupulous uses of cookies that I list below would still be possible if they used temporary cookies, so I do not see much distinction between the two types on the basis of evilness. (And the evilness of cookies is what this page is all about.)

Uses that go too far

Some uses of cookies that I've seen on the WWW are so evil that I feel the need to vent publicly about them here on this page.

  1. Ad Banners and ad.doubleclick.net

    Do you use the alta vista search engine? (one of the best on the net, as far as I'm concerned) Do you read Dilbert every day? These are two of the many high traffic sites that contain advertisement banners served from the doubleclick.net domain.

    The banners are served from the ad.doubleclick.net site with an insidious twist: the URL of the image source contains, embedded in it, include information about the source site. For Dilbert this is just the fact that the ad is to appear on the Dilbert page; the html source looks like

       IMG SRC="http://ad.doubleclick.net/ad/www.dilbert.com/"...
      
    However for Alta Vista the URL contains your search! For example, if I search for "car" the html source looks like
       IMG SRC="http://ad.doubleclick.net/ad/altavista.digital.com/result_front;kw=car;ord=-294008994"
      
    So ad.doubleclick.net knows what you are searching for, and uses it to tailor the ad banner you see. When I search for "car" I always get an ad having something to do with cars.

    OK, so what? They show you ads tailored to what you are doing. That's ok. The bad news is that the banner ads are accompanied by a permanent cookie. So somewhere in ad.doubleclick.net's database is a record that you visit Dilbert every day, and that you search for cars on Alta Vista. That, and any other pages you visit that contain an ad.doubleclick.net banner, like

    1. Home Central, a site about home repairs and improvements.
    2. Stock Master, a site with stock quotes (*)
    3. JobTrak, a job search site (*)
    4. The Web Developer's Virtual Library, a site for web monkeys.
    5. Gamelan Developer Direct, a site for java and internet developers.
    6. Salon Magazine, a magazine of supermarket fluff (as far as I could tell). (*)
    7. Windows Magazine, a magazine about MickeySoft Windows 95 and NT (*)
    8. U.S. News Online, a news site (*)
    and another 1000 popular sites that contain ad.doubleclick.com banners.

    (*) means that the html source informs ad.doubleclick.com of the page you are viewing, allowing statistics to be kept about what interests you).



    UNDER CONSTRUCTION
    This is where I stopped when last editing this page. Below are pieces of material for the rest of the page.
  2. Web-Rings and linkexchange.com

  3. Search Engines that Tag You

  4. The Dole-96 Site (www.dole96.com)

    Unfortunately this site is now defunct, the candidate in question having lost the election. This site featured a questionnaire form that visitors could fill out to help the candidate understand who his supporters where and what where their concerns. It contained questions on the visitor's geographic location like "What state and town/area code are you from?", on their concerns, like "Rank these four items from most important to least important: crime, economy, foreign policy, taxes". So far everything is fine: it's a corporate site, and it's totally ok for them to ask people to volunteer to answer these questions. However when someone fills out a survey like this they (in the western world) have the belief that the answers will be recorded anonymously.

    Instead the answers to the survey were saved in a cookie on the visitor's machine! Every time that visitor returned to the site, their answers to the survey were sent with each www request. Could the dole96 site have tailored the returned pages so that they appealed a little more to that particular visitor's locale and concerns? Say, insert a paragraph about how Dole had visited their state the week before, or a quote from the candidate addressing the visitor's biggest concern? Who knows; The Shadow Knows.

How can I get rid of Cookies?

There are two steps to getting and keeping cookies off of your machine:

1. Deleting the existing cookies

Cookies are normally stored /System Folder/Preferences/Netscape/MagicCookie (open it in simpletext) or use this handy AppleScript. Delete (or at least edit) the file in which the cookies are stored. With netscape this is a text file called "cookies.txt" or "MagicCookie" depending on which operating system you are using. You can open the file in any text editor and delete the lines that pertain to sites that you don't want tracking you, or you can flat out delete the file (it will come back if you accept a cookie in the future).
  • Configure your browser so that no new cookies are accepted.
  • In some browsers you can't do this (ie netscape 2.x); the browser programmers and the site owners were so keen on cookies that you weren't even given an option.

    The cookie blocking built into netscape 3.x is a non-solution. It requires you to click Cancel on a requester every time a site tries to serve you a cookie. Surfing a site that uses cookies becomes a requester clicking hell. The Man® wants you to give up that silly privacy business and go back to accepting cookies like the good rat he knows you want to be. But...

    There is a very simple solution to permanently block cookies silently on nearly any browser. You'll need a program called a hex-editor (many good editors (ie TextPad) have a hex-editor mode built in). You load the browser's executable into the editor, and search for the string "set-cookie" (it might be in uppercase). Once you've found it, alter it by changing some characters. For example, you could change it to "no-cookies". Lastly you save the altered file.

    Now instead of looking for "set-cookie" in the http headers your browser will be looking for "no-cookies". When a site sends a cookie it will send "set-cookie" in the httpd headers, but your browsers will no longer recognize that as the code for a cookie. Instead the cookie header will ignored. No requester, no cookie. :-)

    Notes on the above technique:

    I've read that setting the ACCEPT_COOKIE option in Netscape's preferences file (NETSCAPE.INI under Win3.1, the registry under Win95/NT) to "2" disables cookies. ("0" means always accept, and "1" means "prompt the user, the two options officially available). This is a less drastic alternative to editing the executable, but I don't know if it really works.

    Another trick I haven't tested is to edit Netscape's preferences file (or the registry under Win95/NT) so that the cookie file is /dev/null (for real OSes) or c:\nul (for MS-DOS derivative OSes).

    A good trick that works with some places is to alter your /etc/host file so that your computer can't reach those who have served you cookies. This works particularly well with ad.doubleclick.net since they like to have other pages link to them. Just add or modify the line beginning with 127.0.0.1 so it looks like

    127.0.0.1       localhost           ad.doubleclick.net
    
    to your /etc/host file, and you'll never get that cookie again when you visit AltaVista (it also gets rid of the ad, an added benefit) or read Dilbert. I especially like this because in AltaVista the search string you enter is passed on to ad.doubleclick.net, so they potentially have in their database everything you (identified by your cookie) have ever searched for on AltaVista. That's worth $money$!

    Fun with Cookies

    While stepping on roaches is a chore, pinning them down, putting a drop of rubbing alcohol on their back and lighting it is all american fun. The same goes for cookies. Deleting them is ok, but what if you could do more? Well you can: many sites store only an ID code in the cookie, and keep the rest of their information on you on their machine. This keeps the cookie small and hard to notice. Edit your cookie file and change the ID code. For example
     .site.name FALSE / FALSE id=XY56693
    
    can be changed to
     .site.name FALSE / FALSE id=XY56639
    
    and voilà, you are someone else!

    Furthermore some sites don't check the contents of cookies very carefully for validity (after all why should they: they placed it on your machine without your knowledge---who would have altered it?) You can freak out or even crash their cgi scripts by scrambling their cookies in between visits to their site. One thing that commonly screws up cookie handling programs is feeding them a monster cookie in place of the normal 10 or 20 character string they expect (you can thank C's historically poor handling of overflow in strings for this). The cookie(s) that the cookiejar served you are very useful for this purpose since they are nearly 4Kbytes in size. To use them cut the long gibberish text after the COOKIE666666 (your exact cookie number will vary) and paste it in place of the id number in another site's cookie.

    Knowledge is power; information must be free.




    Back Home