Category Archives: Computer networks

Another privacy invading monster (LSO cookies)

Recently I came across something called LSO cookies (read about it, I’m not going to explain them in detail here). Since more and more browsers, virus scanners and security software block cookies, these LSO cookies are a real treat for advertisers and tracking companies for several reasons:

  • most people have never heard of them
  • they are difficult to block
  • they provide lots of storage (100KB per site)
  • they are not removed by your browser, ever
  • they work and track you, even with your browser’s “privacy mode”


There are several dangers to these cookies. First and foremost, we block cookies for a reason. We don’t want to be tracked everywhere on the web and we don’t want companies to build profiles of our web usage for whatever reasons they have. These companies shamelessly track us anyway by using all kinds of tricks, like these LSO cookies, instead of respecting our explicit choice to not be tracked and monitored.

Another problem is that this will leave tracks of your Internet usage on your computer, even if you try to cover those tracks by deleting cookies, browser cache and temporary files.

So what can we do about this?

First of all, the best thing would be to not use Flash, but that ain’t an option. (We want our YouTube to work!) So the second best option is to block or at least remove the cookies. There is an excellent Firefox plugin called Better Privacy that will give you all kinds of options to remove or block LSO cookies.

If you don’t have Firefox, your third option is to go to Adobe’s Flash Player settings page – you never heard of it, neither did I – and set the storage space to zero KB. Next, go to the last tab there or use this link, and be amazed at the number of sites that use LSO cookies to store whatever they want to store on your PC. Then click the remove all button to remove it all. Note that setting the storage to zero prevents sites from storing cookies, but Flash will still create directories for each site that tries. So next time you visit that shameful pr0n site, be aware that Flash will keep track of it.


After all the buzz around Ghostnet, it’s fun to look back and read the original document describing the spy network. It’s an interesting read, and if you don’t have the time to read it you can also check out the Security Now! podcast from April 9th, in which Steve Gibson explains how the research group found out about the spy network and how amateurish the (open source) Gh0st RAT software actually is.

One very important lesson learned from this story is that attackers no longer control these networks by using IRC as we have seen in the past. Ghostnet used plain old HTTP requests to periodically check for new commands. The startling thing about this is that this is exactly the kind of traffic that gets through firewalls and even proxy servers without any problems. HTTP replies consisting of JPG images contained the actual, encoded commands.
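The periodic HTTP polling described above leaves a regular rhythm in proxy logs. As an added example (not from the original post or the Ghostnet report), the script below flags client/URL pairs that are requested at near-constant intervals; the log format, addresses, URLs and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: ISO timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2009-04-01T09:00:03 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T09:01:10 10.0.0.9 http://news.example.org/
2009-04-01T09:02:45 10.0.0.9 http://news.example.org/
2009-04-01T09:05:02 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T09:10:04 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T09:15:03 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T09:20:00 10.0.0.9 http://news.example.org/
2009-04-01T09:20:02 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T09:21:30 10.0.0.9 http://news.example.org/
2009-04-01T09:25:04 10.0.0.5 http://img.example.net/a/banner.jpg
2009-04-01T10:05:12 10.0.0.9 http://news.example.org/
"""

def parse(log_text):
    """Group request timestamps by (client, url); malformed lines are skipped."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, url = parts
        groups[(client, url)].append(datetime.fromisoformat(ts))
    return groups

def find_beacons(log_text, min_requests=5, max_jitter=0.1):
    """Return sorted (client, url, mean_interval_seconds) for regular pollers.

    max_jitter is the allowed coefficient of variation (stddev / mean)
    of the gaps between consecutive requests to the same URL.
    """
    hits = []
    for (client, url), times in parse(log_text).items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, url, round(avg)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Tune min_requests and max_jitter against your own baseline, since legitimate updaters and feed readers also poll at fixed intervals.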

Map-Reduce in the browser

Someone had to do it: a Map-Reduce system built around the browser. Just point your browser to a URL and you are instantly helping someone to solve large problems by taking part in the process and running a number of jobs. If you think about this, it can even be used to replace advertisements. Instead of looking at flashy ads, a site can load a few tasks in the background (a frame would be best) and use some of your CPU power 🙂 That would probably even be cheaper for the visitor than running the CPU power drain called “Adobe Flash” to show the usual “OMG you just won an iPod!!!” ads.

Sniffing http headers with Wireshark

If you ever need to see HTTP requests and responses, you can use this little snippet that I “borrowed” directly from this blog. You need to install Wireshark first. On a Mac, you can use DarwinPorts: run the command sudo port install wireshark. You can also install it on most Linux distributions and there is even a Windows version available for download 😉

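# 192.0.2.10 is a placeholder destination IP. Current tshark uses -Y for the
# display filter (formerly -R), and the old -S flag is no longer needed.
tshark -i wlan0 -f 'host 192.0.2.10' -Y 'http' -V -l | \
awk '/^[HL]/ {p=30} /^[^ HL]/ {p=0} /^ / {--p} {if (p>0) print}'

Replace wlan0 with the name of the network interface you use and 192.0.2.10 with the IP of the destination machine.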