NYTimes web cookies

It doesn't check the PW or ID at all except the first time you log in. After that it generates a new cookie titled NPLCNYT and that is the only cookie it checks; the PW and ID are not required to be there at all. If you delete the NPLCNYT cookie, it will check the PW/ID and generate a new one. An example cookie is below:

NPLCNYT=AAAALw>AAAAAX9IUUWiPhfALqHZuSh2mUM0yzNOwGRReAAAAAsAAAAAY3lwaGVycHVua3M> ^^^^^^^^^^^^^^^^^^^^^^|||||#####

The characters marked ^^^ appear to be random, and change every time a new cookie is generated. The ones marked ##### appear to encode the originating IP address, and ||||| appears to be date/time. The rest don't seem to change (tho I only tried ID=cypherpunks PW=cypherpunks).

The server will still accept the cookie if your IP address changes.

There does seem to be some sort of checksum on the data. While the relatively small area it uses to store the time and IP address wouldn't seem to leave much room for this, I wasn't able to find a spoofed cookie that it would accept - perhaps the checksum is included in the 'random' part.

ghio@temp0199.myriad.ml.org (Matthew Ghio) wrote:
I put this wafer in my junkbuster-configfile and disabled all other cookies, and NYTimes let me in without asking for a password, but after I read a few articles, the site started behaving strangely, where the server would seem to hang on certain pages, taking forever to send the html. Interesting though. Maybe we should hold a cypherpunks 'potluck' where everyone trades cookies. :)

nobody@REPLAY.COM (Anonymous) writes:
I played around with nytimes.com some more and I'm certain that it does check for the presence of the ID= in the cookie (but not the value). Apparently the following 2 are necessary and sufficient:

NPLCNYT=(whatever it tried to set it to)
ID=(anything; I used ID=0 to save bandwidth)

With ID=0, it says "welcome, 0" on the first page and I see no problems.
Interesting though. Maybe we should hold a cypherpunks 'potluck' where everyone trades cookies. :)
A good idea. Here are more of mine:

#.reference.com
wafer userid=cypherpunks@bwalk.dm.com
wafer passwd=cypherpunks

(I haven't been able to register cypherpunks@algebra.com on reference.com)

# amazon.com cypherpunks@algebra.com cypherpunks
wafer group_discount_cookie=F
wafer session-id=1451-4798095-404463
wafer session-id-time=886320000
wafer ubid-main=3578-1328899-434066
wafer cf=c90fe571f7b5f873

By the way, junkbuster does NOT strip cookies in secure http. Be careful.

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
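Added example, not part of the original thread and not the site's own code: the posts above report that the session cookie is accepted on its own while the separate ID= value is never checked against it. The sketch below shows a server-side token that carries the account name under an HMAC and rejects a mismatched ID; the key handling, field layout and one-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SECRET = os.urandom(32)  # server-side MAC key (constructed for this example)
MAX_AGE = 3600           # assumed token lifetime in seconds

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id: str, now: Optional[float] = None) -> str:
    """Payload is nonce(8) | issue time(8) | user id, followed by an HMAC tag."""
    issued = int(time.time() if now is None else now)
    payload = os.urandom(8) + struct.pack(">Q", issued) + user_id.encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify(token: str, claimed_id: Optional[str] = None,
           now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated user id, or None if the cookie is rejected."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if len(payload) < 16 or not hmac.compare_digest(tag, expected):
        return None
    issued = struct.unpack(">Q", payload[8:16])[0]
    current = time.time() if now is None else now
    if not 0 <= current - issued <= MAX_AGE:
        return None  # expired, or issue time lies in the future
    user_id = payload[16:].decode()
    # A separate ID= cookie is only a hint: it must match the signed value.
    if claimed_id is not None and claimed_id != user_id:
        return None
    return user_id

if __name__ == "__main__":
    cookie = issue("cypherpunks")
    print(verify(cookie, "cypherpunks"))  # accepted
    print(verify(cookie, "0"))            # rejected: ID= does not match
```

Because the account name is inside the MAC'd payload, the greeting and any authorization decision come from the verified value rather than from a client-supplied ID= field.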

Anonymous wrote:
| Interesting though. Maybe we should hold a cypherpunks 'potluck' where
| everyone trades cookies. :)

.nytimes.com TRUE / FALSE 946684173 RDB C802002E1B000055 5301026495323B0100000000000000

Anyone figured out how to get Amazon's Group-discount cookie to set to true? :)

Incidentally, I edit my file something between daily and weekly, in the hopes of generating bizarre and worthless data for them. I also spend time clicking random links while on the phone to help fill my cookie file with junk.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

Steve Schear <schear@lvdi.net> writes:
www.wsj.com is a pay site ($49 | $29 / annum). Someone (not me) might want to post the details of their subscription so everyone else could use it; I suspect that the folks running wsj.com might object.

I messed around some more with various sites that use cookies.

1. .CNN.com wants to set the following 4 cookies for "cypherpunks cypherpunks":

PNAA=:Ypgxlx L. Egdfbd'sZAQF0: (i.e. Random Q. Hacker)
PNAB=:01884:
PNAC=:CVGTEOZRSBY:
CNN_CUSTOM=1 path=/customnews

Problem is, the last one needs the path and there's no way to fake path in junkbusters wafer. I simply put cnn.com in the cookie file momentarily, logged in to let it set the cookie, then changed it to ">cnn.com" to filter out any updates to these 4 cookies.

2. www.economist.com has a freebie "cypherpunks cypherpunks" account. The cookie is:

wafer econ-key=4GgOaV1a

Perhaps someone cares to set up a paid account for group use.

3. foxnews.com doesn't allow "cypherpunks" (too long); "cypherpunk" is already taken, and I couldn't guess the password. Would the entity responsible please set the password to what we all expect it to be. :-)

4. avweb.com (aviation site) cypherpunks cypherpunks

wafer AVweb_Auth=Y3lwaGVycHVua3M6Y3lwaGVycHVua3M=

5. .reba.com (country music) cypherpunks cypherpunks

wafer RebaNet%5FPWD=cypherpunks
wafer RebaNet%5FUID=cypherpunks

6. http://www.netstrike.com:8080/ cypherpunks cypherpunks

wafer WB-User=cypherpunks
wafer WB-Pass=cypherpunks

7. .citywire.com aka .nyrealty.com - manhattan real estate
Random Q. Hacker cypherpunks@algebra.com cypherpunks

wafer primary_nyrealtyid=Ra34cbf1b0a7d1c
wafer nyrealtyid=Ra34cbf1b0a7d1c

8. .netscape.com, .mcom.com

wafer NETSCAPE_ID=10010408,121ee744
wafer NSCP-US-DOWNLOAD=pkjbcTTL5OYAAAAAYRr3d8towI7Tj4v3nJwgig==

(Should somebody set up a cypherpunks microsoft login for downloading all the patches and bug fixes they put out?)

Given the number of these things, it seems that sending them out with every nntp request as a wafer wastes too much bandwidth. Can someone recommend a good program for editing the cookie file? I'm too lazy to write it myself.

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

participants (5)
- Adam Shostack
- dlv@bwalk.dm.com
- ghio@temp0199.myriad.ml.org
- nobody@REPLAY.COM
- Steve Schear