Evercookie (wikipedia.org)
75 points by chaosmachine on April 5, 2011 | hide | past | favorite | 17 comments

I've found Evercookie to be really useful in eliminating spam.

Despite having captchas and per-user send limits on my site, Nigerians were submitting tons of forms through my site a while back trying to trick users with the same scams that are popular on Craigslist. They know to clear their cookies, etc. Adding Evercookie cut down on the number of spam messages considerably just by keeping a count of the number of messages sent from a particular computer and blocking messages after more than a certain number per day.

Perhaps most satisfying, I implemented it so the message appeared to have been sent successfully even when it was blocked. So there are Nigerians happily working away all day "sending" messages on my site still thinking it is working. I sometimes get hundreds of blocked message notifications per day.

If you're already implementing messages like that, another fun thing to do when the person goes way past the threshold is start making the site slow/buggy. Add in random sleeps, redirect to a random valid or error page, etc. Basically make the site increasingly buggy. The added benefit is that it breaks any automated scripts people might be scamming with.

That's what I did when we marked an account as obvious spam. Usually that was when an account was created and the same or next day sent 1000+ messages to random other users. Basically the person using the account would think the messages got sent but really they usually hit either a keyword/bayes moderation or a similarity throttle and the messages were put into a moderation queue rather than delivered immediately. Once the moderator picks "obvious spam", for that account the site gets buggier and buggier for 30 days until the account gets completely shut down and the person can't log in with it anymore. I did that for 30 days because I didn't want to warn them their account had been flagged and just have them create a new one.

Basically it's a spammer tarpit.
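The throttle-and-tarpit pattern the two comments above describe, as an added example written for this thread (it is not code from any commenter or from the Evercookie project): a per-identifier daily counter that silently holds messages past the limit while still reporting "sent", and an escalating delay for identifiers a moderator has flagged, ending in a lockout after 30 days. The identifier is whatever the server already has for the client; here it is an opaque string. The daily limit, the delay curve and every name in the block are assumptions.

```javascript
// Added example (not from the thread or from the Evercookie project): a
// per-identifier daily throttle with a silent ("shadow") block, plus an
// escalating tarpit for identifiers a moderator has flagged. The identifier
// is whatever the server already has for the client; here it is an opaque
// string. Limits and helper names are assumptions, except the 30-day
// window, which the comment above states.

const DAILY_LIMIT = 20;                  // sends allowed per identifier per day (assumed)
const TARPIT_DAYS = 30;                  // degradation window before hard lockout
const DAY_MS = 24 * 60 * 60 * 1000;

class AbuseThrottle {
  constructor(limit = DAILY_LIMIT) {
    this.limit = limit;
    this.counts = new Map();             // id -> { day, count }
    this.flagged = new Map();            // id -> ms timestamp when marked as spam
  }

  dayOf(ts) {
    return Math.floor(ts / DAY_MS);
  }

  // Record one send attempt for `id`. Over the limit, the message is held
  // back but the client is still told "sent", so the sender learns nothing.
  record(id, now = Date.now()) {
    const day = this.dayOf(now);
    const prev = this.counts.get(id);
    const count = prev && prev.day === day ? prev.count + 1 : 1;   // resets each day
    this.counts.set(id, { day, count });
    const blocked = count > this.limit;
    return { deliver: !blocked, blocked, clientSees: 'sent', count };
  }

  // Moderator decision: start the tarpit clock for this identifier.
  flag(id, now = Date.now()) {
    this.flagged.set(id, now);
  }

  // Tarpit policy: the baseline delay grows with the days since flagging
  // (capped at 10 s) with random jitter on top; after TARPIT_DAYS the
  // identifier is locked out entirely.
  tarpit(id, now = Date.now()) {
    const since = this.flagged.get(id);
    if (since === undefined) return { delayMs: 0, lockout: false, days: 0 };
    const days = Math.floor((now - since) / DAY_MS);
    if (days >= TARPIT_DAYS) return { delayMs: 0, lockout: true, days };
    const base = Math.min(10000, 250 * (days + 1));
    const jitter = Math.floor(Math.random() * base);
    return { delayMs: base + jitter, lockout: false, days };
  }
}
```

The server would call `record()` on every send and, when `deliver` is false, log the message for review instead of delivering it; `tarpit()` returns the sleep to apply before responding, and the random jitter is what makes the site look flaky rather than deliberately throttled.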

Setting all ethical issues aside, while most are just "use whatever other readily available storage", I enjoyed this hack of a storage method:

"Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out"

Evercookie is the herpes of user tracking. Wear protection (don't run JavaScript from untrusted websites).

Still, there are some interesting ideas for places to hide trackers. I wonder which parts actually survive (as wiki suggests that something does) after doing a full "clear browsing data" on something like Chrome (which comes with a super helpful link to clear Flash cookies).

Also, isn't the best way to defend against this once it's there not to try to clear it only to have it come back later, but to shuffle its content so much that its perpetrator can't make use of it? The core of it is its resiliency thanks to redundancy, so let's corrupt it so that the information becomes noise.

Indeed. I would love a browser plug-in that fucked with cookies and spread disinformation.
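The "corrupt it rather than clear it" idea from the two comments above, as an added example written for this thread (not code from any commenter or from the Evercookie project). It models the tracker's redundancy as one identifier copied into several named storage vectors, and the tracker's recovery step as a majority vote over the surviving copies followed by re-writing the winner everywhere; that vote rule, the vector names, and which vectors a clearing tool can reach are all assumptions. The model goes a step beyond the comments: it shows that filling each reachable vector with its own random noise still loses to two untouched copies under a majority vote, while one consistent decoy value written into every reachable vector outvotes them and is then propagated by the tracker itself.

```javascript
// Added example (not from the thread or from the Evercookie project): a
// model of why deleting a redundant tracking value fails and what a
// defender who can only reach some of the storage vectors gains by
// overwriting them. Each vector is a string in a Map; the tracker's
// recovery step is modelled as a majority vote over non-empty copies,
// followed by re-writing the winner into every vector. The vote rule, the
// vector names and the reachable set are assumptions for illustration.

const TRACKER_ID = 'a1b2c3d4e5f6';                       // constructed identifier
const VECTOR_NAMES = ['cookie', 'localStorage', 'sessionStorage',
                      'flashLSO', 'pngCanvas', 'etag'];
// What a "clear browsing data" style UI (or a plug-in) can reach; the
// cached PNG and ETag copies are assumed to be missed.
const REACHABLE = ['cookie', 'localStorage', 'sessionStorage', 'flashLSO'];

function makeVectors(id = TRACKER_ID) {
  return new Map(VECTOR_NAMES.map((name) => [name, id]));
}

// Tracker side: the most common non-empty value wins.
function reconstruct(vectors) {
  const tally = new Map();
  for (const value of vectors.values()) {
    if (value === null) continue;
    tally.set(value, (tally.get(value) || 0) + 1);
  }
  let best = null;
  let bestCount = 0;
  for (const [value, count] of tally) {
    if (count > bestCount) { best = value; bestCount = count; }
  }
  return { value: best, copies: bestCount };
}

// Tracker side: write the reconstructed value back into every vector.
function resync(vectors) {
  const { value } = reconstruct(vectors);
  return new Map([...vectors.keys()].map((name) => [name, value]));
}

// Defender option 1: delete the reachable vectors.
function clearVectors(vectors, reachable = REACHABLE) {
  const out = new Map(vectors);
  for (const name of reachable) out.set(name, null);
  return out;
}

// Defender option 2: fill each reachable vector with its own random noise.
function noiseVectors(vectors, reachable = REACHABLE) {
  const out = new Map(vectors);
  for (const name of reachable) out.set(name, randomHex(TRACKER_ID.length));
  return out;
}

// Defender option 3: write one consistent decoy value into every reachable
// vector, so the decoy outvotes the copies the defender could not reach.
function poisonVectors(vectors, decoy, reachable = REACHABLE) {
  const out = new Map(vectors);
  for (const name of reachable) out.set(name, decoy);
  return out;
}

function randomHex(length) {
  let s = '';
  while (s.length < length) s += Math.floor(Math.random() * 16).toString(16);
  return s;
}

// Does the tracker still get its original identifier back after resync?
function trackerSurvives(vectors, id = TRACKER_ID) {
  return resync(vectors).get('cookie') === id;
}
```

Under this model `clearVectors` and `noiseVectors` both leave `trackerSurvives` true, because the two unreached copies agree with each other and nothing else does, whereas `poisonVectors` makes the tracker adopt the decoy and overwrite its own surviving copies with it. How the real library orders and reconciles its sources is not modelled here, so whether per-vector noise is enough in practice depends on that reconciliation rule.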

This, on Linux, is defeated by Chrome's Incognito mode. It's why I didn't use it to track spammers on ragechat.com.

Edit: that, and it tries to use Silverlight to store some Silverlight-based cookies, and people would just get big "Install Silverlight!" button/adverts coming up.

Careful though: older versions of Flash will still store cookies even if you're in incognito mode (http://www.google.com/support/forum/p/Chrome/thread?tid=072d...). This is especially true with many Linux installations, as oftentimes they have older versions of Flash for compatibility purposes (64-bit Flash... ugh...)

Awesome, my client requested just that for his project.

I wish I was kidding.

Evercookie isn't evil, it's just a tool; it's how you use it that matters. Using it to keep track of users for spam or troll purposes is perfectly fine to me.

Some communities seem to act like magnets for trolls and abusive behavior. I use evercookies on one of my websites to keep the trolls out. Works tremendously well. It has allowed the community there to really flourish, absent petty personal attacks and troublemakers.

I wouldn't be surprised to find out that this is already in use by ad networks.

I would be, at least for ad networks based in the United States or Europe. The rhetoric around online privacy has gotten rather heated lately, and they're trying to avoid government regulation by being on their best behavior and trying to self-regulate. Evercookies are the opposite of that - it'd be like holding up a sign saying 'make me a target'.

Back when things were a little less heated (aka a couple of years ago), some companies did use a combination of cookies and Local Shared Objects in order to provide redundancy - information deleted from one was later restored by the other. Those companies have almost certainly stopped.

Not that it indicates any wrongdoing, because there's a class-action lawsuit for everything remotely advertising-related, but there have been a ton of class-action lawsuits in the Flash cookie space. I believe the ones involving actively rewriting deleted information have largely been settled, and now it's mostly lawyers trolling companies for the use of Flash cookies to store any type of information more complicated than a volume setting.

For a recent example, search for Del Vecchio vs Amazon.

Ah very cool. Tangentially related: I've been helping a client get some affiliate marketing set up, and the email-based affiliates require CAN-SPAM compliance. Basically, this requires a generic unsubscribe link where people can put in their email address to be added to a "suppression file" blacklist, which the affiliates can then download. It's intended to act as a shared blacklist when you're working with multiple affiliates, but I'm wondering what's to stop someone from just harvesting suppression files?

I believe CAN-SPAM has provisions against that, but several vendors have standardized on storing the suppression files as a list of md5s. Of course that is not bulletproof (the source space is small, especially among the big mail providers) but at the moment it seems to have shifted the economics favorably.

This page was nominated for deletion on 27 October 2010.

The result of the discussion was nomination withdrawn.
