Slashdot Mirror
Quova Inc. Completes Trace of 4 billion IP Addresses
RatzMilk writes: "Quova Inc. claim they have completed a global scanning system [Note: first mentioned on Slashdot in July -- timothy] that pinpoints the geographic location of Internet users in real time. The information gathered is then sold as a tool called 'GeoPoint' that can be used by advertisers to better target their advertisments to people based on their location. It doesn't rely on cookies or voluntary submissions from users, instead, using a data base built by scanning every host on the Internet.
In gathering this information, they set off alarms all over the world, and yet, it seems that this is an accceptable practice in the eyes of the law. Individual people are having their computers impounded and in some cases are being incarcerated for doing the same. ...
Further details on this story can be found at Security Focus." (Sorry, but Security Focus is not designed for direct linking; click on the link that says "Scanning Mystery Solved.") [Updated 5:58 GMT by timothy] Scratch the comment about deep linking; I've restored the link RatzMilk provided, which originally brought me only "page not found" errors. Hope it works for everyone ...
Aside from the invasion of privacy issues this brings up, whats to stop an organization with the financial backing from sueing the pants off these guys?
Say for instance you're a large corporation which is very security-conscious. One dark weekend evening your border machines/firewalls/whatever sense that someone is launching a widespread scan of all your machines. Admins get paged, people come in to work, and everyone spends a few hours figuring out what the heck what happened, where the scan came from, and evaluating potential security breaches that may have resulted from this. Even after you realizing that its nothing too serious, the company has dropped a lot of time/money responding to and investigating this event.
What's to stop someone from sueing them over this? I would be surprised if someone doesn't. Hey, if people can sue because McDonald's coffee is hot and you're uncoordinated enough to spill it on yourself, anything is possible. I won't even mention the hot pickle / scalding suit...
Is that true? I have absolutely no idea how AOL's network works, but I wouldn't be surprised if by the aol IP they could narrow it down to a city.
AOL has dialup numbers just about everywhere, I always assumed that everywhere there was a little AOL building with the modems and a big fibre to Virginia. I assume for routing purposes an IP is assigned from within the little AOL building. If they figured out AOL's routing then, they could get decent resolution.
Of course, I'm talking out of my ass, and this is all speculation, but if someone knows for sure, I'd be interested in hearing it.
Just try explaining to someone in ad sales why you have no idea how long someone was reading a given web page. They will blithely ignore you and continue using Web Trends fatally-flawed heuristics for guessing "unique users" and the like, or make even sillier jumps of logic.
Never mind that the number two "entry" page to the site is in fact redirect CGI to handle a drop-down menu used for site navigation; they take this shit as gospel when it's plainly bogus.
After all, they've been using the Nielsen reports for ages and they aren't much better statistically than asking your friends what they like and guessing what the rest of the country likes.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
So now this database exists where I can get a location for these sites:
www.SIPRnet.mil >> Location: Area 51, NV
www.AlcoholicsAnonymous.org >> See www.GeorgeWBush.com
www.AOL.com >> Location: Remedial Into to Computers Course, North Virginia Community College, VA
Microsoft.com >> Location: Redmond, WA
Microsoft.com >> Location (update): US Supreme Court, DC
Microsoft.com >> Location (update1): Bangalor, India
www.whitehouse.gov >> See www.whitehouse.com
www.HotGrits.net >> Location: your pants
www.NataliePortman.org >> Location: your dreams
PenisBird.com >> See Slashdot.org
Maybe the people using the region restrictions will define an "anonymous proxy" region and deny access to it.
Guess again. I'm not even going to bother following the link--either you misinterpreted it, or they're wrong (likely the former).
You see, in the US, supreme power does not rest with the people. An example. If a majority of the US citizens of voting age wanted Bill Clinton to be president for a 3rd term, would it happen? Nope. There are restrictions on this (the constitution being the main one). Now, the US has a mechanism for changing the constitution, so we could change the constituion to allow presidents to have three consecutive terms. But doing so would change the US from a republic to a NEW republic. If Bill Clinton was then elected, he would be eligible for two further terms, since that would be his first term as president of that particular country (irrgardless of two earlier terms as president of a very similar country that occupied the same territory earlier.
So in short, the US has MAJOR checks on the exercise of democratic power, as can be seen every time a law is struck down, or a referndum is ignored. Which is why the US is not a democracy, whatever you might think.
Depends on the scale. Advertising targeted to your dialup's region will be a hell of a lot more relevant than advertising targeting Mongolia, Kazakstan or Hong Kong.
You're on a NAT, so when you send packets out to the rest of the world, instead of looking like you come from the private-network 10.* address your computer believes you have, it looks like you come from one common address Charter Cable uses in your area, which is mapped to your town, or maybe to the major city nearby. I doubt they're doing NAT on a larger scale than this, because besides being a routing bottleneck, they only have so many ports from the NAT address that they can dynamically reassign to ports of connections from your machine and those of all of your neighbors.
That is assuming that you have a MAC address... isn't that an Ethernet attribute? What if I was running IP over another medium (ATM, TokenRing, etc...)?
As many already has said here, there are a lot of reasons why this information is no more usable than what is done today.
I could mention one too, large companies where branches in different countries go through the company WAN to the HQ for internet access.
If you are lucky you can go down to country level, and that information can evnen Apache get out from fx. MSIE(you know, the LanguagePriority directive), assuming that people have set it right, but at least itdescribes their preference.
--------
Just call them repeatedly, the phone bill should bankrupt them
Nope. You cannot connect to a US Toll Free number from outside the US/Canada phone system. I'm pretty sure it works the other way too.
--
Some people have a way with words, and some people, um, thingy.
This entire thing is amazingly rediculous. It's silly that anyone is DOING this, and silly that anyone CARES they're doing this.
:-)
/. posters are having a fit about privacy (honestly, do you EVER *THINK* before having panic attacks?). I personally find all three groups quite amusing. :-)
Let's make it simple, here. They're pinging people right? Yup. I've pinged people. You've pinged people. It's a tool for figuring out if there's anything at a given address, and if it's awake. That's what it's designed for, that's what I've used it for, that's what you've used it for, and that's what they're using it for.
Now, some companies with nearly enough brains to tell whether it's raining or not by standing outside have systems that actually page the sysadmin when they get pinged. Let's all feel sorry for the sysadmins, and hope they are lucky in their search for a job at someplace with an actual functioning clue. But none of that changes anything. If I go ping yahoo (I do this several times a week, since it's a nice easy to spell and remember domain name, will always be up, and if I can't reach it it means I've got connection problmes), I'm using ping for what it's designed for. So is this company. And if anyone doesn't like it, they should go back to whatever reality they came from, 'cause this one works differently.
Same holds for traceroute too. Useful tool, being used for the purpose it was designed for.
Finally, what did the company get from all of this? A big-ass list of routers and stuff. Now if they fiddle around with nslookup, whois, dig, and so on, run a few regex searches through the list, and so on, they'll actually get some idea of what boxes are talking to what other boxes, and where they're located. Yipee. And although it's NEARLY useless for advertising, it's not COMPLETLY useless. Do a traceroute on my IP address, and you'll find fairly easily I'm PROBABLY in NZ. Or at least, the box that the IP address belongs to is in NZ, and thus I'm probably in NZ too. If some website uses this knowledge to put up a few fewer ads that are only useful to people in North America, I won't be even slightly sorry.
What does it mean for us? Nothing. Any website that wants to can record the IP of anyone who visits (which DOES effect your privacy, since *IF* your on a static IP, that child sex sting site operated by the FBI that you visited might record your IP and go talk to your ISP). Now the website has a chance of knowing the area the IP address comes from. Big deal. *THIS* doesn't effect privacy. The goverment doesn't need it, and corperations can't use it.
So to sum it all up... Some startup company is burning VC money doing something fairly silly (they'll certainly make money, but probably not enough to cover expenses). Some very silly corporations and security consultants are throwing a fit about it (do these people have NO idea how TCP/IP works?). And some silly
IMHO the database is useless. By trying to nail down IP addresses to geography they are trying to nail Jell-O to the wall. In 5 years I bet the turnover rate of IP's will be 100%.
There certainly isn't anything wrong with the scanning. After all, IP addresses are a world resource, like Electromagnetic Frequency Spectrum. Surveying it doesn't infringe on anyone... and IMHO if an admin is so upset about a simple ping or traceroute bringing down their security wall, then they've got far bigger problems.
Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
The problem here is not intrinsically that they know what state you are in. It is that e-tailers and web sites now have the power to find out, without any input on your part, where you are from. This is like, say, giving Best Buy the permission to fingerprint you every time you walk into, or even just glance in, the store.
Now, if all of us were still on dial ups, this wouldn't be such a big deal, but with the increasing number of fixed, or even semi fixed IP's, this becomes a huge privacy concern.
And how long, honestly, do you belive it will be before this company makes the leap into matching IP's to addresses. Or even to actual people. Then a web site operator will know who you are, where your from, etc, with no permission given on your part. If my viewing a web site is interpreted as tacit permission to collect personal data on me, the anonymous internet goes the way of the dodo.
The jump from there to say, someone in a black suit knocking on your door because the server logs show that you looked at...questionable information is, unfortunately, not a big one. This will happen in steps, but if we are not careful, it will happen.
I thought IP addresses were, in general, distributed geographically anyway. I get that, say, Ford Motor Company might have Class A 11.0.0.0 (or something) and their machines are all over the place, but aren't ISPs assigned IP addresses geographically? Or am I nuts?
Surely someone knows someone from this company or has the means to find this information. "Sell" their information to as many advertisers as you can find. Maybe having 20 pounds of mail delivered a day plus their phone ringing off the hook will give them some perspective.
Scary stuff! Why havn't I heard that before? I'm not up on IPv6 so I'm going to do some research to see if it really is that bad!
Comments anyone?
When it absolutely positively has to be there.
The government should not do anthing to anyone for tracerouting or pinging. There is nothing wrong with that. I use these tools often, just for curiosity.
If a computer has a web server running that allows anyone to download a webpage, it should be considered authorized use. If a computer returns my pings, that should be authorized use. These people should be allowed to ping/traceroute whoever they want, and so should I. If people don't want me to ping them, they should set up their computers not to return my pings.
I long for the old days of the internet when you weren't considered a threat if you used a ping. Now we must play dumb or be considred "hackers".
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Ennui
Ennui
"I walk in the air, between the rain, through myself an
From their website:
As someone living in British Columbia, Canada, I have been in dire need of this service. Hooray!
You can never put too much water in a nuclear reactor.
Of course he shops there, I don't think their advertisement is going to discourage him from buying their product, but they simply won't target him.
Think like a man of action, act like a man of thought.
Most large companies have private or public address space, and rely upon thier own network of leased lines to move this address space around the world. You will find that, to simplify routing, etc. most of them have only one or two gateways out to the rest of what we call the internet.
Consider the case of a big green and yellow oil company. The headquarters are in Britain, major distribution, fields, and refineries in Belgium, Russia, China, Alaska, Austral-Asia, Japan. Main internet gateway in Texas, because it's cheaper there.
Think this "geocoded IP address" company and their product know and account for this? I suspect that the folks in Japan would get a lot of Texas-oriented web content, don't you think?
*whup* "Get along, little electrons. Heeyah!"
Did someone clue these people into the fact that there *ARE* only 4 billion IP addresses, and that over 1/4 of the address space is currently unpopulated?
I don't recall for certain, but I believe that they were doing some sort of network uptime tests or something like that, and I can't remember the name of the company, but if your a sys admin, and someone is pinging one of your routers continually, you damn well better stop them, or figure out who they are before you just let it go.
What?
Some cable and DSL boxes work as routers, some as bridges, some as NAT boxes. If you're using a bridge-flavored box, it's your PC's MAC that matters. But those guys are probably not going to switch to IPv6 until Cisco and the Tier 1 ISPs make it easy, ICANN stops their current predatory pricing which is designed to prevent IPv6 adoption, and cheap DSL and cable routers support IPv6.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is great for smaller ISPs, since it allows to cover a larger area without more office space. And since people can be dialing in from further away say 100 miles or more, even if they are dialing a number which is local to them, their IP address will show that they are at the address of your ISP, (most likely obtained from a WHOIS query, this is how visual route works.. someone else already linked to it, and I don't know the address)
So, in reality, you could be getting ads localized for your ISP which could be several hundred miles away, and quite possibly do you no good, or more accurately, the advertiser no good.
What?
I'm sorry if I shocked'cha... not my fault'ough.
As i said, the whole mess wasn't really planned, nor is there any intention to deceive anyone - not even evil double-click.
It was just that we pooled proefssional resources from various countries and everyone is telecommuting. Technically we don't even have an office as such. Ain't the Net great?
Obviously we are driving government departments in several countries bananas [as we don't pay tax for the company, anywhere] and run rings around petty issues like licensing, copyright, etc.
I mean, a commercial license for a software can be shared by set number of individuals in a company - noone says that they have to all in the same building, city, country, continent [and coming soon: planet].
But then, we started this whole thing back in 1991 and then spread out, adding new people, some of which left again to do their own thing.
And by now it's next to impossible to explain just exactly what belongs to which company, who owns whom and who owes whom what.
We've been audited in two countries and the guys went nuts and gave up.
The only pitty is that when IPv6 is starting to spread, then some smart cookies will put IP and IP together and end up with maps of 'organic structures' like ours...
No sig here...
One of the nice things about OS is that someone could change things to strip out the undesirable information from packets and put in dummy stuff.
We could then decide whether to put random stuff in there or one set of information for everyone!
I wonder if anyone will?
I'll see your Constitution and raise you a Queen.
Sorry, but AOL has 14 mega-proxy servers that all web trafffic is directed to, and users are randomly switched from one to another, sometimes in the middle of a session. Ask anyone who's dealt with global ITM for a while, this is quite a headache...
Think outside the... Hey, where'd the friggin' box go?
Now we know who was online, and from where, during all of last year.. Oops! now it's out of date
This link appears to work just fine.
Does anyone know if this type of effort will be easyer with IPv6?
Free Unix? Free Windows. http://www.reactos.com
Actually, the only problem I have with this is that the database isn't open for anyone to use. I hope it someday is. I already knew that my location could be identified based on my IP address. Frankly, I wish companies would use that to automatically fill in my zip code when I visit a site, to save me the trouble. If I didn't want the company to know my zip code, I'd use anonymizer or some such proxy. The information is there. The "bad guys" are already using it. Now lets open it up to everyone so the "good guys" can use it to, and the less technical who don't want to give out the information can realize it's there in the first place. Blocking the database is merely security through obscurity.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I'd like some evidence to back their claim. First of all, 27 million AOL users will appear to be in Virginia. Secondly, I'm sure a lot of people use a ppp account on one of their colo/ISP's servers.
Sooo, more evidence please!
------------
------------
Tonight on Fox: Deadliest Executions Part XVII
Down at the bottom of the article in question, there's a bit of text that reads:
Whoops.
Date: Sun, 5 Nov 2000 22:19:32 -0800 (PST)
From: Kevin Fox
To: frezza@alum.mit.edu
Subject: IPv6 vs the Status Quo
I just finished reading your article at Internet Week and I had two comments:
First, network interface addresses aren't always hardwired, and many NICs allow you to, with the proper utility, change your 48-bit address to
anything you want.
Second, your Ethernet address is heavily used under current networks for a lot of things, and is stored in mailserver logs, correlated to email that you send out, and DHCP keeps records of Ethernet address/IP address mappings, records that could be hacked or subpoenaed to create a relatively solid link between an IP/time to an NIC.
While I agree with many points in your article, I do think the above points were worth mentioning, as omitting them gives the article an aura of "We were safe before, but with IPv6 we're all f***ed." In actuality, we're only kind of safe now, and after IPv6, we're only kind of f***ed.
Thanks,
Kevin Fox
Kevin Fox
They are talking about selling IP world maps
so lets that a picture is legal in France but not in china. They could tell you the country ip address that came from so you could block it.
Web sites that provide music, video, and other forms of content finally have an effective solution for managing content distribution. By identifying the geographical location of Web visitors in real-time, GeoPoint lets you comply with territorial restrictions on digital content. Which means that you can continue to benefit from the vast global reach of the Internet while ensuring that content is only available to users in authorized areas. It's a smart and seamless solution for adhering to today's ever-changing distribution and copyright requirements.
Comply with domestic and international distribution restrictions on Webcasts, music downloads, video clips, and other online content by limiting access from unauthorized areas.
Respect user privacy by pinpointing their location without the use of cookies, registration information, or click-stream data.
No, we live in a republic.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
so i don't even have a real ip address (sucks), and neither does anyone else on charter's cable network (at least in my area)...so i guess i'm safe
;-)
:-P
Safe from everything but your ISPs logfiles my friend
In the UK, all the free/cheap ISPs (i.e. the ones most likely to DHCP your connection rather than give a static IP) will not allow you to connect to their service if you put "141" in front of the dialled number (which is meant to protect you from call-number forwarding). This means they get to log your phone number beside the IP address they have just allocated!
I'd much rather have a static IP (which I do) on dial-up which allows me to phone up anonymously. At least then I can delay proceedings while they prove it was me on the phone
My IP is actually in one state and I am in another! woohoo! The bad thing is that the IP is in Illinois and I am in Arizona. So I may have to put up with Chicago-style ads.
Now how this work with anonymizers?
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
I DoS-ed a colleague's OmniSky by pinging him about 10 times a second with a 1k packet.
;-)
That'll teach the showoff (Hi, Mike)
On the offchance he was actually using it when Quova came knocking, he would have noticed a serious drop in bandwidth.
--
--
E_NOSIG
Who has been incarcerated for port scanning? I am not saying that it has not happened, but from everything that i have read the courts have ruledd many times that "port scanning is like ringing the doorbell at a residence to see if anybody is home." If people are being arrested for this, then that is something that we should be up in arms about.
David Dominick Security is the opiate of the masses -- twist on an old quote
You only get what LOOKS like NAT if you use their stupid proxy servers. But, disable those settings and its basically an IP just like everybody else.
i only wish i could bypass their proxy servers. in my area (a small rural state in the mid-atlantic area}, i don't think you have that option, so you either go thru their proxies (and logging, spying, etc) or have no cable modem.
Here's a good question...
If I go to your house and look at the house, is that illegal? I just matspace pinged you. Now how about if I go up and portscan your house? (Jiggle all the door handles and windows, but not enter) is that illegal? how about I go to your house and photograph every inch of the publically accessable parts and build a house like it. is that illegal? (mirroring)
I know I would be pissed if someone came over trying all my doors and windows, BUT.. if I was a place that welcomed the public in and someone jiggled all the doors and windows. they're just trying to find a way into a place where the public is welcome! (Store? go and try the door to see if they are open.)
meatspace rules should apply to cyberspace, and ERASE ALL stupid cyberspace based laws.
we have laws that apply, these un-informed officials trying to get laws passed should be required to read the laws we already have before even trying to draft a new law.
Do not look at laser with remaining good eye.
Even supposing someone at an ad agency has a clue what ARIN is or can tell how worthless this new scheme is, they'll just jump on the train. They'll buy into the database and in turn drop the same sales pitch on their customers. This makes them seem to have an advantage over competitors. In turn those competitors will buy into the service just to be keep up. Remember, crap like this looks great on promotional material and sounds even better in sales presentations.
"When it rains, it pours." --Morton's Salt
Some NIC drivers allow you to set the MAC address to whatever you want. Find one that does and use that. If the company whose NIC you have doesn't, ask them why, and that they should add that functionality. I'm sure others with write utilities that will allow you to change your MAC address as well.
Actually I'm well aware that there will be an optional method, eventually, for masking MAC addresses in IPv6, although last I checked a few months ago it wasn't final yet and no one seemed in a great rush...and no one held up IPv6 to wait for this fix to be part of the rollout.
And I'm also aware that because it will not be the default, very few folk will use it; most folk will therefore have their true MAC address visible. Your comment is therefore not only snide but thoroughly misleading in terms of the practical effect on the privacy of not just average AOL users, but most people. I discuss all this and a great deal more about privacy in a recent article on privacy and the law (Note: article is in .pdf but a crude HTML of an earlier draft is available here)& lt;/P>
I have a blog.
Not only has Quova misused directory information in order to compile a Direct Marketing Database, but they've used The Public Internet to perform this data compilation. What is the "LAW" on ownership of this form of information? IANAL, but to me this is a pure form of Public Domain information so we all should be free to DOWNLOAD QUOVA'S DATABASE! Obviously they won't allow that, so maybe we should compile our own form of Quova's database and make it available for free!
oh....my!
This is not news. I've been able to track people's localles over the internet for years now. All truly skilled hackers can.
I know where you live, where you work, when you sleep and what you fear.
I have only one thing to say to you:
Damn you're boring - why don't you get a life?
--Shoeboy
We (USians) do live in a democracy (as well as a republic). I refer you to M-W.com's definition. We live in a democracy because supreme power ultimately rests with the people. The fact that we exercise that power through elected representatives doesn't negate that.
--
The most valuable commodity I know of is information. - Michael Douglas as Gordon Gekko, Wall Street
Their claim is very interesting because I can easily make it appear as though my IP address is down: make it ignore ICMP packets all together. This is very easy to do with ipchains: ipchains -A input -p icmp -j DENY. Most scanners will fail at this stage one as the host doesn't even appear to be alive. All it takes is blocking incoming ICMP packets at a firewall to mask hundreds or thousands of hosts. Don't get me wrong, ICMP does have its good merits but I'd like privacy and security over time request packets.
It really is that bad, but it's optional. IIRC you can use 64 random bits instead of your MAC address if you want.
Regardless of whether these services (Akamai, RealMapping, and now Quova) do or don't represent an unreasonable encroachment on privacy (or whatever), it occurs to me that (as always) whenever the rules change, there's the possibility of benefits for both sides. In this case, consider the fact that better reverse IP indexing would make it much easier to track down spammers and other net.vermin and nail them to the wall. (Whether or not the average little-guy spambuster could afford a comprehensive commercial reverse IP index service is another question, of course.)
So these are the idiots who have been trying to scan my network from IPs on Exodus Communications (64.41.x.x)... Good thing I've been blackholing their packets for about 4 months...
Does this mean Amazon.com will price my CDs based on how much I spent at Chapters.ca?
Getting geographical information is one thing, but its potential uses seem, well, scary. Sure its nice if I can get Canadian prices automatically at a web site, but what if this company is collecting "geographical statistics" on buying patterns as a service to its many clients?
This kind of behavior will likely be ignored until comeone can prove that, for the cases where you have a static IP, these "regions" include only a single person or household.
I need to get me a tinfoil hat!
IPv6 is mostly going to suck for cable/dsl-users. Sure, you can change your NIC's MAC, but I recall it being the cable modem/dsl that get's the address and cable/phone companies identify people(to grant access) based on the MAC. Even with dynamic ip(no need for that really, maybe same ip-part, but MAC different for one company) your're still constantly identified..
I sent Quova a note saying I think it should provide a free sample of where they think your particular address is coming from. They replied with an Excel spreadsheet with 2 lines.
:)
My domain is on the net via 4 static IPs on sDSL (Speakeasy + Covad). Sure enough, even though I'm in Nashville, TN, they showed me as being located in NYC (where my Speakeasy POP is located).
They probably have a good general idea of where a majority of addresses are located, but they don't have anything accurate. Unless you are actually located where your ISP's POP is, the service will not be able to target you.
I think that's a good and a bad thing, good as it may keep people from adopting the service (which I don't particularly like), but bad since once a company has chosen to use Quova for targetting ads, I'd rather get stuff that actually applies to me.
Ah well
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Assuming they didn't use RIPE, ARIN, or APNIC data to compile their database (and even assuming they did), what's the big deal? I don't even consider this an invasion of privacy, much less anything to worry about. Then again, slashdot users will bitch about just about anything (yet do absolutely nothing to "solve" the "problem".)
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
--Fesh
"Citizens have rights. Consumers only have wallets." - gilroy
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
Ha. And that option doesn't _save_ it anywhere (like in EEPROM of the card). Wake up yourself!
--The knowledge that you are an idiot, is what distinguishes you from one.
However, do we really need to? In "the real world," advertisers can avoid spamming people with irrelevant ads. Allowing this type of targetting online seems reasonable. Occasionally, advertising is useful -- it is a good way to learn about what's out there. Not every corporate practice is wicked and evil, even if it removes some level of the anonymity that was previously found on the internet.
While privacy is important to protect, the internet is a changing place and I believe that the level of casually available anonymity will inevitably decrease. Some losses should be protected against, but I don't think this is one of them. Which step in their collection process should have been prevented? If your activities are traceable to _your_ IP address, then they are not anonymous, and I don't think any knowledgable individuals would expect them to be. Security through obscurity... The only difference is that it's now a little easier to figure out where (some of) those IP addresses are. If the information is out there to be collected by legal procedures, it will be collected.
If you haven't heard this before, then you haven't been reading slashdot for long. This type of fear mongering is quite common when people talk about IPv6. The *recommended* way to generate an IPv6 address is through your MAC address. You're still welcome to assign them by hand if you so choose. Also, almost every Ethernet NIC can have its MAC address overridden.
The poster apparently hasn't been following slashdot either...
I can change the MAC on my NIC to whatever I want, thus no privacy problems.
Maybe they do a reverse DNS of several of the hops near you to get better information. For example, if you did a reverse DNS lookup on my IP address you'd just know what city I live in. If you did a reverse DNS lookup on the next hop, you'd find out what street I live on.
Comment removed based on user account deletion
This sounds like total snake oil. How does scanning IPs tell you their geographical location? At most, you can look up the (physical) address of the netblock holder, which has very little to do with the physical location of the machines in the netblock. And that can easily be done using the RIR (ARIN, RIPE, APNIC) whois databases; Why would we need some other company to recycle the data for us?
Hope it works out for them though, that sort of restriction I can live with :)
~ppppppppö
How are they the first? Akamai's had this service for somet time now:
http://www.akamai.com/html/sv/edse.html
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
Dial-up long distance to an ISP in a backwards country using a phone company you know don't support call-number forwarding, and get a telnet account on a old UNIX server in a country where the police force are not savvy enough to be able to read the dialup log files.
... I don't think so! :-)
good: No-one will ever know where you live!
bad: Using the net will be a pain, and you won't be able to do anything usefull.
moral: It's all a trade-off between useability and personal space. You sacrifice one for the other.
Would the medieval version of slashdot be so concerned when boats roamed through the seas and produced those things you earth-people called "maps"
Still, if the ISP hopped on board, could they not divulge who was using what IP at what time? Could be an interesting way for ISPs to offer "free" or discounted service.
All privacy issues aside the financial value of this sort of thing is tremendous. But what confuses me is that I though LDAP was supposed to make it so everyone could find everyone. Wouldn't they be better to incent people to give their personal information (name, address, ip number, etc). Then they could sell access to the DB to companies that care, it's a lot more likely to be up to date, and nobody's undies get bunched up.
The way I look at it, anyone can already have my name -> (address || phone number) by just buying the phone book on CD. Letting them know my IP number on top of it isn't going to subject me to anything but more advertising which is largly getting ignored anyway. If I need my some or all of my information to be secret, I'll have to encrypt it anyway so how cares if they're sniffing, monitoring, etc.
ok maybe i'm wrong but it seems like you could easily do this with a simple script, just ping every user that request your web page then use a lookup table to determine where the IP's physical location probably is. it seems like this is a very bogged down way to go about this.
A blog about stuff.
But god forbid you try to read the article without having to scroll endlessly in that annoying little box they have.
The article is actually here:0 &_ref=2090582999
h ttp://w ww.securityfocus.com/templates/article.html?id=11
Try reading that with JavaScript turned on and you'll be redirected back to that horrible layout of theirs.
Security Focus is a great site, but they've got one of the worst designs (in terms of usability) I've ever seen.
--
Turn on, log in, burn out...
Here is a crazy idea? why don't you just go talk to ARIN/CIDR and find out who owns what IPs? A 15-minute phone call or flooding ICMP across the internet.
People are all stupid, just some more than others
I just don't see why this is such a big issue...so what if they know the approximate location of everybodies machine. As it is, you can find people's locations with arin's whois information on the ip blocks. Not to mention simply reversing the ip, most dialup/dynamic ip user's hosts have the state/city in it. So what is the big issue? What makes it soo important? Who cares if they send a ping, or a few udp packets, or whatever. It doesn't affect a thing, and they know nothing more about you than if they used the tools already available. It's their money, let them waste it on their pointless projects.
David
Future News Article:
The small area of Phuket, located in the bustling country of Thailand, has seen it's GDP rise exponentially, due to the introduction of their latest service, Phuket Fun. Using Phuket Fun, security minded individuals can browse safely and anonymously, having their IP address completely masked.
Should a company or individual do a lookup on the idea, they will see that the user is coming from Phuket U. A new era in privacy has thus been issued in, with companies like Akamai and services like geoTrace being told what they should have been rightfully told when they suggested such services - to Phuket.
In all seriousness (which is rare for me), what would be the effect of using one of the many anonymous proxies out there which effectively mask your IP? Agreebly, these companies would have logs of your IP, but toss one of these companies into some off shore third world country (note: I simply used Phuket for the fun of the word), where the government can't control the people or the information, but thanks to grants/loans from places like the World Bank have been able to establish some form of information infrastructure, and you'd be safe! (And you'd also have a run-on sentance, but that is besides the point)
In either event, I'm more concerned about the IPv6 potential for damage/abuse/blatent violations of rights than I am about having someone figure out that I live in Georgia (even though a Neotrace lookup from multiple people repeatedly implies I am in sunny California - don't I wish). It seems like just another company had some peeved geek sarcasticly tell the marketering guy "Oh, you want your database to be done by eunichs?!? Yeah, sounds like a great idea. While you're at it, why don't I create a program to find out where internet l-users live. That's another really great idea."
Oh well, there's my two cents (Out of pity for having to endure my poor jokes).
Information is the catalyst for revolution
They're gonna have a lot of fun with our firewall/router/nat. Its right in front of me, located in Worcester, MA (yes, near boston) but our dumbass dsl company likes to route all of its traffic through san jose, CA. So as far as they're concerened, I'm in CA.
Oh well, they aren't the first to presume this [mapquest, lycos, excite, myav are all culprits too]. It's kind of funny when you think about it.
Lemure, wtf! Don't you mean Lemur?
Your're right, knowing the MAC today is useless.
However, come IPv6, and for the case where
someone _did_ use the MAC as part of the address,
you will be uniquely identified...
Anyway, with abundant IP-addresses, ISPs will be more inclined to give out static addresses to users (for ID-/logging-purposes). Thus, you're
scr***d, whether the MAC is included or not.
Yes, a globally unique interface ID allows quite nice tracking based on IPv6 addresses alone.
i pngwg-default-addr-select-01.txt
i pngwg-addrconf-privacy-03.txt
But, look at a couple of drafts for remedies:
http://www.ietf.org/internet-drafts/draft-ietf-
- chapter 4, rule 7: Prefer anonymous addresses
- these are the ones where you generate a sequence of random 64 bit suffixes from the original ID, mentioned in this draft:
http://www.ietf.org/internet-drafts/draft-ietf-
- explains the procedure for creating those random IDs, see chapter 3.3
So people are working on these issues, no panic.
Ok time to correct any missconceptions of what happened in Belgrade -
Anatomy of a revolution
Any sufficiently advanced man is indistinguishable from God
There are some, for example there is a British MEP (Minister of the European Parliament) Nick Clegg who has been the driving force in pushing through leglislation to unbundle the local loops of incumbant telcos in the EU, without him we in Europe would be facing years of slowly deployed, expensive xDSL services and Europe would fall further and further behind the US and other countries, with unbundling being pushed forward we in Europe may be a bit behind the US in terms of broadband, but not so much that we fall into a dial up only abyss.
Any sufficiently advanced man is indistinguishable from God
Unless I'm being really stupid, how can you figure out geography by "scanning every address on the internet"? What could that possible reveal about a computer's location?
--- Speaking only for myself,
Superficial interpretation.
I/O Error G-17: Aborting Installation
Even gone to download NT SP X high-encrytion (yes I hate MS, but we are force to use it by our "less-inteligent" counter parts)? If you dont have a really good IP and set-up etc. Like if you are at a school, then it gives you a message about a non-geographic IP adress. Aka they couldn't figure out where I am... He He HE (except it wouldnt let me download). So now I guess they can. Eh, oh well.
snowulf.com
The problem of course is, that the domain is hosted by a company in New Jersey.
I don't really think that my potential customers and prospects really go for an add for a franchise of a special waste deposit or are extremely likely to frequent the Tax Fee shop in Newark and take advantage of this really special offer that lasts for only three days.
(Of course this whole scenario only applies if there are more then maybe 20 hits a month, but you get the picture...)
Methinks the business model has a couple flaws in the age of global networking.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Hell, I'm a network administrator on shift this very instant. I'd just got done looking into an alarmed node. Perhaps the buggers passed by tonight.
Un-seriously speaking, of course.
ICEPHREAK
But you don't really seem to care about that since it's also on your homepage:)
I just refreshed this story, and what banner advert should fill my screen?
Think Geek advertising poster depicting Map of the Internet!
So are we now boycotting Think Geek for commercially violating our address space? Or more to the point, isn't this actually an interesting visualisation of the virtual space we inhabit?
Call me a doctor! I think I'm gonna die laughing!!
Not to mention that a lot of ISPs are now making it painfully obvious where you live thanks to the preschool level naming scheme they give to their routers. [cough]@Home[cough]PacBell[cough]
/who *.scrmnt1.ca.home.com and then messaging them all.
= -
I mean, if an advertiser wanted to send out some spam to customers in, say, Sacramento CA it's as easy as getting on a chat network and typing
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Let's see a company is abusing bandwidth for their own personal gain, causing heart ache to sys admins everywhere, gee isn't this a low layer equivalent of spamming?
I hardly think this is causing poor sys admins to have nightmares. If your sys-admin breaks out in a sweat everytime someone ping-sweeps the network, I'd say it's time for a new sys admin!
Take a look at RealMapping, they really provide a lot of information.
I would do a reverse dns and a whois on each ip of interest, you would in best case get adress information for the technical contact that often, but by no means allways are located in the same office as that server
;)
This will not work in every case but perhaps it's good enough in a statistical perspective.
Then there is allways snmp syslocation
(Sorry, but Security Focus is not designed for direct linking; click on the link that says "Scanning Mystery Solved.")
This link was clearly marked on the bottom of the news report. It seems they like the linkage just fine.
Karma: Dyn-o-mite!(mostly affected by Jimmy Walker reading your comments)
They really couldn't be very accurate, but that probably doesn't matter as long as their advertisers and marketers who purchase their data beleive it.
I wonder if this data is worth as much as they think it is. A couple of years ago, everyone thought that having people browsing/search/ad click habits would be a goldmine. I've yet to see anyone making real revenue off that data.
--- Speaking only for myself,
This means that, in the best case scenario, they have traced 93.1322574615478515625% of the IP addresses; and at worst case, 100%. All the more reason for IPv6; so they'll have to toil just to trace them again!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
I wonder if machines (firewalls) that are set up to ignore pings fell under the radar, or did they still show from the old router logs of their provider?
The truth shall set you free!
Ironically, there is a product one can find in oriental markets with this very brand name. I live near a vietnamese community and thus, I'm near a huge oriental market. I was perusing the isles of this huge supermarket and came upon "phuket fish sauce." I kid you not!!! I almost died laughing right then and there. I almost bought the bottle just for laughs and then I thought to myself "fuck it" - or should that be phuket? Anyhoo, back to the subject, I think that you're right on the money with anonymous services abroad. If privacy becomes a concern we can always use them.
The firm is privately funded (including cash from NewEconomy, a Dutch VC firm,) and the company's management have told me they don't necessarily intend to take the firm public, since the cost of creating the database was so low.
On the one hand, it could be a very handy thing for companies wanting to provide localised content - very relevant to those of us living outside North America, as we usually don't qualify for freebies or special offers - and on the other hand, I really don't want companies knowing where I am surfing from and what my viewing habits are. The same argument goes for cookie, but this is a lot more intrusive.
Try http://www.realmapping.com
Of course, one way of getting round this would be to use Anonymizer or Freedom.
Golf; a good walk spoiled. -Mark Twain
Up until now you could stop companies from tracking you browsing by turning off cookies on your browser (or at least from 3rd party ppl). Now they can track your usage no matter what. And it is just a matter of time before the gov't wants to use it to trace you.
Perhaps they'll even go as far as tracing your web browsing patterns with your tax returns, census information and medical records. They don't need much more to get a "profile" on you and arrest your for being a potential murderer.
We built this network to allow IP scanning.
Geographic locations are (roughly) approximated by various IP registries & domain registries, which is publicly available information.
What's the big deal?
Oh.. and who gets prosecuted for scanning? I mean, sure, your ISP can put in your TOS that no scanning is to be done because it causes them a headache.. but that's only an issue with small residential connnections. If you have big pipes, you are NOT told what to do.
I'm not sure I am very fond of the idea of having my IP address targeted by advertisers based on my physical location, it would be interesting to see how many times the company pinged people's boxes. One ping from an IP address should be one of the least worriesome things a system administrator will encounter. If they used a hundred pings, then I can see people be suspicious and alarms going off -- this is not to mention what the heck do they need 100 pings for to build a map anyway.
:)
If you have a box connected to the Internet, you should expect to get pinged. Heck, way back when I first discovered pings, I pinged random IP addys for kicks (Yeah, yeah, easily amused
I find it hard to believe this Geo database is accurate.
1. First of all registration data about the location means nothing since an ISP registers everying via their home office. Even though the IP addresses are used world wide.
2. Measuring packet delay from known point, well there are million reasons why this approach will not work. Take your pick.
3. Trying to break down and interpet the symbolic names assigned to devices in the path to the device. Some ISP use logical city abbreviations and some don't. There no standards in the space and I don't believe someone read every traceroute.
i think they did one on the whole web too.. would show the old DARPA and NCSA backbones..
odd .. no one complained about it back then..
-b
This information is already available in the ARIN database. And truthfully, I can't think of any reason they shouldn't sell it. Even in the ARIN database, it's not very accurate (but probably is good enough for the stated purposes -- things like defaulting languages).
:-))
So..., how in the world does this company expect to make money with a less accurate version of information that can obviously be provided cheaply from another source
An engineer who ran for Congress. http://herbrobinson.us
One more reason to buy your PPP account with a good Russian ISP. Then, browse the net from your r00ted .edu boxes. Long distance? Not with your [red|yellow|blue|plad] box.
Daniel
Wont this type of activity add signicantly to an already overburdened and congested internetwork (the internet)?
It is possible to asertain a geographical area just by doing a tracert (or tracxeroute for those you specifcally use unix) or in the case of some cable modems by dns/computer name?
Heck , i can spook ppl on ICQ by naming thier hometown, by doing a traceroute on thier ip address.
Let's see a company is abusing bandwidth for their own personal gain, causing heart ache to sys admins everywhere, gee isn't this a low layer equivalent of spamming?
BTW: I pay for my own bandwidth, they don't they shouldn't earn money of me without my consent, even if it is an ICMP or whatever they use packet.
EPOS --Evil Pissed-Off Sys admin
I'm working on a new system to scan all host-scanning systems out there. On every scan initiated by my system, which I call geoFUBAR the host-scanning system is scanned about 2million times/sec for a few minutes.
It may melt a few servers, but it generates remarkably accurate data. I don't expect any legal troubles.
Maybe you put a / on the end.
/news/110/ doesn't.
/news/110 works,
Hands in my pocket
If you are using a stand-alone system with dial-up (modem or ISDN) access then what is the address of your NIC?
On the technical side, besides the "we tracerouted everybody" hack, if they did use traceroute, they're also getting a lot of correlation information on what's connected to what, and on how long those distances are. And most of their connections are going to go through the NAPs, or through their ISP's peering relationships with other carriers, which are usually in a small number of cities, so they get a lot of correlation on locations they can exploit (they could even get fancy and reduce their traceroute load by taking advantage of serial searches.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Good points. I'll add:
A) I think a ping falls under the category of 'background traffic', i.e. you should expect to be pinged when you're on the internet, and you take on the responsibility of paying for it in (miniscule) bandwidth.
C) 3) Generally true, except I'm sure they took city abbreviations into account. aol is a special case because all of their proxy servers are in the same physical location.
Hands in my pocket
If you are using a stand-alone system with dial-up (modem or ISDN) access then what is the address of your NIC?
Good point, you don't a MAC then. Plus you can change the MAC on most cards. Plus you don't have to use your MAC to generate the IPv6 address, you can use any number. So it's all not that scary, really.
How they were able to "pinpoint the location" based on what ICMP probes returned? OK, you can guess much from the names of the routers that IP datagrams go through on their way to the target, but not much more as to which country and possibly big city the packets are going. An ICMP echo (ping) won't tell you much more than simple information that the host is alive and possibly which TCP/IP stack implementation it is using. But anyway, it could be possible to at least tell in which country given IP is.
But then you have dialups - which give same IP again and again to people in quite large areas. Then you have various forms of encapsulation used on transport layer - FR or ATM links don't appear in the traceroute. Then you have corporate networks where users either appear under same IP from all the offices in the world or appear using IP's from class (classes) who have access point in the US but are used throughout the world. Then you have VPNs of various kinds.
I really don't get it - how they are able to get around all those problem and "pinpoint the location"? Because in my opinion knowing which country (or state) the datagrams are coming from is far from "pinpointing".
Right, well, the point was, they were systematically scanning the entire freaking address space, and they wouldn't tell anybody why; they had a bunch of noncommital biz-speak for a website, with no good contact information... it wasn't necessarily the fact of being scanned, but the fact they were being blatant and secretive at the same time, that set people off.
You tell me, if you had, say, a class B network, and logged 65,000 ping requests from one address, what would you figure was the *legitimate* reason for someone to be paying that much attention to you? Would you still think so if they didn't respond to any attempts at contact?
oh boy. I just looked at their website... They're pitching, not only zip-code level target-marketing, but the ability to
"Comply with domestic and international distribution restrictions on Webcasts,
music downloads, video clips, and other online content by limiting access from unauthorized areas."
Yep, these guys are creepy alright.
-- 'intellectual property' is oxymoronic
anyone out there compiled a list of technology aware politicians? (global) anyone think there ARE any? even if this isn't fully working now, people will continue to try...
This is better at tracking you than a database based on reverse IP lookups because what exactly? (Keeping in mind that with IPv6 there's going to be *much* more data about you in each of those packets....)
I have a blog.
I tried this link repeatedly (the poster originally provided that one, and I made the change -- any fault is mine, not his).
But when I tried that link, I always got the "sorry, could not find this page" message. So I changed it.
Dunno what the problem is / was, but that's why I didn't link directly.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
Cease and Desist
all they claim is that you can say "where is this IP located?" and it gives a general approimation of the geographical location it would be located in. businesses could target ads using the geographical location of the IP as a guide for what a person might be more interested in buying(like mariners caps for IPs located in seattle, a sea world discount pass for people in florida or san diego, etc). it doesnt mean they claim to be able to track usage of somebody based on their IP.
so i don't even have a real ip address (sucks), and neither does anyone else on charter's cable network (at least in my area)...so i guess i'm safe
I've opened a case number with UU.net. Send them your logs of being scanned! I'm sure UU.net will not be pleased with someone tying up their network with pings, (Is Quova the biggest script kiddie ever?) let alone making money from it. If you have logs showing Quova tapping at your doorway, send them to security@uu.net and we can take care of these people.
Stop wasting bandwidth. It's precious.
/. is a commercial entity. goto slashdot.com
Our office address is in Delaware, our Accounting Dept. is in Australia, Development is in Malaysia, Hosting Service is in California and the servers are in Georgia.
.com.tw domains with us and as we assign static IPs, we tend to get in bulk from whereever available. The last bunch [some of which were assigned to the Taiwanese customer] suggest a sub-net in Latin America.
We have aclient that hosts
I'm not even getting into the weird holding structures of our mix-and-match corporate set-up.
I don't believe that any IP can conclusively pinpoint any location.
And I'm talking about static IP's not randomly assigned ones [which should be completely impossible to pin point - other than finding the ISP and checking the server logs and contacting the telco provider to find the address of the number, of course].
This is even more so as their are no identity or address checks or anything when a domain name is being registered.
Obviously the story would be different with IPv6.
As ICANN's Esther says, this will fix everything.
But it will also permit permanent IPs for every gadget on the planet - with IPs likely to replace Social Security and Passport numbers over time.
Every Child born is stamped his/her IP and assigned subs for every future gadget it might own [car, cash, id, house, etc]. everything has the owner's IP embedded...
Brave new world - the only crime that is possible is IP theft and hacking...
MAC addresses where not meant to be changed. However, you can on most cards. For some, there even exist linux-utilities to do so (You don't even have to reboot if your kernel have the card-driver as a module). For an example for 3com-cards, you can grab my modified version of Donald Becker's 3c5x9setup here.
--The knowledge that you are an idiot, is what distinguishes you from one.
Seriously. They're doing nothing except sending icmp packets, and not many of them neither. This isn't a denial of service attack (a couple of pings don't constitute a dos). Its not very much of a probe neither, since you do not return very much information. IF you're scared by the information a ping gives out, then you're a paranoid idiot, nothing less.
.. how dumb is it possible to get? One, or ten, or fifty, ping packets doesn't hurt you. Its not a DoS. Its not like it gathers much information about you ("are you alive, and what travel-time do you have to me?").
.. which is what? traceroutes are either sending udp or icmp packets with a TTL starting with 1, and going upwards until you reach your destination host (so that the routers along the way send an icmp-ttl-exceeded or whatever its called when the TTL goes down to '0' at their point).
And, comparing it to portscanning is dumb too. If you portscan, you scan a lot of ports, raising all kinds of bells'n whistles, in addition to that is exactly what scriptkiddies do before an attack. But a ping? Get real. Should they be harassed if they established tcp connections to port 80 on every host on the net too? *bllagh*.
I think this is one of the most stupid news-items I've evern seen. People get excited because of PINGS! Its like
Oh! And, do anybody remember those lovely "internet-maps" that was made some time ago? That got that great coverage on slashdot, with people wanting them and so forth? How do you folks think those were made? Just picked out of thin air? NO! They were made by traceroutes
God. I really, really, really think this entire shit about quova inc is sooo stupid. As a Security administrator, I think its even MORE stupid to get excited because of a couple of pings.
/RANT
--
"Rune Kristian Viken" - http://www.nwo.no - arca
"In gathering this information, they set off alarms all over the world, and yet, it seems that this is an accceptable practice in the eyes of the law"
I wonder which law timothy thinks the Internet is under. In particular in conjunction with the words 'all over the world'...
Cheers,
--fred
1 reply beneath your current threshold.
If we assume that the advertising isn't wasted on someone living in the actual town (a questionable assumption but necessary for this discussion), then I don't see where it would be ENTIRELY wasted on you. Certainly, if there's an ad for Mom's Diner on the corner of 1st and Main in that town, it's wasted on you. But if there's an ad for parkas on sale at Wal-Mart while the weather channel is reporting a huge blizzard headed your way, the advertising is just as effective for you as it is for someone in that particular town. IOW, most "targeted" advertising isn't aimed that precisely. If they know what region of the country you're in, you're probably within their target area.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
What a sinister and evil scheme to sabotage quality businesses the likes of Double Click or those fine folks discussed in this thread.
I'm duely shocked, sir, Er! yes...
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
As always, individual users can be tracked using just their IPs, but this is unreliably due to dynamic IPs, shared IPs, rotating IPs etc. Cookies are still the most reliable way to track people between sites.