Thank you Paul.Paul said:Bleachbit uses XML files for control, with lines like this.
It's multi-platform, so path names for more than one platform
are present in the XML. There are 76 XML files in the Cleaners
folder.
<action command="delete" search="walk.files"
path="$localappdata\Mozilla\Profiles\default\Cache\"/>
And for some reason, I don't see a firefox.xml, just a seamonkey.xml.
Also, doing a text search on the source, I'm not seeing how they
access sqlite to do a VACUUM. There is a claim they do a VACUUM to
clean up unused space in .sglite files.
So the source package is a bit weird looking. Not
the evidence I was looking for. Why no Firefox.xml in there ?
Where does the sqlite3 file come from ?
Their builder script, also looks to pack (UPX) the Windows
version. Which isn't that reassuring for guys like me.
I don't have a good set of tools for UPX. I like to
inspect things when I download them. I can always toss
the thing into virustotal.com, but of course the people sourcing
the package can also do that.
When you click the "BleachBit portable (official)" link here...
http://bleachbit.sourceforge.net/download/windows
my downloader dialog says it comes from here.
http://katana.oooninja.com/bleachbit/sf/BleachBit-0.9.6-portable.zip
So you should be aware it hasn't been scanned by sourceforge. It's
an offsite link. Gets 3 hits out of 45. Could be related to packing,
but who knows...
https://www.virustotal.com/en/file/...7d4a852463f96f77d0f09052fea8dfeedbd/analysis/
The complexion of the package is quite different in the ZIP.
It has an sqlite3.dll, so that answers the question how it
can VACUUM an .sqlite file.
Paul
Have you tested it with NoScript?Good catch. What a nightmare.
At the end of this Arstechnica article, they mention a
"Nevercookie" addon.
http://arstechnica.com/security/2010/10/it-is-possible-to-kill-the-evercookie/?comments=1&start=40
Further info on Nevercookie. I hope the only source isn't
the Anonymizer site. I prefer Addons to be vetted at least
a little bit.
http://www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin
All I can find on the anonymizer.com site is advertising. So
I guess it was just a bait and switch.
*******
If I saw evidence of that kind of tracking, I would simply
use Procmon, track all writefile operations, and identify
all the directories attacked in a browsing session. That
would be a start at "leak detection".
The author of Evercookie, has cookie test capability
on his personal web page. You can use this to test
your eradication capabilities. It plants a cookie, then
reads out all the storage methods that worked (for the
browser you chose to test with). Different browsers
may give different results, so you'll need to test
all the browsers you use normally. For example, I clicked
his button, stayed on the page, did a "clear cookies", and
the cookie could still be detected.
http://samy.pl/evercookie/
I sure hope there are some limits on where Javascript
can write. This suggests the browser is bloody porous.
Something I didn't know, would never have suspected.
Waiting for my first .exe to get overwritten...
I found another solution here.Paul said:Thank you Paul.
I got the evercookie from the link on your earlier post.
It set some but they were all stored in flash cookies, no where else.
Since I run a del bat file for those, they were all deleted and never
came back. My bat del's the entire macromedia folder in xp and W7.
I don't use HTLM5. SeaMonkey cache is set for RAM only, not hdd.
And for anyone who thinks this is "the final solution", it justPaul said:I found another solution here.
https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=search
That add-on works, as long as you delete things at shutdown.
Flash cookies are stored in a different place. The
word "Macromedia" may be in the path.
C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
And the Flash control panel, has a delete option. I just
tested it (there were three entries in the folder with "#"
character in their names), and all three were deleted
by the Delete button in the Flash control panel.
Paul
I recommend the following (as I pointed out in a previous post).Peter said:I keep getting these cookies revealed by CCleaner
whenever FF starts up and closes........
THe Ccleaner deletes them, but they are
regenerated whenever FF starts up.
I have the SysInternals, and is there any way to
catch the program involved by seeing which is
active the moment FF starts up? Presumably the
program must show some activity to regenerate the
list.
Removed Cookie: search.conduit.com 0 KB
Removed Cookie: gsimedia.net 0 KB
Peter
Thanks, and success! They've all disappearedI recommend the following (as I pointed out in a previous post).
I found this Firefox add-on. This is a portion of battling the
Evercookie Javascript exploit.
https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=search
To test whether it is working, Samy's web page has some
test buttons you can use. You can set an Evercookie (containing
a random number between 1 and 1000), do your best to erase the
Evercookie, then reenter the browser, go back to that web
page, and see if the random number is still being displayed
(i.e. cookie was recovered successfully by Evercookie).
http://samy.pl/evercookie/
What I found, is the "Self-Destructing-Cookies" add-on, was not
enough by itself. I had to go the Preferences panel in Firefox,
and set it to empty things like cookies.sqlite at shutdown. That
seemed to help. Once I did that, I could use the Samy.pl site,
set a cookie, exit Firefox, start Firefox, go back to the Samy.pl
page, and the random number between 1-1000 was no longer detectable.
As a bonus, the combo above also stops this one, but it
really shouldn't have. I don't delete my browsing history, and
choose to keep it (as a poor man's bookmarks, in a sense). If
I need to recover a URL for a page I visited in the last couple
of days for some reason, I use my history for that.
http://samy.pl/csshack/
What I suspect in your case, is you have an add-on which *puts back*
cookies in the browser. Apparently there is a plugin which puts "bogus"
cookies in the browser, to screw up these advertising sites. And that
plugin, and "self-destructing-cookies" plugin, are not a good match
for one another. You have to decide which philosophy you're going
to use - either erasing cookies, or try and "jam" fake cookies
into the browser, making the cookie contents useless. Note that,
with the Evercookie method, faking cookies is no longer as effective
as it used to be. To effectively fake a cookie, you would need to
use Evercookie javascript code to load the fake cookie into the browser,
so there are ten different copies of the fake, and no good copies
to be seen.
Try listing your add-ons, and see if one of them is responsible for
the fake cookies. Since the "filesize" field is zero bytes, that
tells me you've got fakes working for you. One of your add-ons
is doing that.
I also recommend you become familiar with sqlite.exe and the
.dump option. You look at all the .sqlite files in your profile,
and that will give you some idea how many of them have "interesting"
information. Your browsing history for example, can be a huge database,
with as many as 20,000 URLs in it.
Paul
I deal with the problem by clearing current historyGet these two extensions for Firefox:
Better Privacy
Foundstone HTML5 Local Storage Explorer
Just click on Firefox in the upper left hand corner of the screen and
then click on addons and search for them. You can then delete them or
block them.
You probably have Adobe Flash Player installed. That's where the
cookies are coming from.
If you don't want to be tracked, the cookies should not be allowed to beI deal with the problem by clearing current history
(click on Firefox at the top left, mouse over History
to get the option to click on) every time I exit
Firefox. Very easy, very quick.
Test your methods, with this site.Anthony said:I deal with the problem by clearing current history
(click on Firefox at the top left, mouse over History
to get the option to click on) every time I exit
Firefox. Very easy, very quick.
Johnny said:Now there is a new type of cookie to deal with, it's the Evercookie that
resists deletion, and is stored in many different places in the browser,
and will regenerate the the cookies that are found and deleted.
Use the Evercookie test page.Henry said:Running WinXP Pro SP3.
Will Evercookie show up when you do a search or is it hidden too well?
I just did and got nothing. I also use SuperAntiSpyware.
Henry
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.