Question for XB Steve - Geo Location defeats Xerobank

I was a little shocked to see that geo location could defeat Xerobank.

With all of my browser plugins it does not work. It shows Texas......while I am connected to Canada's exit node. But when I uninstalled Firefox, reinstalled with no addons, and went to this blog http://blog.mozilla.com/webdev/2009/05/01/geolocation-in-the-browser/ with Xerobank connected, it easily gave almost my exact location......within a stone's throw of my home.

True, it does not work with XB Browser. But how many customers even know about this problem?? And not everyone uses XB Browser all the time.

How is my location being revealed while I am connected to Xerobank? Is there some kind of satellite connection? And by disabling the geo location feature in fireox, does this *really* mean that this problem is resolved?? It seems like a whole new issue altogether.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Geolocation stuff from Firefox is sent within packet traffic from your computer. A VPN protects the identity of your connection (IP address) but it doesn't inspect packets for what you (or your browser chooses to send.

If Firox is getting accurate info for you then you must be using a local wifi network.

Yes, disabling geolocation in Firefox will prevent it from doing geolocation. If you are a bit paranoid then you can remove the link referenced by geo.wifi.uri in about:config (then even if enabled it wouldn't know a sevice to resolve with).

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

@caspian

Yes, it's the WiFi. Basically, Firefox looks at all of the WiFi routers that your computer can see, gets their MAC addresses, and looks them up in an online database (Google's by default, and there are others). I don't see why it couldn't log signal strength as well. In an urban context, they could probably determine which room you're in!

Bottom line -- don't use WiFi when you're being anonymous. Or do as mvario recommends, and trust that some other app isn't doing it.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

running firefox 3.6 here and Xerobank through canada & USA it tracks me down to within 100yards at this site

http://3liz.org/geolocation/

damn thats scary. fine i can turn it off or use xerobank browser but its the other bits i don't know about that worry me. suddenly that monthly vpn payment seems alot larger. though yes, turning off wifi does help...rather alot.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Do you expect your VPN to protect your info if you email someone and tell them where you are? No, of course not. Think of geolocation services (at least all the ones NOT done by IP address) as the same thing. It's out of the purview of the VPN. Your browser is sending the info based on other factors. Right now the primary one is look-ups in a database of wireless access point MAC addresses. In the future as more computers start containing integrated GPS then that will be the primary means. The information is sent from layer 7, so you have to control it at the application.

Remember, you are the one to choose whether to send the info, and at least with Firefox you can disable it entirely. It's not tracking you, you are (your browser actually) telling where you are. The VPN is doing exactly what it is supposed to do.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Very true. it does really highlight how carefull you have to be if you really do want to have and sense of anonymity or privacy. Or at the least how little info needs to be let "slip" to have you identified.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Yeah, and geolocation is coming everywhere. Firefox has it, I believe the latest Chrome does also, and there are lab builds of Opera with it so expect that browser to have it soon.

And gmail is using IP based geolocation now for gmail security:
http://edition.cnn.com/2010/TECH/03/25/gmail.geolocation/index.html?eref=rss_tech&utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+rss%2Fcnn_tech+%28RSS%3A+Technology%29

Mobile phones even more so. So many already have GPS built in, and if not phone geolocation falls back to tower info.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

It seems it indeed does:

POST: https://www.google.com/loc/json

That's the data that was sent from my machine, the ROUTERNAME was the unique name i set in my router and the ISPNAME was my ISP with the number which is obviously a tower number.

But there's signal strengths from 3 devices in there.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Right. "ROUTERNAME", "DLINK" and "MYISP2063" are the three WiFi routers that your machine was seeing. Given the locations of those three routers, one could triangulate your machine's location. And BTW, you may want to redact those MACs, if they're real.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

Yes i had changed some numbers in each MAC address, as well as the signal strengths so the data isn't real but still conveys exactly what was sent via POST to the Google json URL.

Triangulation indeed, my location was marked as across the street from my house so it was within 50 meters (150 feet) and i'm in rural Australia. If you go in to street view where the geo location marked, you can see my house.

So yes quite concerning indeed, especially with Google holding the keys.

 

Re: Qustion for XB Steve - Geo Location defeats Xerobank

If it is any consolation Firfox did early testing with Skyhook/Loki as the geolocation provider, but decided to use Google because they felt they had a better privacy policy.

http://www.google.com/privacy-lsf.html

http://www.loki.com/privacy-policy

 

BTW, this is particularly insidious for the privacy-minded because WiFi leeching is part of some SOPs.

 

Yeah, but it requests before sending, and it's easily disabled.

Just an fyi, geolocation is coming in Chrome 5
http://www.ghacks.net/2010/03/05/geolocation-added-to-google-chrome-5/

and it is in beta for Opera, so it should be coming soon there also. Though with Opera also it can be disabled (opera:config, uncheck Enable Geolocation)

"the privacy-minded because WiFi leeching is part of some SOPs"

Why? It's seriously riskier than geolocation as you open yourself up to all kinds of man-in-the-middle snooping.

 

@mvario

I suspect that leeching WiFi is to CYA if your anonymity/privacy solution fails. IMHO, that's no longer such a great strategy. Also, I'm not very comforted by the fact "it's easily disabled" in browsers. Perhaps it'll show up in less obvious ways.

 

I didn't think that your MAC address was visible on the internet. But anyway, I downloaded one of those free MAC address changers and ran it. It had no effect on the geo location.

Here is my concern. Just because firefox asks your permission, does that mean that some other process is not doing it without your permission? How about other applications like Skype? Can they do this too? Is there really any way to know?

If I turn off my router and plug my connection directly into the computer will that prevent this from happening? Or does anyone truly know?

 

Your MAC address isn't visible on the Internet, and your MAC address isn't used for geolocation. The mac addresses that are used are those of the wireless access points that your computer can see. Geolocation providers, like Google and Loki, have large databases of access point MAC addresses and corresponding locations.

Is there really any way to know what any application is doing? If you don't trust the application don't install it. There are worse things an application can do than just get your location information. But no, there is nothing inherent in the geolocation process that forces it to ask for permission. All it does is send the list of the MAC addresses it sees to a database that sends back longitude and latitude information.

Sure. Without access point data geolocation falls back to using your IP address to try and determine where you are. It might not happen immediately though, I'm not sure if the MAC info is cached for any length of time. And you don't have to turn off your router, just use a wired connection and disable your on your computer.

 

I am confused. My computer connects through my wireless router. Are you saying that Google has my router on their list?

 

Possibly. At minimum, the MAC address of at least one of the wifi access points that your computer can "see". That's how it works. Google, and Skyhook/Loki, and some other companies have databases of wireless access point MAC addresses and locations.

 

It actually show me as being around the corner and down the street a little. I may just start connecting straight into the computer for most of the time. Thanks for bringing this to light.

 

Where do Google etc. get physical addresses for WiFi routers? They must be using physical addresses for IPs from whois databases, yes?

The physical address listed for my true IP is several Km from here. However, the physical addresses for some of my neighbors' IPs are different, because they use different ISPs. I can see how averaging over all of the WiFi routers within range could yield a more-accurate physical address. Or not.

Perhaps I'll fire up a notebook and experiment some.

 

No. The location has nothing to do with IP address, it's purely tied to the wireless MAC address. I'm not sure of the specifics on how Google compiled their database. Skyhook/Loki does their's by wardriving (http://en.wikipedia.org/wiki/Skyhook_Wireless). I would assume Google does it the same way. I wouldn't be surprised if the vans they use to collect image data for Street View do double-duty collecting wireless data.

Here's a web interface to another location provider called Geomena, this one is open/Creative Commons, and their database is pretty tiny by comparison, so chances are your AP won't be in their database:
http://geomena.org/

Here's an interesting article on various types of positioning systems:
http://www.gps-practice-and-fun.com/positioning-systems.html
I believe I read that Microsoft will be using Navizon.

 

This makes me think of an article I posted a while back about a technique that was used to catch some people sharing child porn. They (the child porn guys) were using a peer to peer network. I assume something like Limewire?? But the investigators would somehow get an idea as to where there person was and drive up to their house and point some kind of device at their router. I think they called it a "copy router" or something.

Another member here, Jesus, said that it was probably some kind of geo location. In the article they said that to do this, the ISP had to install some kind of software, but after that the ISP did not have to do anything. I bet the software gives away your general location without the need for any assistance from Firefox. And then maybe when they point that device around trying to pin point the exact location, they are picking up some kind of unique identifier that the software has created.

So sure this can be used to quickly identify people sharing child porn. And it can also identify whistle blowers, anonymous bloggers, peace groups, gay rights activists, the Wiccans or just about anyone that you can think of.....with no need for probable cause, oversight, or a warrant. Fishing Season is now open.

 

Seems like a very interesting topic. To summarize how to avoid geolocation so far:

1.) Dont use wireless access points if you want to be as anonymous as possible..

2.) If you do, ensure your browser has geolocation disabled.

In Firefox, enter about:config and turn off the geo.enabled preference.
I also cleared out the websites (google and mozilla were listed) in the geo-wifi and browers.geo preference tabs.

Anymore suggestions?

 

The simplest,
Just Say No
when you get the pop-down asking if you want to share your location info if you don't wish to do so.
I expect Chrome users may have to do that as I haven't heard of a way to permanently disable it in version 5, though I guess one could block the locations services lookup address at the firewall.

Also, the browser.geolocation.warning.infoURL setting is simply a pointer to the location-aware browsing faq: http://www.mozilla.com/en/firefox/geolocation/

Also, there is no "100% anonymous" on the Internet. It's two-way communication and can always be traced as long as the person tracing has the resources (legal, monetary, technical, etc).

 

How can I disable it?