Thanks, but I was thinking around the amount of information the gorillas can ingest and correlate, and that are on your devices and local networks, mac addresses, disk serial numbers etc. - even if nominally not available to the browser. And the extent to which they can co-opt visitors on grotty Android phones to provide them with information you never consented to - similar to people sharing your contact details on social media without consent, or facial recognition. Now I'm supposed to change my SSIDs to say _nomap for something which others can ignore, to salve Google's conscience and maybe their legal liability. Bah! None of it OK as far as I'm concerned, but then I'm not important.
Yes, you are right. It's a crazy world. What especially peeves me is the facial recognition. Soon you can't go to anywhere without wearing sunglasses and hat (and even then the damn !#¤%&/ ask you to take them away in some places like airport .... )
Thanks, that cleared my first question and educated me more! Much appreciated. I'm still not sure how browserleaks.com detected MisterB's real location. If I understand it correctly, MAC address don't fly over internet and are only used on LAN (by MAC address table & ARP table). So I guess the site runs javascript to get MAC address. If so, disabling javascript might help. Yeah, these smartphones send all wifi's info (BSSID in particular) it sees with geolocation, and Googld did this even when GPS was disabled. Terrible.
You are right, it needs javascript. The JS uses maps.google.com to determine location. The browser will usually ask permission to allow maps.google.com to useI just did the test again and passed this time. I looked at the Wifi networks around and there are none active at the moment that would locate me. What the script does is look at access points in the area and check it against the location database so you don't have to be connected to the access point that gives away the location. I just did the test on 3 different browsers and only one gave any result at all and that was a false location based on the VPN IP so google location services will try multiple approaches to get a location. It should be. If the client VM has no access to the wifi and can't see the available access point BSSIDs, it should be safe. From the tests I've run, google geolocation will prioritize cell towers and access points over IPs. Obviously, those are what will give the most precise location. The IP and DNS server will just give the region while an access point or cell tower will give location to a few meters. I just did a quick search and found code examples of how to get BSSIDs with Javascript pretty quickly. https://gist.github.com/Maksims/6084210 This also turned up which gives a pretty good run down of the process. https://milo2012.wordpress.com/2012/02/23/geolocation-via-wireless-access-points/
Yes, that's right. You don't see MAC addresses in the public Internet but inside LANs (home users/small businesses) or WANs (big operators, companies). ARP table lookups get MAC address when only IP address is known inside those private network while RARP lookup (obsolete now, replaced by DHCP) did get the reverse, IP address when only MAC is known. My WWAN (3G modem) connection uses operator NAT. And my router that the 3G modem is connected is also NATed for my own personal LAN. So in effect when I startup, my 3G modem in the router get's "public" IP address that in reality is already NATed (I can see that the IP address my 3G modem is bindto and the IP address I get when visiting any IP check site are different). And here's the thing: I have no doubt, whatsoever, that my operator can see my 3G modem MAC address (because it's inside their own private network, WAN) so even tought it's very unlikely that my 3G modem MAC address would leak to Internet, I still do the MAC spoofing because I don't really trust my operator My god you are right http://www.zdnet.com/article/how-google-and-everyone-else-gets-wi-fi-location-data/ No wonder that I have not seen Google cars long time now....
@MisterB @Stefan Froberg Thx, all my questions're now solved! TBH I didn't know that can be done via javascript. So disabling javascript will work as a mitigation, but once you allowed script for a website trying to get your MAC address (and threw it to Google Map API), you're at risk and then running VPN on VM separated from physical network will be solution. Thx again Stefan for teaching me basics, tho I had to read 3 or 4 times to understand the gist of what you said Wow, that's quite old article...but still relevant. These are the latest addition to the story. http://www.zdnet.com/article/google-admits-tracking-users-location-even-when-setting-disabled/ http://insider.foxnews.com/2018/02/...report-silicon-valley-surveillance-capitalism
Wellcome Wow! That's quite nasty of Google! Hmmm...now my little app shows the approximate radius where the cell tower should be. Satellite image: Zoomed to max...damn, still no visible cell tower EDIT: From https://qz.com/1131515/google-colle...ons-even-when-location-services-are-disabled/ "Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?" and: "Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed." Ok, I just lost the final, 1% of trust that I had left for Google....
@Stefan Froberg - So hey, are you indeed selling this app? What's the OS? What are you asking for it?
Yes I am. Linux at the moment but if wanted, I can easily make Windows version of it. Hmmm...would $5 be okay?
Sure. Wow! My first customer I will first polish it a lil bit and try to make a one, statically linked binary of it. That way it could be run in any Linux distro without me having to create separate package for each one.
OK, please let me know, and share a Bitcoin address. I did an "Ask HN" and got no answers. So maybe you'd want to do a "Show HN" after some beta testing Or I could post it.
HN = Hacker Network? Sure, that would be great if you could do a review and test there One thing, I found out that I have not updated my very very very old bitcoin wallet for ages..... How much does the offline bitcoin wallet need disk space nowadays?
Just use Electrum. It doesn't download the full blockchain, and so doesn't contribute to the network. But it's still a local wallet, and you have complete ownership of your keys. The blockchain is many GB at this point.
Thanks @mirimir I try to get all setup during this week. Also, got this nice cell tower sqlite table now ready with 39 million tower locations so it would be easy to just select the country/operator (aka mcc/mnc) from one list and then from another list the available towers (lac/cellid) for that country/operator combo.
Well, I have the following ready now: Freely available, XZ compressed cell tower SQLite database: Code: https://www.orwell1984.today/cell_towers.db.xz User guide: Code: https://www.orwell1984.today/CellTowerFinder_Quick_Guide.pdf And the actual program but, uh, how is this bitcoin transaction going to work? I send you my bitcoin address here (or PM?) wait for the $5 (0.000699 BTC?) and then PM you temporary download link? Or how? The only money I have in my bitcoin wallet is from few bitcoin faucets that I collected 5 - 6 years ago ... EDIT: God I need sleep now ...
Just PM me with the Bitcoin address to use. And then PM me the temporary download link? Does this app work on PCs, using WiFi MACs?
Okay Um, you mean does it run with PC's with Wifi? Sure. As long as have 64-bit Linux distro underneath and the dependency listed in that quick user guide is installed. But if you meant does it list PC's with Wifi MACs' that's a good question. I have had not much luck getting any Wifi device to appear to map, no matter what MAC addresses I used, I even tried the manual method listed at the end of Google's docs Code: https://developers.google.com/maps/documentation/geolocation/intro but nothing I am beginning to suspect that either the Google Geolocation just does not work for Wifi or I have had super bad luck and choosed addresses that are not in their database. Cell tower location with or without Google Geolocation works fine tought I try some of the other Wifi tracking options that are out there and integrate into next version which will be free for old customers
Back to the OP, I found IVPN says they use CentOS. I haven't used CentOS as I understand it is server OS, so no idea how secure it is, but hope IVPN has taken additional measures to secure them when necessary.
I have been searching for how each VPN provider have responded against past vulns. Unfortunately, there's no place which aggregates them so I had to search with keywords and each provider name. (A small exception may be this but it's about website, not service itself.) It has been meaningful, but then suddenly I think of another way, and searched in plaintextoffender. You'll see some VPN providers (proxy.sh, froot, Boleh, Strong, etc.) store user passwd in plain text in their server (full list is here). It won't be security risk if the pwd is only for using service w/out bandwidth limitation, but it can be risk if the same account is tied to e.g. payment info, the provider's forum, etc.
