Domain: samy.pl
Stories and comments across the archive that link to samy.pl.
Comments · 38
-
Re:First question ...
With poisontap. You would know if you read /. more regularly, it was featured here two weeks ago. (Yes, I fully expect Cortana to eventually berate you for forgetting stuff. At least in its Jewish Mom setting)
-
Flash is only part of evercookie
Flash LSOs are only one persistence means used by the evercookie library. It also uses HTML5 localStorage, IndexedDB, pixel values in cached images, and other methods.
-
evercookie
It would be trivial to write a script that just gave you a new MAC address every hour.
You'd also have to write scripts that clear out all the stored objects used by the evercookie library. Even if you abstain from Flash, Java, and Silverlight, there are plenty of persistence mechanisms in both HTTP itself and JavaScript.
-
Re:/.ed?
Agreed! Page isn't loading, that was fast as hell.
For those looking for other resources tho, that DO load
-
Re:Laugh =)
You may be joking, but Samy isn't:
Today Amazon announced they're planning to use unmanned drones to deliver some packages to customers within five years. Cool! How fun would it be to take over drones, carrying Amazon packages or take over any other drones, and make them my little zombie drones. Awesome.
Using a Parrot AR.Drone 2, a Raspberry Pi, a USB battery, an Alfa AWUS036H wireless transmitter, aircrack-ng, node-ar-drone, node.js, and my SkyJack software, I developed a drone that flies around, seeks the wireless signal of any other drone in the area, forcefully disconnects the wireless connection of the true owner of the target drone, then authenticates with the target drone pretending to be its owner, then feeds commands to it and all other possessed zombie drones at my will.
SkyJack also works when grounded as well, no drone is necessary on your end for it to work. You can simply run it from your own Linux machine/Raspberry Pi/laptop/etc and jack drones straight out of the sky.
-
Re:one method
That still doesn't protect you. http://samy.pl/evercookie/
-
Re:Nothing new
Did they just invent ETag or what? This "feature" has been known for a few years and there are existing implementations, including this one: http://samy.pl/evercookie/ from 2010.
The wikipedia article on ETag links to a page from 2003 discussing ETag's usability for tracking.
-
Nothing new
Did they just invent ETag or what? This "feature" has been known for a few years and there are existing implementations, including this one: http://samy.pl/evercookie/ from 2010.
-
Re:Sadly true
It's not Big Brother, but when Big Brother arrives he'll have every useful intimate detail about every citizen right at his fingertips. Furthermore, cryptography is not a solution by itself.
I access Gmail, Yahoo Mail, Hotmail, and my work email through encrypted connections, and most of the transactions between those services are encrypted. So a third party snooper can't read my mail. But a corrupt employee at one of those companies, someone that hacks the web servers at one of those companies, or a corrupt government official with a warrant can get to my mail. For real privacy I need to host my own email on a secure server I alone can physically access, and only send email using encrypted messages to other people that do the same. To do that I need to set up my own email server and get everyone I want to communicate with to do the same. The former is merely tedious, the latter is effectively impossible.
By using a cell phone and keeping it on so my family members can contact me in case of an emergency, I give my wireless carrier (and anyone unethical at the wireless carrier, or anyone that hacks into the carrier, or any corrupt government official) a long, detailed history of my travel patterns. I could avoid that by not having a wireless phone or leaving it at home most of the time, but since I have family members with potentially life-threatening medical problems I am unwilling to risk being unreachable during a crisis.
Thanks to tricks like Evercookie ( http://samy.pl/evercookie/ ), which are used by many sites, my web traffic is almost certainly tracked in a very detailed way. I can get around it, but it's a lot of work. And so few people manage it.
The cell phone can't be helped. Otherwise? I'm starting to think the best solution for tech-savvy people is just to unplug as much as possible. Google can't read the mail I send on paper over the postal service, Comcast and Amazon can't track the shopping I do with cash at a flea market.
-
Re:Delete your cookies
It's my understanding that tracking is done by cookies. I delete all cookies 2-3 times a day, and always after logging out of Google (which I rarely log in to) and Facebook. The only downside is that I have to log in again to certain sites, but that is easy because of OS X's built-in password manager.
Cookies are just the simplest way to track you. Another common way is to use DSOs (Flash storage). And there are also several other possibilities to store identifying data.
And even if you manage to block everything, your browser still sends some identifying information by default. With JavaScript, even more partially identifying information can be collected, like screen resolution, your time zone or feature tests which might identify your browser even if you send a forged HTTP User Agent line (and the very fact that your browser line doesn't fit the JavaScript results might further help with identifying you).
-
Re:We found your privacy feature inconvenient.
The retarded part of this whole thing is that Apple's Safari was allowing 3rd party cookies AT ALL when 3rd party cookies are disabled. Remember, Apple sells ads on its platforms too. Now, it's QUITE simple to detect if any action actually came from a user initiated event. This is how most pop-up blockers have worked since 2000, including the ones built into our browsers. The JS that creates a new window/tab is blocked unless the JavaScript is executed as the result of actual user interaction... Point being: Apple knows how to detect if it's a user action or not.
Additionally, when I was testing Safari a few years ago, any cookie that was already set would keep being sent to the server even after you disabled all cookies -- That option just disabled "new" cookies from being created. The old ones were still sent, not sure if this is still the behaviour because I stopped using their systems when their systems lied to -- or, at best, misled -- their users. Their settings have always been specious. Apple doesn't have a good track record when it comes to cookies.
The fact that Safari assumed that form submittal was a user initiated event is a big problem here too. This "invisible form" submission is how we did "Ajax" like Web2.0 features before XML HTTP Request objects were around. JS populates a form in a hidden iframe, submits, then the JS on the page, or in the iframe from the server, changes the main page without reloading it. If Safari is confusing this with a user action, I'd be calling Apple programmers on the carpet, "Did you do this?!? BAD CodeMonkey! BAD! No Banana, or APPL!" (it's actually difficult for me to believe this isn't Apple's intended design)
Don't get me wrong, I hate tracking more than the next guy, and instead prefer content based relevancy, but many users have Opted In to the Google Ad network. It's getting harder to opt out of parts of it w/ their new privacy policy. I keep separate accounts for G+, Gmail & Youtube because I don't want an action on one to ban me from the other. Point being, if you're logged in, you've logged in, and you agreed that it's fine for Google to target ads at you. They can't very well give you targeted ads in exchange for your privacy if they can't see if you're logged in or not via cookie...
I don't blame just Google for finding a way to get opted-in Safari users the content they opted-in to, even if it's ads. I also blame Apple for saying "3rd party cookies are disabled", when in reality, 3rd party cookies ARE SLIGHTLY DISABLED, unless you interact with the Ad, or we think you might have done so... You know, because We (Apple) also want to use those 3rd party cookies.
Here's an idea: SAFARI SHOULD BLOCK ALL 3RD PARTY COOKIES [PERIOD]! Otherwise, the "Block 3rd party Cookies" option actually doesn't.
Cookies are the easy-mode tracking channel. Many other methods exist. Hell, Mozilla removed the UI for 3rd party cookie disabling since it was so damn easy to work around. Had to use about:config for a while there, but now Firefox has the 3rd party cookies UI again. At the very base layer your IP address and time stamps are all the ad networks need. Blacklist the sites. Some Ad-block extensions actually make a request before not displaying the content -- Mission Failed.
Posted to remove a bad mod... figured I'd contribute in the process.
-
Make your own supercookie
This reminded me of an old Slashdot article about Evercookie http://samy.pl/evercookie/
-
Re:Javascript tracking? lol
I use the "Modify Headers" firefox add-on to filter the If-Match, If-None-Match, If-Modified-Since etc. headers, because they can all be used to store cookie-like bits of data. This has been known about for a while.
The documentation for evercookie lists the methods it uses for tracking: http://samy.pl/evercookie/
But most of all, Samy is my hero.
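The ETag channel the two comments above describe (the "Nothing new" post and the header-filtering add-on), as an added model that is not code from the page, from evercookie, or from any add-on: a server that issues one ETag per unknown client and recognises the client that echoes it back in If-None-Match, beside a client that can strip the conditional header the way the commenter's filter does. The identifiers, the URL and the simplified cache behaviour are constructed assumptions.

```javascript
// Added example, not from the page or from any add-on: a model of the ETag
// tracking channel, with a server that issues one ETag per unknown client and
// recognises clients that echo it in If-None-Match, and a client that can
// strip the conditional header. Identifiers and the URL are constructed.

// Server side. A normal origin answers 304 when the echoed ETag matches the
// current resource; a tracker abuses this by making the ETag a client id.
function makeTrackingServer() {
  let nextId = 1000;
  return function handle(reqHeaders) {
    const echoed = reqHeaders['if-none-match'];
    if (echoed) {
      // Known client: "Not Modified", and the id is recovered without cookies.
      return { status: 304, headers: { etag: echoed }, clientId: echoed.replace(/"/g, '') };
    }
    const etag = `"c${nextId++}"`;
    return { status: 200, headers: { etag }, clientId: etag.replace(/"/g, '') };
  };
}

// Client side: a minimal cache that remembers the ETag per URL and, like a
// browser revalidating a cached response, sends it back as If-None-Match.
// stripConditional models a header-filtering add-on.
function makeClient(server, { stripConditional = false } = {}) {
  const cache = new Map(); // url -> etag
  return {
    fetch(url) {
      const headers = {};
      if (cache.has(url) && !stripConditional) headers['if-none-match'] = cache.get(url);
      const res = server(headers);
      if (res.headers.etag) cache.set(url, res.headers.etag);
      return res;
    },
    clearCache() { cache.clear(); },
  };
}

// Three visits: initial, revisit, revisit after clearing the cache.
// Returns the id the server associates with each visit.
function visits(stripConditional) {
  const server = makeTrackingServer();
  const client = makeClient(server, { stripConditional });
  const url = '/pixel.gif'; // constructed tracking resource
  const ids = [];
  ids.push(client.fetch(url).clientId);
  ids.push(client.fetch(url).clientId);
  client.clearCache();
  ids.push(client.fetch(url).clientId);
  return ids;
}

console.log(visits(false)); // [ 'c1000', 'c1000', 'c1001' ]: id survives until the cache is cleared
console.log(visits(true));  // [ 'c1000', 'c1001', 'c1002' ]: stripped header, new id each visit
```

No cookie is involved at any point, which is why clearing cookies alone leaves the identifier in place; only clearing the cache or never sending the conditional header breaks the link, at the cost of losing cache revalidation for that resource.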
-
Evercookie also has this
Evercookie
Isn't it wonderful? Posting this in hopes that those who create the browsers read it (again).
All of those things should be capable of being cleared by a user from the options menu.
It might not be a large size, but multiplied a 1000+ times, it starts to gain size. As more and more storage methods get added to web browsers, there NEEDS to be a decent file manager for them.
It is simply shocking that there are no decent methods of accessing this data without having to go through a hell of a time with extensions and various external readers to even get to them.
I know the File API is being worked on just now, but it can't be stressed enough that there needs to be better access to stored files from websites.
Every browser should have a Files page in their options, with access to all content saved by sites, in exactly the same way that cookies have been since as long as I can remember.
If you guys seriously expect the web-as-an-app age to take off, THIS IS A MUST.
-
Can't be dodged by the lay man
Taking a quick look at the JavaScript they use there doesn't appear to be anything particularly unusual going on such as browser fingerprinting, or even as encompassing as evercookie which can be easily defeated using built in browser options. The only thing that seems different about it is that it attempts to use more storage techniques than other tracking services, browser local storage, e-tag tracking, and ie userdata storage in addition to the common browser and flash cookies. To say that it "can't be dodged", while possibly true for the average user, doesn't hold for anyone who knows how to configure their browser for greater privacy.
-
Re:Question...
Google did make it publicly available, but that's not what they got sued for AFAIK.
-
They aren't just doing it with street view cars
I don't think this activity is limited to 'street view' cars - I don't live in a country where there are any roaming the city at all, yet every mac address for all the access points I own can be located by entering them in to sites like: http://samy.pl/androidmap/index.php
I would assume Android is the culprit here. I expect Google buried some lawyer speak deep in an EULA making this activity perfectly legal. I'm not okay with it though.
-
One down, ten more to go..
Evercookie supports over ten different data storage mechanisms, and if it finds valid data in just one of them, it re-replicates the cookie to the other storage methods.
Of course, being able to delete Flash cookies more easily is still a very much welcome improvement.
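The re-replication the comment above describes, and the earlier point (under "evercookie") that cleanup scripts have to cover every store the library uses, as an added in-memory model that is not evercookie's own code: one identifier mirrored across several stand-in stores, a tracker that restores it from any surviving copy on the next visit, and a partial cleanup beside a complete one. The store names, the identifier and the Map-based stores are constructed assumptions.

```javascript
// Added example, not evercookie's own code: an in-memory model of a tracker
// that mirrors one identifier across several client-side stores and restores
// it from any surviving copy, next to a partial and a complete cleanup.
// Store names and the identifier are constructed for the demonstration.

const KEY = 'uid';
const MECHANISMS = ['cookie', 'localStorage', 'indexedDB', 'pngCache', 'flashLSO', 'etagCache'];

// Each mechanism is a Map standing in for a real browser store.
function makeStores(names = MECHANISMS) {
  const stores = {};
  for (const n of names) stores[n] = new Map();
  return stores;
}

// Tracker: write the identifier into every mechanism.
function replicate(stores, id) {
  for (const s of Object.values(stores)) s.set(KEY, id);
}

// Tracker, on each visit: find any surviving copy and rewrite the rest from it.
// Returns the recovered id, or null when every store is empty.
function rediscover(stores) {
  for (const s of Object.values(stores)) {
    if (s.has(KEY)) {
      const id = s.get(KEY);
      replicate(stores, id);
      return id;
    }
  }
  return null;
}

// Defender: which mechanisms still hold tracker data? An audit to run before
// and after a cleanup.
function occupied(stores) {
  return Object.keys(stores).filter(n => stores[n].has(KEY));
}

function clearSome(stores, names) {
  for (const n of names) stores[n].clear();
}

function clearAll(stores) {
  for (const s of Object.values(stores)) s.clear();
}

// Scenario 1: the user clears cookies and Flash LSOs, then revisits the site.
function scenarioPartialClear() {
  const stores = makeStores();
  replicate(stores, 'id-34452062'); // constructed id
  clearSome(stores, ['cookie', 'flashLSO']);
  const beforeVisit = occupied(stores).length; // 4 mechanisms still hold it
  const recovered = rediscover(stores);        // next page load
  const afterVisit = occupied(stores).length;  // back to all 6
  return { recovered, beforeVisit, afterVisit };
}

// Scenario 2: every mechanism is cleared before the revisit.
function scenarioFullClear() {
  const stores = makeStores();
  replicate(stores, 'id-34452062');
  clearAll(stores);
  return { recovered: rediscover(stores), afterVisit: occupied(stores).length };
}

console.log(scenarioPartialClear()); // recovered 'id-34452062', 4 -> 6 stores
console.log(scenarioFullClear());    // recovered null, 0 stores
```

The audit function is the part worth keeping: whatever a cleanup tool claims, checking which stores still hold data after it runs is the only way to know the identifier cannot be regrown.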
-
And what about evercookie?
http://en.wikipedia.org/wiki/Evercookie
http://samy.pl/evercookie/
Evercookie is unstoppable, irrevocable, undeleteable, and it represents a new trend. When are Google and Microsoft going to do something about this? Or do they and others conspire to use this evil mega cookie to track us?
-
That was Interesting
I was interested in what you said and that site is http://samy.pl/androidmap/ and it was interesting, my wireless router was in Google's database. Can't say I was happy to have it mapped. But what can you expect from wireless. Guess I will just keep changing the MAC address, or spoof it.
-
Re:To unclear
On the other hand, there is a website known where you can enter the MAC address of a router, and it will give you the location of that router, based on data on Google's servers.
Is that this site? I'm sure there are more, but this one only took about a minute to find (via Google of course):
http://www.samy.pl/mapxss/
-
Re:Not so similar
Then why can I type in the BSSID (MAC address) of my WiFi router into http://samy.pl/androidmap/ and via google it will tell me exactly where it is?
Out of curiosity I just tried what you just said. It showed me the location I was in over 3 months ago in a totally different city to the one I live in. I have since a) connected to over 5 different wifi points, b) been back to that city twice (however it showed me at the hotel I was at 3 months ago). I'm not overly concerned about that form of tracking.
-
Re:Android
No, Android stores the last 50 unique cell-derived locations (in cache.cell) and the last 200 unique wifi-derived locations (in cache.wifi). In other words, the file /is/ truncated, but based on quantity of data rather than age/time. Apple's logfile is not truncated, whether by design or programming error. Conversely, Apple's log remains on the device only for Core Location caching; it's stored in iPhone backups, but isn't ever sent back to the mothership (at least so far as anyone has been able to tell). Google truncates the log, but does send the data when you hit a WiFi point and have a GPS signal; they use this to update their WiFi location database for GPS assist, as they use their own service rather than Skyhook. (If your base station advertises itself, open or otherwise, go to http://samy.pl/androidmap/ and enter your local router's MAC address; you can see where Google thinks that base station is, based on how Android devices have paired your station to their GPS data.)
-
Re:Wrong Solution
While you have a good point, that solution already never worked.
This is the 2nd attempt to prevent them from abusing local storage.
They should have extended it to all local storage.
While most browsers say "hey, this site wants to store some files on your computer, yay or nay?", it might get changed sometime in the future as more sites take up use of local storage since it is a valuable resource and will help greatly in the coming years to enhance the web, but also use it as another tracking method. I'm sure everyone remembers Samy's Evercookie
The one I left on there months ago (on purpose) is still there. This demonstrates a major failing in options by browsers in what it lets you control.
Every browser should have a well-polished local storage manager (if only for the stuff that works just now) so you can easily change everything for all sites.
And by local storage, that means every single thing that any URI can modify on your computer, including historical records, address history, cache, etc. (even a history of where files were saved to by what website, most only record where things are saved to)
There needs to be better control on such things as it will grow larger as the years grow, and then it will lead to one hell of a mess.
-
It all depends on your threat model...
If you think the NSA is surveilling you, they are. If you're concerned about that, I don't have much to say but use cash, avoid tech, and good luck. If you don't want local people snooping your wi-fi transmissions, don't use wi-fi. Or at least use WPA2 and https. A VPN, secure proxy, or SSH tunnel would be a good thing. But unless you have a device with an editable wi-fi MAC address, don't use wi-fi. The MAC address is always plain text no matter what you do to secure your session data. So you can be tracked across time and space by your MAC address. If you don't want your ISP snooping on you, use a VPN, secure proxy, or SSH tunnel (of course then you have to have some trust in the endpoint). You could use Tor, but that's slow. It's a trade-off between how involved you are willing for the precautions to be, and what ease you want in using modern technology. Make sure your DNS requests are routed through the proxy, or your ISP will still know what sites you visited, and when. If you're concerned about the advertising-analytics-social ecosystem tracking you (who isn't?), there are a lot of things you need to do. Keep your browsers clean of cookies (of all kinds: http://samy.pl/evercookie), cache, and history. Change your IP address frequently. Use Tor as much as practical. Use multiple browsers over multiple VPNs, secure proxies, and/or SSH tunnels. Keep browser configs as standard as possible with respect to things that can be detected by a remote web site (Flash, Silverlight, Java, internet plug-ins, fonts, etc). Use multiple physical or Virtual Machines to diversify your accesses. Keep each physical or VM as standard as possible to reduce the bits of entropy that its device fingerprint betrays (https://panopticlick.eff.org/). Browsing on an iPhone is better than browsing on a desktop with unique add-ons, for example. Actively block tracking servers and domains with your hosts file, DNS service, browser add-ons, etc. 
Yes, we need a good law to make privacy rights fundamental, protected, and with enforcement teeth. But we also know there will always be bad actors who will ignore or work around the law. Bottom line? Do more to protect yourself than you think you need to, then do some more. Defense in depth. Diversification across services, accounts, connections, browsers, machines, etc. And always practice good security, even if you're in a situation where you don't think you have to.
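The "bits of entropy that its device fingerprint betrays" in the comment above, worked through as an added example that is not code from the page or from Panopticlick: the surprisal of one attribute value is -log2 of its frequency in a population, so a common value (stock fonts, a mass-market phone) reveals little and a rare one reveals a lot, which is the reason the commenter recommends keeping configurations standard. The eight-profile population, the attribute names and the values are constructed for the demonstration.

```javascript
// Added example, not from the page or from Panopticlick: how many bits a
// fingerprint attribute reveals, as surprisal -log2(p) over a constructed
// population of browser profiles.

const POPULATION = [ // constructed sample of eight browser profiles
  { ua: 'Mobile-A',  tz: -8, screen: '390x844',   fonts: 'stock' },
  { ua: 'Mobile-A',  tz: -5, screen: '390x844',   fonts: 'stock' },
  { ua: 'Mobile-A',  tz: -8, screen: '390x844',   fonts: 'stock' },
  { ua: 'Mobile-A',  tz: 0,  screen: '390x844',   fonts: 'stock' },
  { ua: 'Desktop-B', tz: -8, screen: '1920x1080', fonts: 'stock' },
  { ua: 'Desktop-B', tz: -5, screen: '1920x1080', fonts: 'stock' },
  { ua: 'Desktop-B', tz: -8, screen: '2560x1440', fonts: 'stock' },
  { ua: 'Desktop-B', tz: 0,  screen: '1920x1080', fonts: 'custom-42' },
];

// Bits revealed by observing attr === value: -log2(fraction of the population
// sharing that value). 1 bit halves the candidate set, 3 bits cut it by 8.
function surprisalBits(population, attr, value) {
  const n = population.filter(p => p[attr] === value).length;
  if (n === 0) throw new Error(`value ${value} not present for ${attr}`);
  return Math.log2(population.length / n);
}

// Sum over attributes under an independence assumption. This is an upper
// bound: attributes correlate (screen size follows device type), so the
// sum can exceed what the exact match below shows.
function fingerprintBits(population, profile) {
  return Object.keys(profile).reduce(
    (sum, attr) => sum + surprisalBits(population, attr, profile[attr]), 0);
}

// The exact measure: how many profiles match on every observed attribute.
function matchingProfiles(population, profile) {
  return population.filter(p =>
    Object.keys(profile).every(k => p[k] === profile[k])).length;
}

// Bits saved by moving one attribute from a rare value to the common one,
// e.g. replacing a custom font set with the stock one.
function standardizationGain(population, attr, rareValue, commonValue) {
  return surprisalBits(population, attr, rareValue) - surprisalBits(population, attr, commonValue);
}

const phone = { ua: 'Mobile-A', tz: -8, screen: '390x844' };
console.log(fingerprintBits(POPULATION, phone));            // 3 (independence bound)
console.log(matchingProfiles(POPULATION, phone));           // 2 of 8, i.e. really 2 bits
console.log(surprisalBits(POPULATION, 'fonts', 'custom-42')); // 3: the custom font set alone singles one profile out
console.log(standardizationGain(POPULATION, 'fonts', 'custom-42', 'stock').toFixed(2)); // ~2.81 bits saved
```

The gap between the independence sum and the exact match count is the usual caveat with published entropy figures: they are additive only when the attributes are independent, which device attributes rarely are.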
-
Do it from Javascript
You know, assuming Javascript engines in web browsers use the FPU to do floating point math operations, you could roughly categorize what hardware visitors to your website use.
And/or you could run a JS benchmark, and on the server side have baseline benchmark results for different web browsers and web browser versions on known hardware configurations - and then use that to deduce the user's clock speed. That is assuming that they aren't running anything else at the same time, but 99% of the time desktop systems are idle. You could do a run of 5 benchmarks over a period of say 30 seconds and throw out the outliers.
Of course you could combine this with the kind of stuff Panopticlick does, like detect the screen size, time zone, flash variables etc. For extra evil points, combine it with Samy Kamkar's evercookie.
-
His location attack...
Was not XSS, but based on insecure session ID generation. http://samy.pl/phpwn
-
That won't work
How does that prevent HTML5 local storage? How about the BrowserHistory storage? (e.g. domain/path/unique/1st-byte, domain/path/unique/2nd-byte, etc.) And CSS history storage? The most ingenious method is PNG RGB value storage! You block all images too?
I use NoScript (but I still temp-allow the primary site, otherwise why browse at all), CookieMonster in whitelist-only mode, and BetterPrivacy to delete flash LSOs on startup and shutdown. This still does not prevent the Ever Cookie.
Did anyone here read the original documentation?
-
Article is complete FUD
The article is nonsense. Every privacy problem mentioned either doesn't exist or predates HTML5. Every browser has a security team that carefully reviews any new features for privacy breaches and reports problems back to the standards bodies before implementation. Everyone involved in web standards is well aware of all of these issues and tries to head them off at the pass. No website can read another website's data, none can store things without the user's permission, and nothing stops users from clearing all private data at any time.
Let's look at this systematically. First of all:
The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user’s hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data. That could include a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.
Web Storage, Web SQL Database, and IndexedDB are three of the standards commonly lumped in with HTML5, and all of them do indeed allow larger amounts of data to be stored client-side than ever before. What the article doesn't mention is it's only available to the site that stored it, and users can clear it as easily as cookies. It poses absolutely no privacy threat beyond cookies: if a server wants to store data on your computer, it can already just store it on the server and store a short identifying key as the cookie.
What the unnamed "experts" here say is therefore crazy. Nothing in HTML allows advertisers to see your location or time zone without your consent, let alone shopping cart contents or e-mail. Since the article doesn't deign to specify what HTML5 technologies are supposed to be able to do this magic, I can't refute it beyond saying it's just nonsense.
The new Web language “gives trackers one more bucket to put tracking information into,” said Hakon Wium Lie, the chief technology officer at Opera, a browser company.
Håkon knows what he's talking about – he's a notable figure in the web standards community, editing such high-profile standards as CSS 2.1. But look at what he says carefully: trackers get "one more bucket". One more just like all the others, which can be controlled and cleared along with all the others, thus no greater privacy risk. I'd bet good money that this quote of his is taken completely out of context, and that he was dismissing the reporter's fearmongering.
Then there's mention of evercookie. But nothing that evercookie does relies on any HTML5 feature. Yes, it stores things in four different types of HTML5 storage, but again, those are cleared just like cookies. Try it yourself: create an evercookie on that page, clear your cookies from your browser's menus, and then click to rediscover cookies. You'll see that the four HTML5 methods (localData, globalData, sessionData, dbData) are all cleared too.
(There is one other mention of HTML5 on evercookie's page, but it's a red herring. The pngData mechanism uses HTML5 canvas, but if you look at how it works, it would work just as easily by storing a JavaScript file or even a plain text file, and retrieving it via <script> or XMLHttpRequest.)
It's worth emphasizing, by the way, that using your browser's "private browsing mode" (whatever it's called) will completely defeat evercookie. So this is not some earth-shattering problem that no one's thought of.
The article goes on:
Each browser has different privacy settin
-
Re:Sound advice
Evercookie must die!
-
Re:Remember?
Again, no other possible way to do it without cookies.
Good.
Well, actually there are other ways to do it like putting that information in the URL, or hidden form elements, or http://samy.pl/evercookie/...
Here is what evercookie tells me when I go there...
Cookie found: id = 34452062
cookieData mechanism: 34452062
localData mechanism: 34452062
globalData mechanism: undefined
sessionData mechanism: 34452062
historyData mechanism: undefined
dbData mechanism: 34452062
pngData mechanism: 23235035
lsoData mechanism: 34452062
Interesting to note that on my system the pngData doesn't match the rest. Perhaps that's because I am using OS X with Safari and ColorSync.
-
Re:RGB values of auto-generated...
You might want to check for prior art.
-
Re:Not hard to beat at first glance.
Failed for me too.
The text displayed, an error was generated, then "The page cannot be displayed"
Internet Explorer cannot open the Internet site http://samy.pl/evercookie/. Operation aborted
-
Re:Not completely accurate
Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.
Should I be worried that Google knows the correct location for a new WAP which I just turned on about a month ago in a small po-dunk town in the middle of nowhere?
I mean seriously--the town has a population of approximately 10,000. It's hardly Austin or New York. Maybe I just timed it correctly.
-
Not completely accurate
Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.
-
Re:Is there an IRC chat bot?
http://samy.pl/mvsbot.pl A markov chain-based unintelligent chatterbot. I run a modified version of the above bot on certain popular networks. With automated replies to anyone who PMs it (simple enough to do, the linked bot is public only), it's awesome bait with a feminine nick and an automated "18/f/cali" reply to "ASL?" Make sure you "teach" it a bit first before unleashing upon the deranged masses.
-
Re:He wouldn't have been caught...
Judging from his personal website, I'd say that he would know how to stay anonymous if he chose to. He didn't even think that it would cause trouble:
I have hit 1,000,000+ users. In less than 20 hours, I've hit over 1/35th of all myspace users. Every request is from a unique, living, and logged in user. I refresh once more and now see nothing but a message that my profile is down for maintenance. I messed up, didn't I. I'm now more afraid and decide I am never doing anything even near illegal ever again. To get my mind off of everything, I begin downloading a copy of the latest Nip/Tuck episode. 1 hour later, 7:05 pm: A friend tells me that they can't see their profile. Or anyone else's profile. Or any bulletin boards. Or any groups. Or their friends requests. Or their friends. Nothing on myspace works. Messages are everywhere stating that myspace is down for maintenance and that the entire myspace crew is there working on it. I ponder whether I should drive over to their office and apologize. Another attempt to free my mind of worry, I go back to watching some episodes of The OC which I downloaded a few days earlier. File sharing rocks. 2.5 hours later, 9:30 pm: I'm told that everything on myspace seems to be working again. My girlfriend's profile, along with many, many others, still say "samy is my hero", however the actual self-propagating program is gone. I'm relieved that it's back up as they can't claim damages for any downtime past this second if everything is in fact working properly. 10 minutes later, 9:40 pm: I haven't heard from anyone at myspace or FOX. A few minutes later, my girlfriend calls, I pick up, and she says to me, "you're my hero". I don't actually get it until about three hours later.
-
Perl code
Samy, the guy involved with the MySpace worm, wrote some Perl to do this a while ago:
http://samy.pl/chownat/