- don't put me in your cookie jar
- it's too late
don't put me in your cookie jar
Hey site designing people! No matter how many times you tell people that cookies are harmless and that everyone should set their browser to accept them all, we know better. SOME cookies are harmless, but plenty are intrusive, violate our privacy, and subject us to more advertising crap. If I don't understand and trust what your cookie is doing, I won't accept it, and I will go elsewhere if you pester me too much with dialog boxes. So please consider the following.
One of the things I like about the Mozilla browsers (I am a recent Firefox convert) is that when a site is trying to set a cookie, the expiration date is prominently displayed. This is now one of the main factors in my cookie decision process. It's a decision you need to think about -- "as long as possible" is not an acceptable or appropriate answer in most cases.
Cookie expires with session
I'm likely to accept it unless it's blatantly ad-related or has unencrypted information I consider sensitive.
Cookie expires in a week or less
Cookie expires in a year (I see this one a lot.)
Cookie persists for multiple years
If I have an extant real world relationship with you -- if you're my bank, for example, you can get away with this. If you're a vendor with whom I have a multi-year relationship, or so much trust that I allow you to set any cookie, OK. Otherwise, dream on. Why do you think you get to occupy space on one of my hard drives for so long, anyway?
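A site can audit its own Set-Cookie headers against the expiration categories listed above. The following is an added example, not part of the original post; the function names, the sample headers and the 7-day and 366-day boundaries are assumptions chosen to match those categories.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

WEEK = timedelta(days=7)
YEAR = timedelta(days=366)      # assumed cut-off for "a year"
MAX_SECONDS = 10**10            # clamp absurd Max-Age values (about 317 years)

def cookie_lifetime(set_cookie, now):
    """Return the cookie's lifetime as a timedelta, or None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    # Max-Age takes precedence over Expires; a non-numeric Max-Age is ignored.
    if "max-age" in attrs:
        try:
            return timedelta(seconds=min(int(attrs["max-age"]), MAX_SECONDS))
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                              # unparseable date: session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None

def classify(set_cookie, now):
    """Map one Set-Cookie header value to an expiration category."""
    life = cookie_lifetime(set_cookie, now)
    if life is None:
        return "session"
    if life <= timedelta(0):
        return "already expired"
    if life <= WEEK:
        return "week or less"
    if life <= YEAR:
        return "up to a year"
    return "multiple years"

# Constructed sample headers and a fixed "now" so the result is reproducible.
NOW = datetime(2004, 9, 2, tzinfo=timezone.utc)
SAMPLES = [
    "sid=abc123; Path=/",
    "cart=42; Max-Age=259200; Path=/",
    "prefs=dark; Expires=Fri, 02 Sep 2005 00:00:00 GMT",
    "track=xyz; Expires=Sun, 17 Jan 2038 19:14:07 GMT; Max-Age=bogus",
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header, NOW):15}  {header}")
```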
2 sep 2004
it's too late
Since April or so, I've been working on a piece for this column (and possibly publication elsewhere) about Trusted Computing in general, and about Microsoft's separate-but-related Next Generation Security Computing Base initiative.
It's very difficult to write, because I need to strike a balance between being accurate and being shrill, and because virtually everyone who really knows what's going on is gagged by Nondisclosure Agreements. My article is still unfinished.
But MS has shipped Service Pack 2 for XP, which I am told incorporates NGSCB features (so does Office 2003, which I also recommend boycotting).
(I suppose I should say something to the effect that SP2 is nominally supposed to address serious security issues in XP. I won't connect a computer running any version of XP to the Internet. Period. I would never recommend that anyone else do so, either. But if you already have a computer running XP that is connected to the Internet, you might want to upgrade. Maybe. But I'd still advise research first.)
I don't often publish long lists of external links. However, Trusted Computing is an extremely complex issue, and I think understanding it from many sides is important to achieve a clear perspective. I think exposure to widely divergent opinions is a useful means to that end.
- NGSCB (Microsoft)
- Microsoft's Palladium FAQ (cached legacy copy)
- Trusted Computing Platform Alliance
- Trusted Computing Group
- American Megatrends AMIBIOS8 TCPA white paper (PDF)
- Email exchange between Stephen Hinkle and NGSCB Product Team (Reprinted by permission)
- Electronic Frontier Foundation (Seth Schoen)
- Electronic Frontier Foundation (Fred von Lohmann)
- New York Times (John Markoff, reprinted at On Lisa Rein's Radar)
- Trusted Computing FAQ v1.1 (Ross Anderson)
- Richard Stallman on "Treacherous Computing"
- Michael Robertson on Microsoft Office 2003
- Public Knowledge
- Lucky Green's Defcon X slides
- New Yorkers for Fair Use
- Consumer Broadband and Digital Television Promotion Act (S.2048)
- Against TCPA (see especially the TCPA hardware list)
2 sep 2004
all contents © 1995-2004 d. mayo-wells except where otherwise noted.