Lockergnome Sowing FUD
I regularly read various IT-related newsletters published by Lockergnome. Normally I’d recommend them as a great place for both newbies and experienced folks alike to keep abreast of technology and trends.
Unfortunately, since they’ve changed their site and the way they generate their content, their editorial ability seems to be lacking. I just read the January 8 issue of the IT Professional newsletter and found an article someone submitted regarding computer and network security (SECURITY: Feasibility Of Standards).
I tried to write in to the author of the article, but his mail server seems to be down (or he provided a bad email address on his web site). So I wrote in to the content editor (or supposed content editor) of the newsletter.
So we’re on the same page, let me paste in what I read him as saying:
1) Is Your Browser Set To Allow Cookies? Why? Well, gee, if I go to this game site, they automatically plug in my username and password. Very nice. I hope you know better than to believe that cookies only do this! There ARE good cookies, and most of them are time savers. But most are either nothing special or downright miserable!
Yeah, eventually. When you need to reboot and strange things start to happen!
The web has become a much more accessible platform for application development and delivery than it was even a few years ago. Being a web developer by trade for almost 8 years now (and an application developer for much longer than that), I’ve followed these developments with eagerness and anticipation of the next huge development to come around (and when it does, making use of it).
Unfortunately, what I’ve found is that there seem to be two types of people when it comes to the web being an application platform: the paranoid, who seem to sow fear, uncertainty, and doubt when it comes to the web; and the open-minded, who are probably a bit too liberal when it comes to how they work within the web. I’ll admit I tend toward the liberal side, and normally I let things like this slide by, but when someone makes pretty bold statements like this in a forum like Lockergnome that newbies trust, I have to take issue. Let’s look at each of the statements in turn.
Howie says that most cookies are “nothing special or downright miserable.” He also gives the impression (though it’s not directly said) that all the good cookies do is fill in your name on a form. I know that he, with the experience he claims on his PuterGeek site, is smarter than that, but the newbies out there reading your stuff don’t have the context the more experienced folks have. Cookies, in many cases nowadays, are what make web applications function - period. Because of the stateless nature of the web, you often can’t write a robust application without assuming some sort of state maintenance. Can you get around that? Sometimes, using hidden form fields and so on. What about disconnected or mobile users? That gets more tricky.
He also makes the statement that he “hope[s] [the reader] know[s] better than to believe cookies only” fill in forms. Sure they do. In the context of his statement, though, he makes it sound like they primarily have malicious abilities beyond the filling-in-of-forms. That’s a problem, especially when you start reaching audiences like less-than-educated network admins (like I had at a company I used to work for) who start filtering cookies out at the proxy level because they believe they’re huge security risks.
I guess my thought is that when talking about security and cookies, it’s necessary to tell people that cookies may potentially be used to TRACK you, but they can’t siphon information out of your computer like your name or email address. They can’t steal anything that you didn’t provide in the first place. I still talk to users who think cookies can magically figure out your credit card information. Reading a statement like his, implying that cookies should probably be disabled entirely, only contributes to that mindset, and I think that’s not such a Good Thing.
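To make the two points above concrete (cookies as the state layer over stateless requests, and a cookie carrying nothing the user didn’t hand over), here is an added example that is not from this post or the Lockergnome article: a toy server handler and a toy browser cookie jar. All names (`handle_request`, `CookieJar`, the `sid` cookie, the hostnames) are hypothetical.

```python
# Added example: session state via an opaque cookie over stateless requests,
# and the browser rule that a cookie goes back only to the host that set it.
import secrets

SESSIONS = {}  # server-side store: opaque session id -> per-user state

def handle_request(host, cookies, form=None):
    """Stateless handler: the only continuity between calls is the cookie."""
    sid = cookies.get("sid")
    if sid not in SESSIONS:
        sid = secrets.token_hex(16)          # random id, derived from no user data
        SESSIONS[sid] = {"visits": 0, "user": None}
    state = SESSIONS[sid]
    state["visits"] += 1
    if form and "user" in form:
        state["user"] = form["user"]         # only what the user actually submitted
    # The Set-Cookie value is just the opaque id; the real state stays server-side.
    return {"set_cookie": ("sid", sid), "visits": state["visits"], "user": state["user"]}

class CookieJar:
    """Browser-side jar: cookies are keyed by the host that set them."""
    def __init__(self):
        self.store = {}

    def cookies_for(self, host):
        # A host only ever sees the cookies it set itself.
        return dict(self.store.get(host, {}))

    def absorb(self, host, response):
        name, value = response["set_cookie"]
        self.store.setdefault(host, {})[name] = value

def browse(jar, host, form=None):
    """One request/response round trip through the jar."""
    resp = handle_request(host, jar.cookies_for(host), form)
    jar.absorb(host, resp)
    return resp

def demo():
    jar = CookieJar()
    r1 = browse(jar, "game.example")                        # first visit, new session
    r2 = browse(jar, "game.example", form={"user": "tom"})  # user submits a form
    r3 = browse(jar, "game.example")                        # state survives the reload
    r_other = browse(jar, "tracker.example")                # different host, no shared cookie
    return r1, r2, r3, r_other, jar
```

Run `demo()`: the third visit to `game.example` still knows the submitted user, the second host starts from scratch, and the cookie value itself never contains the user’s data.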
I’m sorry if I seem to have run off at the virtual mouth here. I just find that, as I develop applications of my own and support both customers internal and external to my company, I run into people who call me up and complain that applications aren’t as “dynamic” or “functional” as they could be (or USED to be) and it always turns out they read an article like this and decided it was a great idea to disable scripting, cookies, and any other dynamic behaviors. I don’t think disabling the technology entirely is the key - I think it’s knowing who to trust and working accordingly. And that’s the point I feel was missing from the whole thing.
Thanks for your time, -T