From a link at Slashdot: Breitbart.com reports that the NSA was accidentally leaving permanent cookies on users' browsers. The article noted that it was due to a recent software upgrade. On a hunch I went over to the NSA and discovered that, yes, it is indeed a ColdFusion site.
So - what do you think? I bet someone accidentally turned on client variables in an Application.cfm file. At least their site is reasonably secure. I "broke" the search engine but got a pretty error, and not a default error. They also covered a missing CFM as well.
Oh - and I'm not even going to comment on cookies. Get a grip. Folks should be more worried about real cookies and their health. Of course, part of the blame for the cookie paranoia falls on Netscape's shoulders. In the old days it was very hard to configure cookie support. Shoot, you couldn't even easily examine your cookies. The browser should have been a lot more open about cookies and their status.
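The guess above about client variables in an Application.cfm, shown as an added example that is not code from the original post or from the NSA site: the commented-out `cfapplication` tag is the kind of setting that produces persistent cookies, and the active code keeps session tracking while issuing only per-session cookies. The application name `exampleApp` and the 20-minute timeout are assumptions.

```cfml
<!--- Application.cfm (added example; the name "exampleApp" is hypothetical) --->

<!--- Weak form: ColdFusion sends CFID/CFTOKEN itself as persistent cookies,
      and clientStorage="cookie" also writes client variables into cookies
      that are saved to disk by the visitor's browser.
<cfapplication name="exampleApp"
               sessionManagement="yes"
               clientManagement="yes"
               clientStorage="cookie"
               setClientCookies="yes">
--->

<!--- Corrected form: client variables are off, and ColdFusion is told not to
      send its own identifier cookies. --->
<cfapplication name="exampleApp"
               sessionManagement="yes"
               sessionTimeout="#createTimeSpan(0, 0, 20, 0)#"
               clientManagement="no"
               setClientCookies="no">

<!--- Re-issue the identifiers without an EXPIRES attribute, so the browser
      holds them in memory only and discards them when it closes. --->
<cfif not structKeyExists(cookie, "CFID") or not structKeyExists(cookie, "CFTOKEN")>
    <cflock scope="session" type="readonly" timeout="5">
        <cfcookie name="CFID" value="#session.CFID#">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
    </cflock>
</cfif>
```

To check the result, request a page and look at the `Set-Cookie` response headers: the CFID and CFTOKEN cookies should carry no `expires` value.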
Archived Comments
I read about this today - if you ask me (and you didn't, but I'll tell ya anyways) the only folks who should be worried about the government 'spying' on them are the ones who have something to hide.
What do people think is going to happen? Do they think the gov't is going to publish a national list of pr0n surfers???
Todd's comment was woefully ignorant. Once spying becomes widespread and accepted, the rules change and everyone has something to hide. That's how dictatorships start.
oh come on now...i'm not going to turn raymond's blog into a political debate arena, but let's get serious...
this nation wouldn't be what it was today without "spying"
would you rather we just let any and all do as they please?
besides - i'd hardly call a cookie spying!
sorry raymond, i'll digress...
Heh, go ahead, argue away.
You said "the only folks who should be worried about the government 'spying' on them are the ones who have something to hide." This is nonsense. Recently the government has spied on nonviolent organizations opposed to the government's policies. I suppose this is ok with you. BTW, your RFID asschip implant is scheduled for Thursday and it keeps a record of excessive alcohol and illegal drugs, reported directly to your employer and insurance company.
It's a typical Internet debating tactic to take your opponent's position to the other extreme ("You are obviously some kind of anarchist". "You obviously hate Christ"). It's the government and especially President Fascist Moron that I DON'T want "doing as they please".
BTW not to get all factual or anything ("facts are stupid things" - Ronald "Diapers" Reagan), but persistent cookies ARE illegal on government sites.
color me crazy but isn't a cookie solely made up of information that either you or your machine provide to the webserver, which then takes that data, and stores it on your machine? not stores it on THEIR machine, but YOUR machine? sure there is a cfid/cftoken, but who gives a flying f*ck, really? i mean, who cares if ANY site i go to drops a cookie on my machine? i know where/when/why/how to remove it if i want.
am i wrong?
EXACTLY. preach on brotha...
I will let those comments speak for themselves.
And you failed to answer my points intelligently, but that's probably something that you don't consider to be a big deal.
What do you mean "cookies are bad for your health"? This is propaganda spread by Hershey in an attempt to drive-up candy bar sales. Don't believe the hype, people.
Seriously though, you're absolutely right, Ray. I don't see what the big deal is? You can read their privacy policy (http://www.nsa.gov/notices/...) - it doesn't say that they promise not to use cookies or put permanent cookies on your machine... and I don't see why they shouldn't be allowed to. So long as they're using the information they gather within the boundaries outlined on that page, I'm fine with it. In fact, most government websites do not claim not to use cookies. That said, if you visit the official US Government Web Portal and read their privacy policy (http://www.firstgov.gov/Abo...) it clearly states that they only use per-session cookies that are not ever written to disk... you'd think that all govt. agency sites would adhere to one standard and that the standard be that of the official govt. portal. Of course, you'd also be wrong apparently.
Ray,
My apologies for continuing to add to the rant.
Jim,
I take exception to your words about Ronald Reagan, as well as most of the other things you wrote, but mostly President Reagan. President Reagan will probably be remembered as the greatest President this country has ever seen. Not because he was the smartest man on the planet, but because he understood his role and his authority. President Reagan surrounded himself with the best men available and together they put down a Soviet threat. In his role as President he portrayed a vision of hope and prosperity that positively influenced the entire world. People forget that it was during the Reagan era that humans probably had their greatest social awakening in history. LiveAid, FarmAid, Feed the World, the end of Apartheid, Perestroika, and the collapse of the wall, all took place or had their foundation established during the Reagan Administration. Unfortunately, his 8 years came to an end before the virus, known as the Soviet Union, was completely eradicated and which, based on recent news events, may be coming back with a more resistant strain.
As for the cookie issue, the reason government initially took the stance on not using cookies was solely based on individual privacy. They feared that Americans would feel like their privacy was being invaded if the government placed a cookie on their machine. The fact that every other unscrupulous entity on the planet could use them is irrelevant. As for me, I want some thin mints from the Girl Scouts (they're not fascist are they?).
Steve, in your canonizing of the most useless, dumbest president we've ever had, you missed the part where he developed a vaccine for AIDS and solved the problem of the homeless. And redistributed wealth. And fixed the environment. And redeveloped astrology as a science. Not to mention defeating Nazi Germany in WWII single-handed. (wait, he never served in WWII).
Reagan:
"Many of them are, duh, uh, homeless by choice. Yeah, that's it".
"I often depend on the scientific predictions of Jeanne Dixon to make foreign policy decisions. After all, astrology is, you know, a science, kinda. And Mommy likes her."
"Trickle-down economics means the superrich will maybe throw some change at the homeless. After Ken Lay has totally ripped them off and screwed them out of every dime they've ever managed to save."
BTW the actual threat was that the GNP of the Soviet Union was growing faster than ours. In other words, communism was winning. The only way to defeat it was an arms race.
Jim,
You must live in the Potemkin village.
Folks - let's be nice or I'll disable comments.
I read this article also on Slashdot. My first and only reaction is "what is the big deal?". I don't see why people are making a big deal because the NSA is leaving cookies on their computers. No matter what browser you are using, you can either set it up to remove all cookies from your drive when you close the browser or you can tell it to block, even prompt you to accept cookies. Furthermore, with free software like CCleaner, you can have it run once a night and remove them.
This is obviously a way to use FUD to get people in an uproar. Unfortunately people would rather be sucked into FUD than use their heads and realize that this isn't a big deal in the first place.
Well, people can get hysterical about something they know nothing about. I envision articles in public magazines such as Newsweek that will now detail how to turn cookies off (as opposed to the trade journals that you and I read).
So we as programmers need to be even more ready to handle users who have turned their cookies off.
I thought that EVEN SESSION VARIABLES use cookies to maintain their state from one page to the next. The only other option is to pass the cfid/cftoken in the FORM scope or the URL scope, which is rather like lugging your baggage around with you from room to room. You can put all your luggage into one suitcase with the JSESSION variable, but that doesn't eliminate having to carry it to every form.
Ray,
Q: is it true that EVEN SESSION VARIABLES need to have cookies enabled?
To answer Ray's question, I read somewhere that they were using WebTrends, which sets a cookie for website visitor tracking purposes by default.
Phillip, by default, session vars use 2 cookies to mark you. You CAN do session management w/o cookies though.
I have to admit, as much as I am concerned about the warrantless spying on Americans and its conflict with the 4th Amendment, I have found myself asking what is the big deal with a permanent cookie left by the NSA?
In other words, is there a way to use cookies to monitor what sites a user goes to?
Now, before we all shout "NO, YOU'RE JUST A PARANOID ******IST!", let's not forget this *is* the NSA we're talking about here. They're pretty clever folks.
So what is the big deal in this particular case? Is there any potential "there!" there?
OMG!!!1 the White House too!
http://www.wired.com/news/w...
Cookies are the end of our freedom!!!! LOL
This is some top notch news reporting.