Study: Adobe Flash Cookies Pose Vexing Privacy Questions

Discussion in 'privacy general' started by ronjor, Aug 11, 2009.

Thread Status:
Not open for further replies.
  1. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Then surely you know and appreciate the value of proper academic referencing? Please substantiate your claims and guide us to the information you are referring to. Thanks!
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Never heard of it, and i've been building/running sites for a very long time. Actually 1985 i first launched a 300baud BBS on the C64, so if you could provide any links that would be great.

    Maybe.. You are meaning sites capturing specific machine hardware numbers, that are normally not broadcast over the net like MAC addresses etc?

    This can't be done server side, but you can execute an applet on a users machine from a web page to capture hardware/adapter info and pass it back over the net which can be used to track individual machines. I have heard that Paypal is/was doing something similar but i have not looked in to it.
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So how does one block this 1Boss1?
     
  4. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    There is a hackish and unreliable way of doing it with just pure javascript, it only works in IE and you get the ActiveX warning but it's interesting. So i have put the code in Pastebin http://pastebin.com/f67f28bbd

    It's totally harmless and just shows the info to you. If you paste that in Notepad, save it to your desktop as mac.html and run it with IE you will see the info it divulges. For me it shows i'm using the Agnitum Firewall Miniport adapter and it's MAC, the Symantec Network Miniport and it's MAC, Bluetooth LAN adapter, My Realtek NIC address etc etc.

    That codes pretty basic, a whole swag more info can be obtained. So it has security implications (exposing AV/Firewall types) as well as machine level tracking/identification ability.

    But if you were serious about doing this on a web page, a Java Applet would be used to do away with the browser dependencies and warnings. I don't think it can be done with Flash, although i won't say it's impossible just that i've only seen it done with Java applets.

    Blocking it is fairly easy, not allowing interactive components/applets to run by default and only allowing those you trust to run. So it follows the same rule as other threats, default deny.

    HKEY, does the "Extended String" IP address you are talking about use machine level hardware ID's like i mention here or something else? I'm curious to know.
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So something like NoScript is the answer?
     
  6. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Now, I'm not sure if you are wanting to know this just for knowledge, or you have other intensions, and I will not go into any more details.
    On advice from my attorneys, I have been advised not to Post any more text or linked information regarding this subject within this particular Thread.


    HKEY1952
     
  7. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,567
    Location:
    Philippines
    o_O :rolleyes: LOLROTF
     
  8. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,327
    Location:
    Here, There and Everywhere
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Now, this is a funny way to start the day! ROTFL
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I think you need to stop laughing and try to get serious with this guy. In fact, I am now having doubts with our network security experts here saying that MAC address or the machine name is not transferrable by the internet and not seen by the ISP at the least, barring the use of scripting, applets or plugins.

    I tried testing the hypothesis of HKEY1952...

    Using a dial up internet using, first, ISP 'A'.
    I went to https://www.grc.com/x/ne.dll?bh0bkyd2 and it says I have no "REVERSE DNS". And so I have different IP's everytime I dial up.

    Now, using ISP 'B' is a different matter. When I went to the Grc shields up website, I came in with the same IP address and so my ISP can retrieve my 'machine name'.
    to quote what grc says:
    But I disagree with the idea that you can't change the Machine name as it is very trivial to any P2P users to change the MAC address. And so when I change the Mac address, lo and behold, I now have a different IP address. And going to check my IP address from the grc website with the same machine name or mac address, I end up with the same IP address. So in conclusion, you need to investigate this matter closely.
    And all our network security guys here need to revise their concept that the machine name is not transferrable over the internet only when scripting is enabled, as well as the plugins and applets etc. As now, by this little experiment it does prove that machine name is retrievable by any website even with scripting disabled.

    So to understand the concept, I'll end what Steve Gibson says about this "reverse dns":
     
    Last edited: Aug 20, 2009
  11. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    No, the rDNS maps IP's to Hostnames and this info is a horrible way to track an individuals PC. Why? Because it can map to any machine, it can change tomorrow and map to another completely different machine just like an IP can.

    What your talking about is the basics of how the net works, and why people use proxies to change their IP it's not some secret string. It's as useless for tracking a machine as an IP is. You even proved this yourself right in the beginning, you went there with Dial-Up ISP "A" and it said you had no rDNS. You went there with ISP "B" and it said something different, now browse there with any online proxy like hidemyass.com and you will see totally different info again.

    It's not identifying your machine at all don't you agree?

    Also again, as i said a machines MAC address is not passed on to web sites and the only way to obtain it is execute some sort of applet/executable on the machine. So unless HKEY's lawyers have some special copy of Wireshark that see's magical super strings hidden between every byte of data the rest of the world can't see it's baloney.

    Believe me, if there was some magic code that identified individual machines as suggested it would save governments/companies billions in trying to track down individuals committing crimes on the net. I'd be getting a patent ASAP if i was HKEY.

    BTW You can see the IP's/Hostnames between you and the destination, for example some of the hops between me and the Wilders server:

    hops.png
     
  12. axle00

    axle00 Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    92

    Either this guy is trolling, or he's smoking something really good. Probably both.
     
  13. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    It seems that my ISP assigns IPs (and probably host names) based on MAC addresses. I get a different IP when I connect directly to the internet then when I put a router between my computer and my modem.
    I can switch back and forth between those two IP addresses.

    But what I don't understand is how an IP and host name are assigned to a router. Let's say I have a Sitecom router type WL-X. Does someone else who uses the same WL-X router get a different IP ? Is there a virtually unlimited amount of MAC addresses, so each user gets a different IP ?

    I once changed the MAC address of my previous router. After I did that I couldn't get it working again. I assume the reset didn't reset the cloned (?) MAC.
     
  14. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,567
    Location:
    Philippines
    This topic has gotten off topic from flash cookies that's for sure.

    Reverse DNS, big deal, so you can translate my IP address to a name. There is no real security, privacy risk with that.

    It is not possible to get your computers MAC address using your IP address.

    It is possible using a Java Applet that uses getHardwareAddress(); however, you have to first download and then allow that applet to run. A web site cannot get it on the fly.
     
  15. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    IP delegation is up to the various ISP's, basically they get a pool of addresses and assign them to customers/machines as they see fit. Mine for example, will give me a new one if i turn the router off for about 60 seconds.

    Edit: I knocked together a simple page last year that shows hostname, IP, Flash/Java version etc. I mainly done it because when Chrome came out, Java had to be hacked to run so users could see if it worked plus see if their Chrome updated properly. It's kind of useful to see what info your divulging.

    Exactly... and thank you!
     
    Last edited: Aug 20, 2009
  16. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Welcome to the month of conspiracies and scary facts...:D
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    I recently posted an article about a technique that was being used. Unfortunately, since I decided to jump into a nearby phone booth and become an amateur sociologist, the thread was deleted.

    But law enforcement was able to install something through an ISP that would help them track child porn guys. They had some kind of device that they could drive up to a location and point it to a router. But they wouldn't say any more than that. They said the ISP had to agree to help, but they didn't have to do anything themselves. They did say that it had something to do with the router and that they could bypass encryption.

    So my guess is they can install some kind of software, and track people regardless of their IP address. Another poster, the amazing JesusJesus, suggested that there must be some kind of global positioning that doesn't need to consider what the IP address is. Maybe there is some kind of software that enables a router to send out signals?? Maybe a satelite is picking something up? I haven't a clue. And they aren't tellin'.
     
  18. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I agree totally that the machine MAC address is not passed on to the websites and one needs scripting enabled as well as the applets or plugins for the websites/servers to hack one's machine ID.

    But ISP's which have reverse DNS capability seems capable of retrieving my machine ID, as I demonstrated.
    Why does my dial-up ISP 'B' kept on assigning me the same IP address everytime I dial-up. And you are correct the next day, they will assign me a new IP address, but that IP address stays with me for that whole day even If I cycle in dialing up and off.

    You are right, that this is indeed a horrible way to track one user because it change every day. Unless of course the ISP has some way in logging all the IP changes with each machine ID, which is very possible in the light of 9/11. But no logical explanation by HKEY1952 is yet been given how that ISP keep assigning me that same IP address every time I dial up, unless they indeed can retrieve the machine ID. I'm just testing the hypothesis of HKEY1952.

    And the obvious explanation is aside from pure coincidence is that ISP could indeed retrieve my machine ID, the telephone's, i.e. the telephone number. Har har

    HKEY1952 must be rolling on the floor laughing, that some people fell to this trap of pure baloney. Unless he and his forty thieves(lawyers) (ha ha) would speak out. I'll give him the benefit of the doubt.

    Sorry, folks, for another crappy OT's.
     
    Last edited: Aug 22, 2009
  19. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    it seems that this ISP 'B' assigns to you a "static ip address" instead of a "dynamic ip address"

    see "What is a static IP address/dynamic IP address?"

    have you asked explanations to that ISP?

    what is called here "machine ID/machine name" is simply the Hostname
    see what is "Reverse-DNS" and why it's retrieved or not: http://www.dnsstuff.com/docs/ptr

    GRC/ShieldsUP is simply saying that if your ISP assigns to you a dynamic ip address, of course the Hostname will change too... if your ISP assings to you a static ip address, of course the Hostname will be always the same - Period
     
  20. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I know all of that. But you are wronged, because I didn't quite explain the situationer. Well, I am not supposed to be given a static IP address to begin with because this ISP 'B' as well as 'A' were both prepaid accounts. I didn't pay a premium to be given Static IP addresses, and I haven't have any contact whatsoever to those ISP's. It's prepaid, and it's like I am just a walk-in or a temporary thing and not an actual contract where I have personal contact to their office and register for their service. This is not a postpaid account where I have to pay a monthly subscription fee. And I understand that to have a static IP address, you have to request it and you would have additional charges on top of the monthly fee. And I again, I reiterate that these dial ups are prepaid and so no reason for me to be given preferential treatment of a static IP address. What a strange static IP address if it's good only for one day. har har

    Well, the logical explanation is still they tied my phone number as my machine ID and assign a temporary IP address that's good for one day. Because the next day, I will be given a new IP address. If that's static, I will have to have the same IP address, but it is not. Understood?
    Sorry again folks, for another off-topic meandering from yours truly. All because of this baloney extended strings. ha ha
     
    Last edited: Aug 23, 2009
  21. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    Being (to me) a strange behavior (I don’t see the reason for assigning the same IP address just for one day) that’s why I wrote “it seems that…” and not knowing which is the ISP and which is their offer, that’s why I wrote if “have you asked the ISP…
    Did they give you a “username” and a “password” to connect? If it is so, they don’t need to know your telephone number… they suppose you didn’t disclose them to anyone else, and therefore the one is connecting with those credentials are “you”, and they don’t care of your MACs, imaginary strings, or whatever else… however I still don’t understand why they assign the same IP…

    Maybe you could ask the ISP…
     
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Indeed, it is a very strange behaviour for this ISP. For 3 days straight I have observed this static IP address or temporary address for only one day. Very strange, it is indeed possible for them to log my phone no. sort of a caller ID thing and tie it or assign a temporary static IP address for a day.
    This prepaid dial up internet card one buys in any convenience store and you will scratch the surface of the card to reveal the username and password. This card is very cheap. For this strange behaviour of this ISP, I would not bother ask them for I resolve never to use their service again. Thanks for the concern.
    Now, this strange behaviour is a mystery if one will disregard the possibility that they can track any user using their service by tying the IP address with a machine ID(whether MAC address or the phone no.). The latter seems the more plausible as the extended strings theory is still just that a theory or hypothesis.
     
  23. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    trismegistos

    It sounds like they assign an IP to a phone number, rather than any MAC detect etc etc.

    Why ? who knows, but i presume it's so they can log what people do. So if at some point an investigation was conducted, they would have a database of www's visited etc.

    I'm guessing it's done under the guise of anti terrorism, but as we all know .GOV in league with the ISP's, can, do and will, use the info gained for whatever they want, legally or otherwise.

    Don't forget about that no so anymore ( secret ) monitoring room in San Francisco that was outed a few years ago. And that's just one of many scattered around, and ALL linked to you know who !
     
  24. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    most of this is over my head...

    just wanted to contribute that i have mobile broadband and am near Sacramento, CA and when i get these targeted ads they think im in Newport Beach, CA(apparently many hot babes are searching for me there) or Stockton, CA or somewhere else in generally southern California....

    of course this is just business and not govt....i wouldnt put anything past govt...


    also, it appears that CCleaner is not cleaning some of the Flash cookies left in
    firefox folders...one program i have says there are several in Firefox DOM, whatever that is....hope i got the info right..
     
  25. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    It seems Google knows my location. I don't know how. My IP is mostly static, but configured as dynamic. Using various websites/tools to get information about me by tracing my IP (machine/host name?) I get different cities. But only Google seems to know my location.
    I'd rather not get specific. I really don't like this.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.