You’ve heard that they are dangerous, used by hackers, and can be stolen and used for identity theft.

In a nutshell, people say they are bad, but people are also full of crap 9 times out of 10, and do the Internet community, their friends, and family no good by spreading all this fear. Follow along and I will show you what a cookie is and how it can be used for good and evil.

I hope this will make you more aware of them, and give you the conviction to call “bullshit” when you hear fear-mongers spouting off about them and how they will eat your computer if you don’t kill them with fire.

In its simplest form, a cookie is just a blob of text that a website stores locally on your computer. Below is an example of a cookie I got from mozilla.com:

http://caphrim.net/tim/wp-content/uploads/2010/03/cookie.png

See? A whole bunch of gibberish.

Why would a website put information on your computer? Well, there are many reasons, but one of the more common reasons is so that the website can remember something about you so that the next time you visit it, it will appear as if the website is personalized to you.

Cookies are the devil

No, cookies are not the devil. They are no more dangerous than guns, cars, or giant concrete structures in Italy. The problem with them, as with guns, cars, and towers, is that they can be misused by people.

One common misuse is by websites other than the one that put the cookie on your computer to begin with. We’ll call this “other” website “Tim’s Evil Website Inc” (TEWI), established August 5th, 1983. Our motto is “You provide it, we steal it and sell it.”

What TEWI can do is ask your computer to tell the TEWI website where it has been in the past. Why would TEWI care? Well, TEWI sells ads to make money. Specific information is much more valuable than general information.

For instance, I can charge far more for

  • 100 email addresses
  • of people that are alive
  • known to be living in Aurora IL
  • Who have children <= 13 years old
  • Who shop at Toys-R-Us
  • On every other Sunday
  • And like grilled Feta cheese sandwiches

than I can charge for

  • 1000 email addresses

Why? Because an email address is arbitrary. There’s not even a guarantee in the 2nd example that the email addresses are valid and attached to real people. And how do you tell, as a Marketer, whether those 1000 people like Gouda cheese or Feta cheese?

So I can charge $1000 for those 100 email addresses, and only $10 for those 1000 email addresses.

The bad guys want specific information.

Cookies steal my information

No. Cookies are technically impotent. They are just a means of storing information in a text form. The websites you visit are what can steal your information.

So what, don’t trust the websites I visit?

Absolutely. Don’t trust them as far as you can throw them.

Be wary of websites with ads, popups, and other crap on them. It’s all crap. They’re selling something you don’t want. If you wanted it, you would have felt a need beforehand. I don’t ever buy anything I see in ads.

Sites with good intentions getting you in trouble

Even sites with good intentions can get you in trouble.

For example

Gary’s Online Oxford Dictionary (GOOD) has a database where they keep records for all their users. After all, GOOD is a really cool site (far better than Wikipedia) and its users typically read lots of subjects about ninjas and their never-ending war against pirates.

You, being an avid supporter of the ninjas

http://caphrim.net/tim/wp-content/uploads/2010/03/Screenshot.png

log in every week to read more about the ninjas. You notice that when you visit GOOD on Monday, that the website asks you to log in, but for Tuesday through Sunday you’re never asked to log back in. “Awesome!!!1!1!!” you tweet (I forgot to mention you’re a Ruby programmer who works on a Mac and lives in San Francisco)

Little do you know though that all the while you’ve been doing this, GOOD has been storing the following string of characters in a cookie on your computer

“username=rubyrules&password=ILoveMyMaC”

So from Tuesday through Sunday when you visit GOOD again, GOOD reads in those characters and says “Cmon in partner!” (GOOD is run by wranglers in Texas) and you’re automatically logged in.

Well, some time goes by and then one day Apple releases the iAMGrate, a food grater with an AM radio built in (Man Apple is cool, what will they think of next)

http://caphrim.net/tim/wp-content/uploads/2010/03/grater.png

You’re so in shock by the extreme excellence of this product that you go scouring the web looking for articles leaking information about it. You go to site after site after site and somehow find yourself at, unbeknownst to you, a site run by supporters of the pirates.

You read through all their bogus articles mentioning how it will have a camera and a phone built into it and how it will let you update your Twitter feed in realtime, and while this is going on, this bad guy site has read the data out of your cookie and stolen your information.

A couple days later, you re-visit GOOD and find, to your great shock that you now support the pirates.

http://caphrim.net/tim/wp-content/uploads/2010/03/Screenshot-1.png

The world is over, oh woe is you.

This happens, although in a slightly more realistic way which includes your real name, address, usernames and passwords (the list goes on) all over the internet, and it’s not entirely your fault.

In this case, GOOD didn’t secure their site properly and you’re the one who got screwed.
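To make that concrete, here is an added example (not from the original post, and not any real site's code) that puts GOOD's remember-me cookie next to a safer one and audits both. The cookie names `auth` and `session`, the one-week lifetime, and the in-memory `SESSIONS` store are assumptions made for illustration.

```python
import hashlib
import secrets

# Server-side store: sha256(token) -> username (stand-in for a database).
SESSIONS = {}

def weak_remember_me(username, password):
    """What GOOD does in the story: the credentials themselves go in the cookie."""
    return f"auth=username={username}&password={password}; Max-Age=604800"

def hardened_remember_me(username):
    """Issue a random token; the cookie carries no username or password."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = username
    # HttpOnly: page scripts cannot read it. Secure: sent over HTTPS only.
    # SameSite=Lax: not attached to most cross-site requests.
    return f"session={token}; Max-Age=604800; Path=/; HttpOnly; Secure; SameSite=Lax"

def user_for_cookie(cookie_header):
    """Map a 'Cookie:' request header value back to a username, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(hashlib.sha256(value.encode()).hexdigest())
    return None

def audit_set_cookie(header):
    """Return a list of problems found in one Set-Cookie header value."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    findings = []
    value = pair.partition("=")[2].lower()
    if "password=" in value or "passwd=" in value:
        findings.append("credential stored in cookie value")
    for required in ("httponly", "secure", "samesite"):
        if required not in flags:
            findings.append(f"missing {required} attribute")
    return findings

if __name__ == "__main__":
    # Constructed sample values, taken from the story above.
    weak = weak_remember_me("rubyrules", "ILoveMyMaC")
    strong = hardened_remember_me("rubyrules")
    print(audit_set_cookie(weak))
    print(audit_set_cookie(strong))
    print(user_for_cookie(strong.split(";")[0]))
```

If the hardened cookie does leak, the site can delete one entry from `SESSIONS` to kill it, and your password was never in it to begin with.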

Extrapolate this out. Be creative! Anything you can imagine has probably been done by some fool or group of fools who design the software that runs the websites you visit the most.

So what do I do about it

Well, since this article is about awareness, the one thing I ask that you remember is that cookies exist and they are a benign technology that can be misused.

Since you know this, try to stay away from questionable sites. If you make an effort to only visit sites that are reputable, you’ll make out just fine.

Well, what is reputable you ask? Good question. I can’t answer that, but “I’ll know it when I see it”. If I go to a website and it floods me with ads and popups and other crap, I add that to my list of sites I’ll never visit again (but which I will tell my worst enemies to visit)

I also use different web browsers depending on the benefits I see in them. Firefox has two cool extensions called Ad-block Plus and NoScript which, combined, de-fang most of the internet. They make some sites slightly un-usable, but you can tweak that to make them usable again.

Also, sometimes I just accept my fate. If a website tracks me, good for it, it’s a cost of doing business on the Internet. I can be paranoid if I want (for instance I can use Tor) or I can be aware that the Internet is scary and therefore exercise diligence and caution while I navigate it.