Discussion in 'privacy general' started by lotuseclat79, Dec 1, 2010.
Race Is On to 'Fingerprint' Phones, PCs.
Without reading the fine details of it - it sounds dreadful.
Yet something else to try and circumvent?
I think a Linux live-cd would thwart his idea, since e.g. a standard live Ubuntu has the same user-agent, time, fonts and firefox-addons.
I can't see how he should manage to get info about the pc if something like NoScript was installed.
This is all just so old-school. For the most part, my physical computers only access the internet for software updates. I use VMs for all email, web browsing, etc. Each of my online identities uses a distinct VM, and all of my pseudonymous online identities use Linux VMs connecting via xB and other VPNs. And, as raspb3rry notes, one can use Linux LiveCDs to be totally generic.
For example, do I really care that some database associates the signature of the VM I'm using right now as hierophant? I never attempt to hide the fact that I'm hierophant. OTOH, perhaps it'd be wise to periodically migrate to a new VM, just to mess with them.
Also, although being targeted for online ads is a minor concern, it's readily stymied by using Adblock Plus, NoScript and OptimizeGoogle.
I don't see what this would really gain them. Why bother fingerprinting the PC when they already have your IP address? Even with that data, I'd like to see them try to push those targeted ads onto my system without Proxomitron filtering them out.
Well, they don't have your real IP address as long as you connect via Tor or a VPN. However, once they fingerprint a computer, they can link together all available information about it, including the IP addresses that it connects through.
For example, they might learn that noone_particular uses a computer with fingerprint XYZ for posting to Wilders via Tor, and that John Smith of Dallas, TX, USA uses the same computer to update his Facebook page. That might be problematic, no?
time being the emphasis is can and not must. all providers such as blogs, forums, webpages in general would have to fingerprint the hardware profile of each visitor and feed it back into a gigantic database in order to cross link profiles, which however with IP6 will become much easier.
just let us hope that certain bodies do not make it mandatory by law one day, though it would not come as a surprise then considering current efforts to get inet users under control.
perhaps the business goal of that entity is right now marketing but on the long run to become a top source for a cross linking database.
Once they fingerprint your Mac Address on both your router and your computer - they have you unless you know how to change it every time randomly (i.e. every session) on both, and always use either Tor or a VPN on all of your computer's external transactions - despite what time a particular transaction might have taken place with a dhcp pool assigned IP Address with your ISP assignment to your router.
The point is that the hardware device has been identified on both your router and your computer. After that with comprehensive traffic analysis with times and IP addresses - if you neither use Tor nor a strong VPN - they will connect the data points together and it points to your computer and router.
In one of the other threads, I've posted a randomizing change mac address script that works on Linux/Unix and might also work in a cygwin environment that has an awk executable (awk.exe) specifically to execute in a Windows environment. It is composed of one file to copy from the thread post, and results in two files - the script .sh file which must be executable, and the awk file which is embedded in comments in the script text that must be separated into a readable, uncommented file in the same folder/directory as the script.
Whether one uses a VM or not, all that matters to them is getting the hardware device's identity.
I doubt this will become law; way too much influence in Congress by companies and individuals who don't want it, and nothing that I can see could/would limit tracking by non-U.S. entities.
in which tier are the mac addresses of router and computer transmitted, afaik not via the http layer? TOR/VPN do not change either MAC, thence both would be useless, if the MAC is being transmitted.
concur, but such organizations have to make a statement every now and then to prove their purpose, btw, the article talks about tracking, which is technically a different pair of shoes than fingerprinting, though latter certainly can support the former
is the question what sort of non-US entities would have an interest to track US inet users (not talking about high level espionage)? Do not reckon that overseas vendors would do so, most of them are forced to have a branch in the US, which then again answers to US litigation
I was referring primarily to offshore gambling and porn sites as well as (for instance) foreign companies specializing in tourism and non-US investment "opportunities".
Although I believe you should accept the risk, that doesn't address the real issue of peripheral damage to others who might use the same computer.
as you pointed out, this is another topic.
I probably should have started another thread.
Mac addresses are covered as LAN protocols which comprise the bottom two layers of the OSI Reference Model, i.e. the physical and data link layers.
The idea is to spoof both Mac addresses that are transmitted, i.e. the router's Mac address and the computer's Mac address.
See: post #30 in MAC & IP address (Page 2) for script/awk details/code.
thanks tom for the input. I fail to see how LAN is connected to fingerprinting as intended in the article and this thread - pardon my ignorance... usually LAN traffic stays there and does not leak into the inet for somebody to fingerprint.
local machine fingerprinting has been done since long, as outlined in the article. not sure whether particular data is getting submitted outside when using smartphones and tablets of certain brands. reckon that iphones must be fingerprinted when connecting to the itunes store
That's true. AFAIK, geolocation via wireless router MAC address depends on the web browser (or possibly, another app) reporting that information. Although it's a separate topic, I'm sure that MAC geolocation data will end up in the same databases as computer fingerprints, IP address, browsing habits, login names, and whatever else they can sniff.
Just to clarify my previous post: There are two levels of the data link layer, and the MAC address is handled by the lower data link layer - i.e. closest to the hardware physical layer.
Also, not all routers are capable of cloning, i.e. letting you spoof its real Mac address by using the computer's - which is easy to spoof (especially, if you spoof the computer's Mac address before connecting to the network - i.e. bringing up the router to get an IP address). It is either allowed or not in the router's configuration.
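Added example, not part of the original thread or any poster's code: a Python sketch of two points argued earlier in the discussion, that identical live-CD browser profiles share one fingerprint, while a customised profile is unique and ties together every address it connects from. The user labels, attribute values and IP addresses (documentation ranges) are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from the thread): the four attributes named in
# the live-CD post, plus documentation-range IPs and made-up user labels.
LIVECD = {"ua": "Firefox/Ubuntu", "tz": "UTC", "fonts": "stock", "addons": ""}
CUSTOM = {"ua": "Firefox/Windows", "tz": "UTC-6", "fonts": "stock+37",
          "addons": "adblock,noscript"}
VISITS = [  # (user, source IP, browser attributes)
    ("livecd-a", "192.0.2.10", LIVECD),
    ("livecd-b", "192.0.2.77", LIVECD),
    ("livecd-c", "198.51.100.5", LIVECD),
    ("custom-user", "203.0.113.9", CUSTOM),     # via an anonymising exit
    ("custom-user", "198.51.100.200", CUSTOM),  # from the home connection
]

def fingerprint(attrs):
    """Hash the attributes in sorted key order so equal profiles hash equal."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def exposure(visits):
    """Map each fingerprint to the users and IPs observed presenting it."""
    groups = defaultdict(lambda: {"users": set(), "ips": set()})
    for user, ip, attrs in visits:
        group = groups[fingerprint(attrs)]
        group["users"].add(user)
        group["ips"].add(ip)
    return dict(groups)

def anonymity_set_size(visits, attrs):
    """Number of distinct users indistinguishable by this fingerprint."""
    group = exposure(visits).get(fingerprint(attrs))
    return len(group["users"]) if group else 0

def linked_ips(visits, user):
    """IPs seen with fingerprints that only this user presents."""
    ips = set()
    for group in exposure(visits).values():
        if group["users"] == {user}:
            ips |= group["ips"]
    return ips

if __name__ == "__main__":
    for label, attrs in (("live CD", LIVECD), ("customised", CUSTOM)):
        print(label, fingerprint(attrs), anonymity_set_size(VISITS, attrs))
    print("custom-user linked:", sorted(linked_ips(VISITS, "custom-user")))
    print("livecd-a linked:", sorted(linked_ips(VISITS, "livecd-a")))
```

The live-CD users form an anonymity set of three and none of their addresses can be tied to one person by fingerprint alone; the customised profile is a set of one, so both of its addresses collapse onto the same user.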