Cookies. Cookies. Cookies. Use our Cookies or else

now that’s a fun topic to dive into … i don’t know ANYTHING about coding a boot sector virus but maybe there are those who DO know, lurking around …

might be a good thread to open separately and see JUST HOW small a file one could write to fit your example :wink:

Yeah, OK, but there would have to be fairly serious security errors in the browser and operating system if a cookie can end up in the boot sector.

As far as I know, cookies are always printable ASCII at most (couldn’t be bothered looking up the RFC to check the exact specification) and are handled by the browser as opaque values (not decoded or otherwise interpreted), so that is an additional challenge if you want to embed machine code.

My comment wasn’t entirely serious. But stupider bugs have existed.

My frustration is not just Cookies. It is any type of program that I get by just opening a webpage, and it installs. Or I have to hunt down and implement software to keep some kind of programs from installing/running on my computer.

Cookies can include tracking Cookies, Super Cookies.

I am also not a fan that the server side keeps information on me, perhaps excepting those I actually buy from, and then limited to my needs not theirs to throw more advertising at me.

I point at the analogy of the US major highways requiring the limitation of signs. Who lost. We got to see the countryside again. The businesses did not have to continue to pay for signs, more signs, better signs, updating signs. Which allowed them to make profit margin that did not include charging the customers more, that was actually going to the builders of road signs.

Google is a massive company that has made available things such as: A good search engine. DNS. Now installing fiber optics in major cities. I sometimes wonder if Bill Gates thinks, “Oh why did I not build Google, Facebook as well.” He might actually be thinking, “Owning Google, Facebook would have caused me a lot of problems with being accused of having a monopoly.”

Actually I point out who has actually made Google, the information gathering service rich. Most people would say, those who buy information from Google. I would say it is those who buy products from those companies. The super rich google is like those sign builders. Put another way. If we level the playing field by limiting what information companies are allowed to collect, and utilize, then the general consumer does not have to support companies like Google. Google is not the only company that gathers information for profit.

We might be at the point where the value of the use of the information in targeted advertising is diminishing, as the percentage of the population who is poor, grows.

If we seek change by implementing rules on what can be done on our personal computers by drive by installs with a browser, or even if I give permission in some way. Then it is not a few of us complaining about our Rights. Right to Privacy. Right to Computer Security.

It is when the companies that sell things, pressure Governmental Authorities to limit information gathering, and removing from our system the cost to support the sign builders. The Googles.

As we buy products on the internet, we make Google rich.

I want a browser which has standardized programs that will allow for data to drive standardized/Advertising on my browser. No Spying. No more super fancy new flashy signs to claim my attention.

Speaking personally, I am not a fan of things which go over the top of the information I am trying to look at, and make it harder for me to use my computer.

I have a simple mantra for software designers, “Don’t waste my time.” Which also means don’t use up my resources, bandwidth, speed.

Pass laws about what ISPs are allowed to do. I am in a neighborhood where the available ISP is Suddenlink, who was fined several times for spying on users, to obtain information to sell. In the world of Trump. I don’t think they have to worry about fines, or limits from the Profit-minded Trump. ISPs are like a public utility.

Tech Geeks who write browsers need to be concerned with Security in Browsers, not finding a new trick to throw advertising at us, Spy on us. Right now it is the information gatherers, the sign builders, sellers who call the tune for software.

Power to companies to make profit should be increased by removing the leeches on the sellers. The sign builders. The Google.

2 Likes

Let’s say you go to the mall to do some shopping. Shortly after you enter the first store, the discussion below takes place:

Store clerk: Hello sir. Is there anything here I can help you with?

You: No, I am just browsing. Thank you.

Store clerk: Well sir, we have a rule here. You’ll need to sign-in at the door and provide us with a valid phone number and mailing address before you’ll be allowed to look through the merchandise here. Also, you’ll need to sign the consent form so that the cameras in the store here can record which items you looked at, so we can attach your interest in those items to your profile. This should improve your user experience.

You: I am not going to sign anything or give you any personal information.

Store clerk: Then sir, I am going to have to ask you to leave the store.

After you leave the store you go to the next store in the mall and experience the same thing. At every store in the mall, you experience this same treatment. This is not the America that I grew up in. But as our society moves from doing business primarily at brick and mortar stores to doing everything online, this is the America we are rapidly becoming.

I really really like and value my anonymity as I move around in this world and make purchases. When I actually want to step forward and make a purchase online, I choose to reveal my identity. But until I do that, it should be illegal to stalk literally everyone on the web. It’s creepy. I really don’t care how they can restore everyone’s anonymity. But it needs to happen if we want to keep the same country we grew up in.

7 Likes

How about web sites use APU, CPU, or GPU MAC addresses AFTER the client understands that, like Cookies, it’s the device that is married up to the login ID/Pword, not what is placed on the device.

EXAMPLE: Too many Surveys AKA Polls, use cookies to prevent multi-votes from the same device. But one only need to Vote, delete cookie, reload the page, Vote again and so on. Can’t do that with MAC addresses - am I right?

~s~

1 Like

That’s device fingerprinting, but I think that’s even worse than browser fingerprinting.

Does/would Librem 15(x) with PureOS or PureOS alone prevent all fingerprinting?

TIA
~s~

My limited knowledge is that the web browser is where all that information travels through, so… depends on the web browser. There are add-ons to mitigate fingerprinting, but I haven’t thoroughly tested it myself.

Fingerprinting is kind of a slippery slope, though. It’s not really any particular -thing- that identifies you as you, but a combination of those things (which could be anything from the size of your screen, the size of the window, your OS, your browser version, which timezone you’re in, etc etc). So the trick isn’t to block everything (not many people do that, so you’d be one of relatively very few) but to have your system lie and say something like you’re a windows user on chrome with a 1920x1080 screen in some densely-populated region, so you’d be one of millions of others with the same setup. The less unique your information is, the better.

…or you can have a website recognize you as you so you wouldn’t need cookies. But if one website can tell who you are, they all can.
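The "less unique is better" point above can be put in numbers. This is an added example, not part of the original post: the population shares are constructed for illustration, and attributes are assumed independent, which is a simplification.

```python
import math

# Constructed shares (illustration only, not measured data): fraction of
# visitors that report each value for an attribute.
SHARES = {
    "os": {"Windows": 0.70, "Linux": 0.02},
    "browser": {"Chrome": 0.65, "Firefox": 0.05},
    "screen": {"1920x1080": 0.25, "2560x1600": 0.004, "(blocked)": 0.001},
    "timezone": {"UTC-5": 0.10, "UTC+9:30": 0.002, "(blocked)": 0.001},
}

def surprisal_bits(attribute, value):
    """Bits of identifying information revealed by one attribute value."""
    return -math.log2(SHARES[attribute][value])

def fingerprint_bits(profile):
    """Total bits for a profile, treating attributes as independent."""
    return sum(surprisal_bits(a, v) for a, v in profile.items())

def expected_matches(profile, population):
    """Expected number of visitors in `population` sharing this exact profile."""
    return population / 2 ** fingerprint_bits(profile)

# A profile that blends in, a rare genuine setup, and one that blocks two
# attributes outright (blocking is itself an uncommon, observable value).
COMMON = {"os": "Windows", "browser": "Chrome",
          "screen": "1920x1080", "timezone": "UTC-5"}
RARE = {"os": "Linux", "browser": "Firefox",
        "screen": "2560x1600", "timezone": "UTC+9:30"}
BLOCKING = {"os": "Windows", "browser": "Chrome",
            "screen": "(blocked)", "timezone": "(blocked)"}

if __name__ == "__main__":
    for name, profile in (("common", COMMON), ("rare", RARE), ("blocking", BLOCKING)):
        print(f"{name:9s} {fingerprint_bits(profile):5.1f} bits, "
              f"~{expected_matches(profile, 1_000_000):.3f} matches per million")
```
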

No well implemented polling web application would use cookies to track whether a user has already made a decision. :slight_smile: It is btw impossible to track the MAC-address of a device by a visited website under usual circumstances. The MAC is a layer 2 address, it is only used in your local network and does not leave it. Outside of your local network the routing of packets works on layer 3 (IP).

In the hypothetical scenario that a survey / poll used ‘the’ MAC address in order to prevent multiple voting, you most certainly can do that with MAC addresses i.e. vote, change MAC address, vote again, change MAC address, vote again, …

In principle that could also be used in order to prevent someone else from voting if you happened to know that other person’s MAC address.

Which MAC address? Are you referring to the NIC?
According to some reads, the GPU, CPU, APU and MoBo all have MAC addresses, which can easily be converted to its serial number making it rather unique which is garnered by exploiting the HTML 5 Canvas element.
I’ve just been re-researching this and see that most polls just ban a second vote based on visitor’s IP. One vote per household. Some use the MoBo serial (converted from MAC), and others use honour system. :unamused:

I had read, wish I could find it again, that much of the Stalkerware peeps generate a fingerprint ID of visitors’ CPU, APU, GPU and MoBo MACs.

And now, as I scroll down this page, Font Fingerprint Defender keeps reporting a fingerprint attempt by forums.puri.sm and faked one.

But this seems to have run @purple’s post off-topic (my fault), so I’ll stop and leave it with the idea that just as we found ways to block popups, SMRC’ers continue to look for ways to circumvent our rights to privacy.

Thanks for the discussion @kieran

~s~

By default, yes, the NIC (although a computer is open to having more than one NIC, and that could be wired or wireless or both). Could, alternatively, be the Bluetooth MAC address.

Other components may have a unique identifier (serial number, not a MAC address as such though).

It is true that web sites have many ways of fingerprinting you, and the Canvas element is one such way.

Perhaps they don’t work properly with IPv6 then, if at all. I use IPv6 address randomisation (I think it’s default anyway). That has two implications 1. You are no longer limited to one vote per household 2. You can vote more than once since your IPv6 can readily change. However it is possible that such a web site would use a prefix of the IPv6 address in order to approximate the behavior of IPv4.

It also means that the web site doesn’t work properly if you use a web proxy.

You can test your browser config for its resistance to fingerprinting using the following online tool. https://panopticlick.eff.org/
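The IPv6 point raised above (a poll keying on an address prefix to approximate its IPv4 "one vote per household" behaviour) looks like this on the server side. This is an added example, not code from the thread or from any poll site: `vote_key`, `count_votes` and the /64 prefix length are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

def vote_key(remote_addr, v6_prefix_len=64):
    """Return the value a poll would deduplicate on for a client address.

    IPv4: the full address. IPv6: only the network prefix, so temporary
    (randomised) addresses inside the same subnet map to one key.
    """
    ip = ipaddress.ip_address(remote_addr)
    # Dual-stack servers may report IPv4 clients as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # strict=False masks off the host bits instead of rejecting them.
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix_len}", strict=False))

def count_votes(votes):
    """Tally (remote_addr, choice) pairs, keeping the first vote per key."""
    seen, tally = set(), {}
    for addr, choice in votes:
        key = vote_key(addr)
        if key in seen:
            continue
        seen.add(key)
        tally[choice] = tally.get(choice, 0) + 1
    return tally

# Constructed sample (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE = [
    ("203.0.113.7", "yes"),
    ("203.0.113.7", "yes"),                     # same IPv4: ignored
    ("2001:db8:12:34:a1b2:c3d4:e5f6:1", "no"),
    ("2001:db8:12:34:9f00:11:22:33", "no"),     # new address, same /64: ignored
    ("2001:db8:12:35::1", "no"),                # different /64: counted
    ("::ffff:203.0.113.7", "yes"),              # IPv4-mapped repeat: ignored
]

if __name__ == "__main__":
    print(count_votes(SAMPLE))
```

As with the per-IPv4 rule the thread describes, every client behind the same prefix or the same web proxy shares one key.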

I was not concerned about the “How To’s.” As I said before, my goal is more than just Cookies. Notice how cookies can seem to have a good purpose, and yet be used against the person.

In some ways, allowing a browser to download and run software, whether I gave permission or not, is like removing all the locks from one’s doors. Someone is sure to come over to borrow something, look through the drawers for checkbooks.

Another point. 5G networks, our own government wants limits on information being gathered by networks. This is similar to the standard I would hope we would enforce all over.

Or did I misread what the plans for controlling the 5G network are to be?

Short answer: everywhere. :wink:

Longer answer: you don’t understand web technology, obviously. And that’s OK if tech is not your thing; not everyone needs to know how the Internet works on a technical level. Except, when participating in discussions on the subject. Your opinions are based on a flawed understanding, and therefore irrelevant. First read up on the subject, then participate in the discussion as an informed party.

Sorry if that sounds harsh, but “don’t waste people’s time by engaging in discussions that you don’t understand” is common courtesy. Educate yourself on the subject: perform an Internet search, ask questions, … Just don’t barge into discussions with opinions based entirely on nonsense because you can’t be bothered to investigate the topics you supposedly have very strong opinions on…

What (s)he did is called “being mistaken,” something every single human being that has ever spoken, speaks, or will ever speak does on occasion, including you. Don’t just post (19 days after the fact) that (s)he’s wrong, irrelevant, and inconsiderate, especially when (s)he asked for feedback, especially when the basis of your post is “practicing common courtesy.”

Or perhaps I should berate you and tell you to educate yourself on what “common courtesy” is? Sorry if that sounds harsh.

1 Like

I would have no issue had their post started with the question “Is it even necessary to store cookies on the client? Can’t we better store it server-side?” - this is simply bringing up what seems like a good idea, while also indicating their lack of knowledge and willingness to learn. However, leading with “It seems obvious to me” on a subject you know nothing about? Yeah, sorry, that’s not “being mistaken”. That’s ill-deserved confidence.

And it seems to be a recurring trend on these forums, which is why it bothers me so much. Half the discussions here get derailed (or even started) by people holding firm beliefs on subjects they understand nothing about and have zero plans to educate themselves on. Sorry, but that’s not how it works. If you want to have a strong opinion on something, you better know what the hell you’re talking about.

Hmmm. Well that told me absolutely nothing. I suppose you work for those that want to compromise individuals’ security. Your tactic is if you cannot attack the message, attack the messenger.

Since you asked … there are at least three ways (none of which I would specifically recommend as an alternative to simply using a session cookie)

  1. Use HTTP authentication.
  2. Embed the cookie value in the page itself.
  3. Embed the cookie value in the URL itself.

A full discussion of the pros and cons of all the approaches may be more detail than anyone wants.

Point for you. But as you stated none of them is really recommendable…

1 Like

Yes, thank you epinez. These are the obvious techniques. The web ‘experts’ insist the cookie must be stored on the client’s hardware. I am still waiting for someone to tell me why the cookie must be downloaded to our hard drives. I think I would like to raise the question of web security in general. HTTPS, VPN, encryption, firewalls and so on are all add-ons to the OS. The various OSes were never designed with security in mind. The MOST glaring issue is that it is possible to download programs without the client being aware. I have needed to implement third party security that warns that a program is being downloaded or changed. This should be the first thing implemented in OS security.