The paranoid #! Security Guide

Discussion in 'privacy technology' started by Gitmo East, Nov 9, 2013.

Thread Status:
Not open for further replies.
  1. snerd

    snerd Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    130
    Location:
    Arkansas USA
  2. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I had to sit down, yes both you guys are right. Turned out my foxgloves addon which is designed to assist to make your fingerprint better was not even switched on by default. Soon as I did that it now hits 950,000.

    But this firefox addon of foxgloves is not that good if you use multiple tabs it forgets to switch on by default on the new tab.... guess it ain't been updated it also messes up your fonts on pages !

    May uninstall it and retest it since even without these tweeks I was hitting 800,000 at one point although you are correct sometimes I run the site and it hits 1.2 million but sometimes higher or less:argh:

    Edit just uninstalled and retested and get this score now

    "Within our dataset of several million visitors, only one in 544,819 browsers have the same fingerprint as yours"

    Sometimes hits 800,000 region or 600,000. So guess too many folk used foxgloves ! No wonder why its not recommended or mentioned nor updated recently.....
     
    Last edited: Dec 7, 2013
  3. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yeah, Foxgloves did nothing for me. I think the most effective thing to do is disable javascript and Flash, since those are leaking the most information. But of course, that doesn't make many websites very usable. It seems ridiculous that every font and plugin on my machine has to be reported to webservers. I doubt much of that information matters, in terms of how the a web page is served up.
     
  4. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Yeah same I have noscript to block java/flash only enable on the sites I require.

    I still get 3.5 million and then one day ill try it and hit 500,000 so goodness knows whats going on. Either way I have followed the guide and am glad I did since so many things were left on when could have been off for better privacy and security.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Panopticlick is useful in that it shows how browser fingerprinting works. It displays a portion of the identifying info sent by your browser. It then compares the results to the others who have had their systems checked there. By their formula, the higher the score, the more unique your system is. The "uniqueness" results can't be taken as accurate for several reasons.
    1, The sample set your system is being compared to does not represent typical users. Few if any "typical users" will ever click on that test. Your system is being compared to the systems of other privacy aware users, an atypical group to begin with.

    2, Their formula for uniqueness doesn't match reality. If your systems sends very little information, you'll get a score that shows you as less unique. In reality, the lack of identifiable data being sent makes your system more unique. Most systems send identifiable data. Not sending identifiable data does identify you as a user that is concerned about being identifiable. OTOH, the data sent by your PC can also make you appear completely unique. I visited their test with a friends PC. Her plugins and installed fonts were both unique in their sample set.

    Defeating browser fingerprinting is something of a 2 edged sword, depending on your reasons for wanting to defeat fingerprinting. Fingerprinting can serve 2 separate but related purposes. One is to identify and track you. The other is determining the best way to attack or exploit you. Most anti-fingerprinting tactics will address one of these two reasons but not both. A "typical" system accurately identifies itself. It gives them complete plugin data including version numbers. That alone is often enough info to successfully target that system. If I recall correctly, the presence of certain fonts make systems uniquely identifiable and targetable.

    How you approach browser fingerprinting will depend on which goal is your priority. If you want to truly "blend in to the masses" your system needs to send identifiable information. That info will need to contain all of the common stuff. If you choose to spoof or alter what info is sent, you then need to make certain that the data reported by the browser headers agrees with that sent via javascript, flash, etc. The devil is in the details here. Torbrowser for instance does a good job at making all of its users look the same, but it also identifies them as Torbrowser users.

    The other approach to fingerprinting is to send as little information as possible, and to make what data is sent unreliable or deceptive. This removes a lot of the info that a potential attacker could use against you. It does make you more identifiable when compared to those trying to blend in. By comparison, the typical user who takes no steps to protect their privacy is equally identifiable if not more so. If anything, withholding identifiable information identifies you as a more difficult target. On my system for instance, neither of my browsers reveal much. Both give different information. Because mine is also an exit node, most all of the traffic is from privacy conscious users, so mine blends right in.
     
  6. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    Yes. That's what the guy in the video said as well. Don't do too much, don't try too hard. I think he specifically talked about the addons changing the header information being especially tricky.

    I did play around with the fonts but at one point the websites were ugly as hell so I undid my changes. I don't have as many as before, I think. (I can't keep record of all the changes I made in firefox - but it should be bold in about:config)
     
  7. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    @noone_particular Thanks. I think that's a good analysis of the complexities of the issues.

    I do wonder, hypothetically, if it must be true that anonymity and security (protection from potential attacks) are in opposition. Hypothetically, if you could completely control all information that your browser sends (including what javascript and flash reveal), then you could both make your system send false information and appear to be like a lot of other browsers.

    If you're running Linux but look like a typical Windows machines (fonts and all) and you reveal a small yet typical set of plugins, which is less than you're actually using, then I think you would get both the benefits of sending potential attackers on the wrong track and blending into the crowd for anonymity. Of course, that kind of control over the information browsers send does not seem to exist. But I don't see why hypothetically it couldn't in the future.

    That aside, it is certainly true that one can also achieve the opposite of what one intends. If you spoof a browser header that says you're running Windows, but your machine has a bunch of fonts on it that are only used in Linux, then that's going to make you more unique that both average Windows users and average Linux users, who could not have that header/font combination.

    I do like the setting that Firegloves has to send random information (if it worked, which it didn't more me). That also potentially solves both problems. It will throw off somone looking for exploit vectors on your system, since they're getting bogus information, and if you browser appears different every time, even if unique, that pretty much undermines tracking. Multiple highly unique browsers cannot clearly be said to be the same browser; that would, in fact, seem to obviate the problem of appearing unique.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't worry about how unique the browser on this Ubuntu VM is, because only mirimir uses it. What's important is that it's different from my other VMs, using other identities. I'm not very organized, and that adds variety ;)
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Theoretically, it's possible to make ones system completely misrepresent itself. The problem is the details, getting everything to agree. IMO, browser settings and extensions will not be sufficient to the task. Most if not all of the browser headers would have to be rewritten on the fly, as would all replies to javascript inquiries about the system. To carry this out, the user would need a strong knowledge of javascript and HTML. The only tool I know of that would be capable of rewriting everything on the fly is Proxomitron, and it may not be sufficient. There's another "identifier" with browser headers that's much harder to change, if it's possible at all. The data sent in the browser headers isn't the only variable. Different browsers send the individual headers in different orders. AFAIK, there is no way to change the order that the browser sends them. I strongly believe that this is deliberate, and probably coerced. Adversaries who are aware of this behavior can use it to determine when the data is being spoofed.
     
  10. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    @mirimir Yes that's seems like a good alternative strategy.

    @noone_particular I realize my argument was entirely hypothetical. Thanks for the further explanation of the details of how this works and how impractical it would be to have effective spoofing. I guess other solutions, such as mirimir's, are necessary.
     
  11. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    thx all great reads especially noone_particular

    I tried panoclick again this morning and hit 1.8million yet yesterday it was 1 million.

    Either way noscript+ other addons and only using java/flash when needed and cookies switched off will hopefully be plenty to stop browser fingerprinting.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Mirimir's Tor/VPN solutions will be effective at hiding your location, but they don't defeat all fingerprinting methods. If you're using the TorBrowser for instance, you can't completely hide the fact. Fingerprinting the TorBrowser might not identify you specifically but it will identify you as part of the group that's using it. Have you looked at this thread? Take a look at post 17, specifically the HTTP_ACCEPT headers for the 2 browsers I tested. They differ by a single space in the line. Similar variances have been seen in other browsers. These variances appear to be hard coded into the browsers. Combined with hard coded variations in the order the browser sends the headers, they're sufficient to identify specific browsers by name (FireFox, Palemoon, etc) and possibly the version number as well. An adversary who is aware of these variances (3 letter agencies) won't be fooled by spoofing user agents. Against these adversaries, attempting to spoof user agents and the OS being used will probably make you more identifiable. That said, the same techniques will probably work against most websites and servers.
    Their numbers jump all over the place. I don't think I've seen the same results on more than one day. The browser I'm using with Tor for instance gives this today:
    By their results, its uniqueness has varied by a factor of 10 in a few months. IMO, there is no realistic way to completely defeat fingerprinting. There's too many little variables hard coded into the browsers. I don't believe for one minute that these are accidents either.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    In my approach, there are multiple VMs, with each connecting through some chain of VPNs and Tor. Each VM has its own browser, with its own fingerprint. Some use Firefox, some use Iceweasel, some use the Tor browser in Whonix, etc. They're all VirtualBox VMs, however, and that's probably discernible. Still, Firefox in this Ubuntu VM arguably has a fingerprint that's more similar to that of Firefox in other people's Ubuntu VMs than it is to the fingerprints of browsers in my other VMs.
     
  14. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    As mirimir said, it seems like his approach seeks to address the problem in a different manner. Rather than trying to create a highly non-unique fingerprint, he just has different fingerprints for different online identities, that operate through different VMs and IP addresses. So the point it to partition different identities from each other, rather than try to make them blend into the background.

    This also addresses the security issue, since the identity used for the most secure needs operates in a different VM that is not vulnerable to ways that less secure identities let themselves be vulnerable (by general net surfing, etc.). Although, I suppose even the VM purposed for the most secure needs has some vulnerability to hacks, to the extent that it broadcasts a accurate fingerprint.

    Anyway, mirimir's solution seems more pratcially applicable, than fingerprint spoofing. Mirimir correct me if I got anything wrong about your system.

    I do still wonder if something like Firegloves random setting (again, if it worked) would be useful. It might not create especially generic (non-unique) fingerprints. But if every time you start your browser it appears differently, it could be hard for an attacker to correlate all the different fingerprints as the same person. And to the extent that it misrepresents the browser header and plugins, it may provide some protection from attackers looking for vectors for hacks.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right. My concern with the "non-unique fingerprint" strategy is that messing up might identify me as someone using a very unique strategy for appearing non-unique. That works for Tor Browser Bundle because everyone starts with the same setup.

    When I'm concerned about getting hacked, I use a LiveCD VM.

    You got it :)

    There are two eternal quests that I've given up: 1) nuking all logs in Windows; and 2) fingerprint spoofing to blend into the background. But I haven't yet given up on securing remotely-hosted servers ;)

    I could have a Firegloves identity, I suppose ;)
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I missed the fact that these were multiple operating systems being used. That said, the traffic from all of these OS is still passing through the same ISP, unless that is being changed for each OS as well.
    I don't have the hardware for multiple virtual systems and VPNs. My equipment is quite old. As interesting as the ideas look, I don't have a system that can implement them.
    Regarding:
    1, I haven't given this up yet. If I were stuck with Vista or newer, I would surrender the idea. On my default/host system, a stripped and modified 98SE, very little gets logged and in a limited number of places. A reboot wipes those completely. I'm fairly sure that I can modify a virtual XP unit sufficiently to destroy its value as a babysitter. I know for certain that this version of VPC keeps no records of what I do on a virtual system when I select "undo changes at shutdown". The file containing the changes is deleted. It's a fairly simple matter to make a batch file that will kill the virtual system and overwrite the temp file it creates. This virtual XP system is being built, stripped, and equipped completely offline. It won't see the internet until it's done, and then only through Tor.

    2, I've largely given up on the fingerprint spoofing as well. Thanks to the hard coded variances that uniquely identify browsers, I feel that spoofing their identity is impossible against well funded adversaries. Instead of spoofing the data, I've opted to send nothing. That does identify me as privacy conscious but they already know that. My IP is a named exit node. Most of the traffic coming from my IP is TorBrowser, Tails, or spoofed in some way. Mine fits right in with the rest. Separating mine from the rest won't be simple, or cheap. My contribution, raising their expenses to find nothing of value.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, all of the traffic passes through the same ISP. But only the first VPN in my chains knows that.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Do I have this right? So the traffic from all of the virtual systems passes through a common point, your ISP and a known IP address, and the traffic through that point is yours exclusively. From there it takes one of several paths, depending on which virtual system you're using. The next step on those paths is a VPN. If correct, how many layers of encryption are on your traffic at this point?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    My VM host machine runs a client for one VPN service, VPN1. All Internet traffic to and from that host machine goes through the VPN1 server.

    There's a pfSense VM that runs a client for another VPN service, VPN2. All Internet traffic to and from that pfSense VM, and workspace VMs on its LAN, goes through the VPN1 server, and from there through the VPN2 server. Between my host machine and the VPN1 server, it's encrypted twice, first using VPN2 credentials, and then using VPN1 credentials. Between the VPN1 server and VPN2 server, it's encrypted using VPN2 credentials.

    My ISP sees only that I connect to VPN1. VPN1 sees that I connect from my ISP, and that I connect to VPN2. VPN2 sees that I connect from VPN1, and what websites I access. Websites that I access see that I connect from VPN2. Please see this diagram <https://www.ivpn.net/blog/wp-content/img/Connection-Two-VPNs.png>.

    In the same way, using additional pfSense VPN gateway VMs, I can establish VPN tunnels to other VPN providers through the VPN1>VPN2 chain. I can also route Tor through VPN chains, and other VPNs through Tor.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't know if I'm getting 2 different things mixed together here or if I've just missed something. I think I see what you have with VPNs. It's similar to the layered encryption between Tor relays but is using VPNs instead, and that part of the paths is fixed.

    Regarding the user VMs, each has its own browser with a different fingerprint. Each has a different use. There's no interaction between them. Do I have it right so far? Does each of these VMs use the same VPN combinations?
     
  21. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    For what it's worth, used systems, not even that old, on eBay can be purchased ridiculously cheap. Once I realized this I never bought a new computer again. Even one year old systems (at least for laptops) can be half the cost of what they were new, while still being in essentially new condition (people buy stuff, hardly use it, and then sell at a big discount because they want the next latest thing). Hope that's helpful. Sometimes people don't think of it.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, it's a very simple static form of onion routing.

    As far as I know, there's no interaction between them. Or at least, they are running in separate VMs, albeit on the same host machine.

    Generally, each VM uses a unique combination of VPNs and Tor.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.