Question for XB Steve - Geo Location defeats Xerobank

Discussion in 'privacy technology' started by caspian, Mar 25, 2010.

Thread Status:
Not open for further replies.
  1. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I was a little shocked to see that geo location could defeat Xerobank.

    With all of my browser plugins it does not work. It shows Texas......while I am connected to Canada's exit node. But when I uninstalled Firefox, reinstalled with no addons, and went to this blog http://blog.mozilla.com/webdev/2009/05/01/geolocation-in-the-browser/ with Xerobank connected, it easily gave almost my exact location......within a stone's throw of my home.

    True, it does not work with XB Browser. But how many customers even know about this problem?? And not everyone uses XB Browser all the time.

    How is my location being revealed while I am connected to Xerobank? Is there some kind of satellite connection? And by disabling the geo location feature in Firefox, does this *really* mean that this problem is resolved?? It seems like a whole new issue altogether.
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Geolocation stuff from Firefox is sent within packet traffic from your computer. A VPN protects the identity of your connection (IP address) but it doesn't inspect packets for what you (or your browser) choose to send.

    If Firefox is getting accurate info for you then you must be using a local wifi network.

    Yes, disabling geolocation in Firefox will prevent it from doing geolocation. If you are a bit paranoid then you can remove the link referenced by geo.wifi.uri in about:config (then even if enabled it wouldn't know a service to resolve with).
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Re: Question for XB Steve - Geo Location defeats Xerobank

    @caspian

    Yes, it's the WiFi. Basically, Firefox looks at all of the WiFi routers that your computer can see, gets their MAC addresses, and looks them up in an online database (Google's by default, and there are others). I don't see why it couldn't log signal strength as well. In an urban context, they could probably determine which room you're in!

    Bottom line -- don't use WiFi when you're being anonymous. Or do as mvario recommends, and trust that some other app isn't doing it.
     
  4. ArtemisX

    ArtemisX Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    19
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Running Firefox 3.6 here and Xerobank through Canada & USA, it tracks me down to within 100 yards at this site

    http://3liz.org/geolocation/

    Damn, that's scary. Fine, I can turn it off or use Xerobank browser, but it's the other bits I don't know about that worry me. Suddenly that monthly VPN payment seems a lot larger. Though yes, turning off wifi does help...rather a lot.
     
  5. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Do you expect your VPN to protect your info if you email someone and tell them where you are? No, of course not. Think of geolocation services (at least all the ones NOT done by IP address) as the same thing. It's out of the purview of the VPN. Your browser is sending the info based on other factors. Right now the primary one is look-ups in a database of wireless access point MAC addresses. In the future as more computers start containing integrated GPS then that will be the primary means. The information is sent from layer 7, so you have to control it at the application.

    Remember, you are the one to choose whether to send the info, and at least with Firefox you can disable it entirely. It's not tracking you, you are (your browser actually) telling where you are. The VPN is doing exactly what it is supposed to do.
     
  6. ArtemisX

    ArtemisX Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    19
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Very true. It does really highlight how careful you have to be if you really do want to have any sense of anonymity or privacy. Or at the least how little info needs to be let "slip" to have you identified.
     
  7. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Yeah, and geolocation is coming everywhere. Firefox has it, I believe the latest Chrome does also, and there are lab builds of Opera with it so expect that browser to have it soon.

    And gmail is using IP based geolocation now for gmail security:
    http://edition.cnn.com/2010/TECH/03/25/gmail.geolocation/index.html?eref=rss_tech&utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+rss%2Fcnn_tech+%28RSS%3A+Technology%29

    Mobile phones even more so. So many already have GPS built in, and if not, phone geolocation falls back to tower info.
     
  8. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Re: Question for XB Steve - Geo Location defeats Xerobank

    It seems it indeed does:

    POST: https://www.google.com/loc/json
    That's the data that was sent from my machine, the ROUTERNAME was the unique name I set in my router and the ISPNAME was my ISP with the number which is obviously a tower number.

    But there's signal strengths from 3 devices in there.
     
  9. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Right. "ROUTERNAME", "DLINK" and "MYISP2063" are the three WiFi routers that your machine was seeing. Given the locations of those three routers, one could triangulate your machine's location. And BTW, you may want to redact those MACs, if they're real.
     
  10. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Re: Question for XB Steve - Geo Location defeats Xerobank

    Yes, I had changed some numbers in each MAC address, as well as the signal strengths, so the data isn't real but still conveys exactly what was sent via POST to the Google json URL.

    Triangulation indeed, my location was marked as across the street from my house so it was within 50 meters (150 feet) and I'm in rural Australia. If you go into street view where the geo location marked, you can see my house.

    So yes quite concerning indeed, especially with Google holding the keys.
     
  11. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    BTW, this is particularly insidious for the privacy-minded because WiFi leeching is part of some SOPs.
     
  13. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Yeah, but it requests before sending, and it's easily disabled.

    Just an fyi, geolocation is coming in Chrome 5
    http://www.ghacks.net/2010/03/05/geolocation-added-to-google-chrome-5/

    and it is in beta for Opera, so it should be coming soon there also. Though with Opera also it can be disabled (opera:config, uncheck Enable Geolocation)

    "the privacy-minded because WiFi leeching is part of some SOPs"

    Why? It's seriously riskier than geolocation as you open yourself up to all kinds of man-in-the-middle snooping.
     
  14. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @mvario

    I suspect that leeching WiFi is to CYA if your anonymity/privacy solution fails. IMHO, that's no longer such a great strategy. Also, I'm not very comforted by the fact "it's easily disabled" in browsers. Perhaps it'll show up in less obvious ways.
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I didn't think that your MAC address was visible on the internet. But anyway, I downloaded one of those free MAC address changers and ran it. It had no effect on the geo location.

    Here is my concern. Just because firefox asks your permission, does that mean that some other process is not doing it without your permission? How about other applications like Skype? Can they do this too? Is there really any way to know?

    If I turn off my router and plug my connection directly into the computer will that prevent this from happening? Or does anyone truly know?
     
  16. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Your MAC address isn't visible on the Internet, and your MAC address isn't used for geolocation. The mac addresses that are used are those of the wireless access points that your computer can see. Geolocation providers, like Google and Loki, have large databases of access point MAC addresses and corresponding locations.

    Is there really any way to know what any application is doing? If you don't trust the application don't install it. There are worse things an application can do than just get your location information. But no, there is nothing inherent in the geolocation process that forces it to ask for permission. All it does is send the list of the MAC addresses it sees to a database that sends back longitude and latitude information.

    Sure. Without access point data geolocation falls back to using your IP address to try and determine where you are. It might not happen immediately though, I'm not sure if the MAC info is cached for any length of time. And you don't have to turn off your router, just use a wired connection and disable your on your computer.
     
    Last edited: Mar 27, 2010
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I am confused. My computer connects through my wireless router. Are you saying that Google has my router on their list?
     
  18. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Possibly. At minimum, the MAC address of at least one of the wifi access points that your computer can "see". That's how it works. Google, and Skyhook/Loki, and some other companies have databases of wireless access point MAC addresses and locations.
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    It actually shows me as being around the corner and down the street a little. I may just start connecting straight into the computer for most of the time. Thanks for bringing this to light.
     
  20. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Where do Google etc. get physical addresses for WiFi routers? They must be using physical addresses for IPs from whois databases, yes?

    The physical address listed for my true IP is several Km from here. However, the physical addresses for some of my neighbors' IPs are different, because they use different ISPs. I can see how averaging over all of the WiFi routers within range could yield a more-accurate physical address. Or not.

    Perhaps I'll fire up a notebook and experiment some.
     
  21. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    No. The location has nothing to do with IP address, it's purely tied to the wireless MAC address. I'm not sure of the specifics on how Google compiled their database. Skyhook/Loki does theirs by wardriving (http://en.wikipedia.org/wiki/Skyhook_Wireless). I would assume Google does it the same way. I wouldn't be surprised if the vans they use to collect image data for Street View do double-duty collecting wireless data.

    Here's a web interface to another location provider called Geomena, this one is open/Creative Commons, and their database is pretty tiny by comparison, so chances are your AP won't be in their database:
    http://geomena.org/

    Here's an interesting article on various types of positioning systems:
    http://www.gps-practice-and-fun.com/positioning-systems.html
    I believe I read that Microsoft will be using Navizon.
     
    Last edited: Mar 29, 2010
  22. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    This makes me think of an article I posted a while back about a technique that was used to catch some people sharing child porn. They (the child porn guys) were using a peer to peer network. I assume something like Limewire?? But the investigators would somehow get an idea as to where the person was and drive up to their house and point some kind of device at their router. I think they called it a "copy router" or something.

    Another member here, Jesus, said that it was probably some kind of geo location. In the article they said that to do this, the ISP had to install some kind of software, but after that the ISP did not have to do anything. I bet the software gives away your general location without the need for any assistance from Firefox. And then maybe when they point that device around trying to pin point the exact location, they are picking up some kind of unique identifier that the software has created.

    So sure this can be used to quickly identify people sharing child porn. And it can also identify whistle blowers, anonymous bloggers, peace groups, gay rights activists, the Wiccans or just about anyone that you can think of.....with no need for probable cause, oversight, or a warrant. Fishing Season is now open.
     
  23. bangle40

    bangle40 Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    23
    Seems like a very interesting topic. To summarize how to avoid geolocation so far:

    1.) Don't use wireless access points if you want to be as anonymous as possible.

    2.) If you do, ensure your browser has geolocation disabled.

    In Firefox, enter about:config and turn off the geo.enabled preference.
    I also cleared out the websites (google and mozilla were listed) in the geo-wifi and browser.geo preference tabs.

    Any more suggestions?
     
    Last edited: Mar 29, 2010
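
An added example, not part of any post in this thread: a Python check that reads the text of a Firefox prefs.js and reports whether the two settings discussed above, geo.enabled and geo.wifi.uri, are locked down. The sample file content is constructed, the function names are hypothetical, and "removing the link" in geo.wifi.uri is assumed to mean setting it to an empty string.

```python
import re

# Matches lines such as: user_pref("geo.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample prefs.js content (not from a real profile). The URL is
# the lookup endpoint quoted earlier in the thread.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.enabled", true);
user_pref("geo.wifi.uri", "https://www.google.com/loc/json");
'''

def parse_prefs(text):
    """Return {name: value} for each user_pref line (bool, int or str)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit_geolocation(text):
    """Return (pref, reason) findings; an empty list means both are locked down."""
    prefs = parse_prefs(text)
    findings = []
    # prefs.js only records values changed from the default, and geolocation
    # is on by default, so a missing geo.enabled counts as enabled.
    if prefs.get("geo.enabled", True) is not False:
        findings.append(("geo.enabled", "geolocation is enabled"))
    # A missing geo.wifi.uri means the built-in lookup service is still set.
    if prefs.get("geo.wifi.uri") != "":
        findings.append(("geo.wifi.uri", "a Wi-Fi lookup service is configured"))
    return findings

if __name__ == "__main__":
    for pref, reason in audit_geolocation(SAMPLE_PREFS):
        print(f"{pref}: {reason}")
```

This only covers the browser's own settings; as noted elsewhere in the thread, other applications on the machine are outside what these preferences control.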
  24. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    The simplest,
    Just Say No
    when you get the pop-down asking if you want to share your location info if you don't wish to do so.
    I expect Chrome users may have to do that as I haven't heard of a way to permanently disable it in version 5, though I guess one could block the locations services lookup address at the firewall.

    Also, the browser.geolocation.warning.infoURL setting is simply a pointer to the location-aware browsing faq: http://www.mozilla.com/en/firefox/geolocation/

    Also, there is no "100% anonymous" on the Internet. It's two-way communication and can always be traced as long as the person tracing has the resources (legal, monetary, technical, etc).
     
  25. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    How can I disable it?
     