Greenguy's Board


Old 2005-03-11, 10:30 AM   #1
DMc
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
 
Join Date: Sep 2004
Location: Amsterdam
Posts: 54
Scary or just what the doctor ordered?

Tracking PCs anywhere on the Net

A University of California researcher says he has found a way to identify computer hardware remotely, a technique that could potentially unmask anonymous Web surfers by bypassing some common security techniques. (link)
__________________
Darryl McDade
Merchant Relationship Executive
Verotel Merchant Services BV

DMc is offline   Reply With Quote
Old 2005-03-11, 02:25 PM   #2
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
That's interesting and I'll be reading his paper, but only
because I've been fingerprinting remote systems for years
and his idea gives me yet another way to increase the accuracy
of my printing. Strongbox fingerprints the remote system
whenever a user logs in to your pay site so that we can
block password trading without relying on unreliable techniques
such as simply counting IP addresses.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-11, 03:51 PM   #3
Joe
The information superhighway showed the average person what some nerd thinks about Star Trek
 
Join Date: Mar 2005
Location: California
Posts: 337
What's new? Microsoft has been doing this for years.
__________________
Joe's Porn Shack = Golden SE traffic
Joe is offline   Reply With Quote
Old 2005-03-11, 05:46 PM   #4
WWCDonMike
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
 
Join Date: Mar 2005
Location: Los Angeles
Posts: 24
There is no such thing as privacy these days. Everything you do or say online is tracked somewhere.
__________________
DonMike@WorldWideContent.com - ICQ 329037721
Check out WorldWideContent.com version 2.0!!!
WWCDonMike is offline   Reply With Quote
Old 2005-03-11, 06:42 PM   #5
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
BTW after reading the full 15 page paper, I learned that
the technique isn't as effective as you might think from the
short article. Essentially it lets you classify all remote
computers into about 50 groups. It's as though there were
only 50 different fingerprints shared by everyone in the world.
If the suspect's fingerprints are different from those at
the scene of the crime you could say they didn't commit
the crime. If they do match, they would also match
100,000,000 other people besides the suspect so
it's not that useful.

So it's not too much more useful than standard techniques
we've used for a long time - classifying users by what browser
they use, what operating system, etc. It just provides one
more criteria to distinguish between groups of users.
It's a criteria we might use in Strongbox, though.
Currently Strongbox is only about 15,000 times accurate
than something like Pennywize. Adding the skew factor
multiplies that by 50, so it'll be 750,000 times more accurate.
Actually that's not entirely true though, after making various
adjustments it'll be maybe 300,000 times as accurate.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-11, 11:01 PM   #6
RawAlex
Took the hint.
 
Join Date: Mar 2003
Posts: 5,597
Raymor, just a dumb question, but how much information are you LEGALLY allowed to collect from an end user about their computer before you have violated their right to privacy? Are things like the SN for their media player, nic card ID, etc acceptable to collect and retain? Do you have to disclose this to the end user?

Alex
RawAlex is offline   Reply With Quote
Old 2005-03-12, 11:10 AM   #7
LindaMight
Oh! I haven't changed since high school and suddenly I am uncool
 
Join Date: Nov 2003
Location: Up there and down here
Posts: 258
Strongbox

With all the hackers, password sharers and generally idiotic and mean and greedy people in cyberspace, Strongbox is the best I have seen by far. It sure helps my site with the idiots.



go Ray.

Linda
__________________
The Woman with a Surprise
LindaMight is offline   Reply With Quote
Old 2005-03-12, 04:21 PM   #8
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Quote:
Originally Posted by RawAlex
Raymor, just a dumb question, but how much information are you LEGALLY allowed to collect from an end user about their computer before you have violated their right to privacy? Are things like the SN for their media player, nic card ID, etc acceptable to collect and retain? Do you have to disclose this to the end user?

Alex

Unfortunately the MAC address for the NIC isn't available unless the server
is on the same ISP as they are in the same facility and the same cage,
which would be a very rare case.
If there are routers between the two machines, which is almost
always the case, you'll see only an IP address and not a MAC address.
Thus in the general case you don't have any specific identifying information.
Without a cookie at least, the best you can do is categorize the
connections in certain ways. For example you can say that this particular
connection came from a Win98 SE user running a 3 year old browser called IE 6
whose clock is off by about 4 minutes, they have Excel installed
but not Acrobat Reader, and they logged in as "joebob".
The best identifier is the username that
they gave you specifically to let you identify them.
The other information, such as operating system,
identifies only a class of machines, not a
particular machine or user.
Of course one could also offer a cookie at
signup time and if the user chooses to
give you that cookie info back you'd be able to
associate it with the sign info they gave you.

I never finished law school, but as far as I'm aware
there are no laws about keeping logs of what
types of operating systems etc. have used your site.
Personally identifiable information such
as name and phone number can't be collected
from those under 13 years of age without parental
consent in the US. Otherwise if they choose
to give you that info I don't know of any laws
against keeping the info around.

Strongbox primarily uses passive data collection.
It only analyzes information that the user offers
as opposed to seeking out information (except for requesting the user/pass).
I don't see any issues legally or ethically with using
information that the user provides for security purposes.
Obviously selling personal information like names and email addresses
to spammers would be an ethical violation, though
probably not a legal one at this time. Because Strongbox doesn't share
information with outsiders but only uses it for
internal security I haven't had to delve into these issues.
Strongbox does have one active component
but essentially it just records whether or
not the remote machine chose to grant us permission
to do certain things. We don't do anything
that anyone would complain about, we
simply ask permission to do things and
then record whether or not we got permission.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-12, 05:28 PM   #9
ClickBuster
I'm normally not a praying man, but if you're up there, please save me Superman!
 
Join Date: Dec 2004
Location: Bulgaria
Posts: 476
Nice dude I always like reading that kind of threads. Sounds cutting edge, when it's not really that special. Do you know what I hate about that kind of systems as yours, they abuse something that I can't stop. For fuck's sake, why the hell my IE says it's IE and additionally it says OS, version and a bunch of shitz I can't stop. In order to do that kind of manipulation (stop the data flow) I have to bury myself in a shitload of docs and read thru tons of articles and whitepapers to find 10 lines of information explaining the whole thing and where should I look to change details (i.e. replace the strings saying "Internet Explorer" and "6.0"). Of course I do stats myself, I mean I collect some of the information as you (most of the time not so detailed as in your case, but who knows, I may start some day).

What I would suggest (in hardcore mode data collecting) is to perform a quick scan on the client's machine - some port probing and additionally version identification on network services running on the box. There're many internal AND filtered protocols that are used for software packages to communicate with each other, as there're many protocols that are somehow related to hardware installed on the machine (again communication/control tools). The trick is to use a separate client to do the job (ie, get a queue of hosts to scan and scan them (as long as it's legal of course)).

I'm sorry, I just had to speak with somebody about that kind of things. The need burns my soul... I hope we continue the conversation... GG/MML get a Hi-Tech forum guys!

Best wishes,
Andrew
__________________
The tendency is to push it as far as you can
-- Fear and Loathing In Las Vegas
ClickBuster is offline   Reply With Quote
Old 2005-03-12, 06:01 PM   #10
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
There are good reasons your IE 6 browser says it's IE 6.
Because we know that you are using an ancient (3 years old)
browser that was written with the specific goal of distorting
or violating internet standards, we know better than to send
you standards compliant HTTP responses or standards compliant
HTML because your browser won't handle them properly.
Take a look in your web server config some time and you'll see
various hacks that are done to send IE the invalid or unrecommended
crap that it expects. That stuff won't work or won't work as well
as in standards compliant browsers, so we can sort them out from
your granny browser and speak proper http to modern browsers.

If you blocked that info you'd make IE unusable because you'd start
getting standards compliant web pages via standards compliant
http and IE would totally choke.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-12, 07:23 PM   #11
ClickBuster
I'm normally not a praying man, but if you're up there, please save me Superman!
 
Join Date: Dec 2004
Location: Bulgaria
Posts: 476
True, but still not very polite.

Here's the deal. First of all, browser version has shit to do with the HELO request my browser is sending to get the damn headers and body that your server sends. Although it's not only HELO, but again it's not the browser version that is important in that case. You're the one that can exploit the browser vulnerability, not the browser that can hack your server (not that you can't hack with browser, I'm not talking about this). The server sends response headers the browser does or doesn't understand depending on the version, etc - there's no chance that your Apache or IIS or whatever you're using is sending different headers depending on the browser version, BECAUSE all popular browsers are made to understand HTTP the way it is now, because it hasn't changed for YEARS... or maybe you're saying that IE 4 sends different "give me the page" headers than IE 6.5? There may be some vulnerabilities that are in version 4 and are not in version 6, but that's not the same thing.

Your JS is the one identifying my browser version and redirects me to a server-side app that will do whatever it has to do to send me the proper HTML that is understandable by my browser (if you ever create that kind of code), which although is a good thing, meaning that you (the webmaster) can provide HTML that is compatible to any browser (don't forget that 99% of the Internet doesn't care that much about that kind of things).

However, getting my browser version with JS may lead to the hack. For instance, the surfer has a vuln. browser and is redirected to a script that executes the JS exploit OR the buffer overflow exploit (for example caused by a vulnerable header parser). Well, a hacker wouldn't test this in general and would try to exploit everything he can, but what about version dependent variable values that would complete the hack? What about the fact that OS identification (JS code again) may lead to further attacks. Data collecting is good thing for the hackers as a general meaning, so please, don't explain to me how good it is that my browser can give away all that info for free. There're tons of cases that this can be proved bad.

I understand getting plugin version for instance (no matter that most of the time it something like "Flash 5 for Windows XP"), but this is something else.

I want to say something here to the paysite owners that may read this thread. From what I'm hearing and reading about Strongbox - it's a good service, don't get me wrong, that will boost your business and reduce the password exchange, which will increase yours and your webmasters' income for sure.

However Ray, what your company is doing here is that it exploits a major flaw in the browsers themselves and that's a fact, no matter what you'll say. By flaw, please don't understand vulnerability, just something that I find somesort needless or that needs to be replaced with something else that is more secure (which, again, won't happen).

And Ray, I hope you're not offended in any way from this discussion. I really enjoy it.

Regards and best wishes,
Andrew

PS>
I'm using FireFox
__________________
The tendency is to push it as far as you can
-- Fear and Loathing In Las Vegas
ClickBuster is offline   Reply With Quote
Old 2005-03-13, 02:45 PM   #12
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Quote:
First of all, browser version has shit to do with the HELO request my browser is sending to get the damn headers and body that your server sends.
...
there's no chance that your Apache or IIS or whatever you're using is sending different headers depending on the browser version, BECAUSE all popular browsers are made to understand HTTP the way it is now, because it hasn't changed for YEARS... or maybe you're saying that IE 4 sends different "give me the page" headers than IE 6.5?

BTW, HELO is a part of a POP3 request to retrieve mail.
It's not used by browsers or for web pages. Web browsers
send GET, HEAD, and POST requests.
Perhaps my last message wasn't very clear.
The whole point of my last message is that indeed
almost all web servers respond very differently
to IE (versions 4, 5, 5.5, AND 6) than they do to
other, standards compliant browsers. They do so based
entirely on the request sent by the browser, which looks
something like this:

GET /somepage.html HTTP/1.1
CONNECTION: Keep-Alive
USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)
PRAGMA: no-cache
HOST: www.dcs.napier.ac.uk
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
ACCEPT: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

There are many other headers that can be included, of course.
The above example has no cookie being returned, no CGI
data, etc. but it's fairly typical of a basic request. It tells us that
it's MSIE 5.22 on PowerPC preferring British English, among
other things.

There's no JavaScript involved. I don't know where you got that idea,
or the idea that Strongbox redirects the user to some other web page.
Check your httpd.conf and
you're likely to find all of these hacks for IE and many more:
<IfDefine SSL>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive \
ssl-unclean-shutdown \
downgrade-1.0 \
force-response-1.0
</IfDefine>

These particular lines say that if it's IE trying to do SSL
then use HTTP 1.0 and close the connection even though
IE says it can handle keeping the connection open
for the next request. IE can't handle HTTP 1.1 at all
with SSL even though indeed HTTP 1.1 has been the standard
for over 6 years now. IE also sends a keep alive request,
asking the server to leave the connection open for the
next request, but in fact it chokes if the server does that.
You'll see other directives in there that do in fact send
different responses to IE4 vs. IE5 vs. IE6 precisely because
none of them follow the standards very closely at all and
they don't even all behave the same. If you responded to
IE4 with a response designed for IE6 that would choke IE4.
It's not _supposed_ to be that way, no. They are all supposed
to speak standard HTTP. But they don't. Not by a long shot.

Some of this is just bugs in IE, MS quality control is not too good.
Some of it is Microsoft's written policy of intentionally "warping"
standards such as HTTP and HTML so that people will start designing
pages and servers for IE, in which case they won't work with other browsers.
Remember those icons you used to see on _SO_ many web pages
saying that the page was designed for MSIE? That wasn't an accident.
MS executives testified that MS worked very hard to make sure that
IE wouldn't accept "generic" standards compliant pages and that
pages designed for IE wouldn't work in other browsers in a largely
successful attempt to get all pages designed for IE and make sure
that everyone therefore had to use IE in order to use the pages fully.

Strongbox uses no Javascript, so I'm not sure where you're getting that,
and it doesn't exploit any browser vulnerabilities either.
Strongbox simply records and analyzes information to protect
your site.
Personally I don't see it as impolite for Strongbox to record the fact
that so far today the user name "sureimlegit" has logged
in using MSIE 6, Firefox 1.0, and Mozilla 1.7.3, as well as the fact
that on different occasions "sureimlegit" has preferred American
English, British English, and Chinese, so it's probably NOT the
same person logging in 3 times and the password is probably compromised.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-13, 03:12 PM   #13
RawAlex
Took the hint.
 
Join Date: Mar 2003
Posts: 5,597
Raymor, I would think that if you haven't already spent some time with a lawyer, I think you really should. Your collection of info RELATED TO and with the intent of identifying a single user is VERY borderline. You need a lawyer that is not only up to date on US privacy laws, but those of Canada, Europe, and Asia.

In effect, your system has recorded a "machine set" for an individual user, and you decline access from machines that don't match that "machine set". (machine set being timeclock, extensions supported, browser, version, java enabled, and so on). Somewhere for each installation there is a list of users and a hash of their machine set.

I really do recommend a few moments with a lawyer, your potential liability right now is VERY high.

Alex
RawAlex is offline   Reply With Quote
Old 2005-03-13, 03:21 PM   #14
Cleo
Subversive filth of the hedonistic decadent West
 
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
All I know is that except for the issue of WMV files on the Mac Strongbox is the most perfect solution that I have ever seen.

Strongbox simply rocks. Since putting in Strongbox over at FoxyAngel we now look forward to having her login information posted to the password sharing sites as they often buy memberships after giving up on trying to hack in.
__________________
Free Rides on Uber and Lyft
Uber Car: uberTzTerri
Lyft Car: TZ896289
Cleo is offline   Reply With Quote
Old 2005-03-13, 03:48 PM   #15
ClickBuster
I'm normally not a praying man, but if you're up there, please save me Superman!
 
Join Date: Dec 2004
Location: Bulgaria
Posts: 476
About the HELO thing, I never looked at the HTTP RFC for more info, I just tried "telnet www.greenguysboard.com 80" and typed a HELO to see what happens. The output was the index of the site, which is why I decided my memory is not making jokes with me. However, I'm sure you're correct here as I'm sure that you're very experienced with what you're doing.

I made my conclusion based on the way other systems are logging that kind of information - counters. I know that web counters are getting tons of data using JS, which in the end produces that stats report for the site's usage. I thought you may be working in the same manner, mentioning the fact that I never have looked at your backend, so it's just an assumption.

Thanks for all the information you posted here. It's really interesting. I hope I have time to spend on protocol analysis in order to learn more about the net itself. I have some good experience with server/client side coding and thought I had it all explained in my head, it seems now it's not like this. Thanks for your time Ray, I really appreciate the conversation.

Regards,
Andrew
__________________
The tendency is to push it as far as you can
-- Fear and Loathing In Las Vegas
ClickBuster is offline   Reply With Quote
Old 2005-03-13, 04:09 PM   #16
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Thanks for the advice re lawyers, RawAlex. Indeed we've spent quite
a bit of time with quite a few lawyers. Mostly related to our patents,
and other issues, but I think we have the privacy thing covered.
Note also that Strongbox doesn't store very much more info than
a typical web server log. It just analyzes that information in a different way.
Your normal stats program might tell you which usernames, browsers,
operating systems, etc. accessed your site based on the Apache log data.
Strongbox simply divides that data differently than Webalizer etc. by
stripping out all usernames except the one of interest at the moment,
so it sees which browsers, OSes, etc. submitted a particular username.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
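Added example, not part of any post in this thread and not Strongbox code: a sketch of the per-username log analysis raymor describes in posts #12 and #16, grouping successful logins by username and counting distinct browser/language classes instead of IP addresses. It assumes a custom Apache LogFormat with Accept-Language appended; the log lines are constructed, and the function names and the threshold of 3 are hypothetical.

```python
import re
from collections import defaultdict

# Assumed custom Apache LogFormat (not from the thread): combined-style fields
# with Accept-Language appended:
#   %h %l %u %t "%r" %>s %b "%{User-Agent}i" "%{Accept-Language}i"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"'
)

# Constructed sample log. IPs are documentation ranges; usernames are the
# ones raymor uses as illustrations in the thread.
SAMPLE_LOG = """\
192.0.2.10 - sureimlegit [13/Mar/2005:09:02:11 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "en-us"
198.51.100.23 - sureimlegit [13/Mar/2005:11:40:03 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041107 Firefox/1.0" "en-gb,en;q=0.5"
203.0.113.5 - sureimlegit [13/Mar/2005:14:17:55 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.7.3) Gecko/20040913" "zh-cn,zh;q=0.5"
203.0.113.77 - sureimlegit [13/Mar/2005:15:10:42 -0400] "GET /members/ HTTP/1.1" 401 401 "Opera/7.54 (Windows NT 5.1; U)" "de"
192.0.2.101 - joebob [13/Mar/2005:08:00:00 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.102 - joebob [13/Mar/2005:08:20:00 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.103 - joebob [13/Mar/2005:12:05:00 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.104 - joebob [13/Mar/2005:19:45:00 -0400] "GET /members/ HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.200 - - [13/Mar/2005:10:00:00 -0400] "GET / HTTP/1.1" 200 1024 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "en-us"
"""


def browser_family(ua):
    """Reduce a User-Agent string to a coarse 'family version' label."""
    for pattern, name in (
        (r'MSIE (\d+)', 'MSIE'),
        (r'Firefox/(\d+\.\d+)', 'Firefox'),   # checked before the generic Gecko rule
        (r'rv:([\d.]+)\) Gecko', 'Mozilla'),
    ):
        m = re.search(pattern, ua)
        if m:
            return f'{name} {m.group(1)}'
    return 'other'


def primary_language(accept_language):
    """First language tag of Accept-Language, lowercased, without q-values."""
    return accept_language.split(',')[0].split(';')[0].strip().lower() or '-'


def summarize(log_text):
    """Map (username, day) -> distinct client classes and distinct IPs."""
    seen = defaultdict(lambda: {'classes': set(), 'ips': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['user'] == '-' or m['status'] != '200':
            continue  # skip unparsable, anonymous and failed-auth requests
        day = m['ts'].split(':', 1)[0]
        entry = seen[(m['user'], day)]
        entry['classes'].add((browser_family(m['ua']), primary_language(m['lang'])))
        entry['ips'].add(m['ip'])
    return dict(seen)


def flag_shared(log_text, min_classes=3):
    """Usernames seen from at least min_classes distinct client classes in a day."""
    return sorted(
        user for (user, _day), e in summarize(log_text).items()
        if len(e['classes']) >= min_classes
    )


if __name__ == '__main__':
    for (user, day), e in sorted(summarize(SAMPLE_LOG).items()):
        print(user, day, len(e['ips']), 'IPs', sorted(e['classes']))
    print('flagged:', flag_shared(SAMPLE_LOG))
```

In the constructed data, joebob arrives from four addresses but always as the same client class, while sureimlegit shows three classes from three addresses, so a plain IP count would rank the wrong account as the more suspicious one.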
Old 2005-03-13, 04:10 PM   #17
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Oh I forgot to say I've enjoyed discussing this with you as well,
ClickBuster. You posted some interesting ideas.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
Old 2005-03-14, 04:38 AM   #18
tickler
If there is nobody out there, that's a lot of real estate going to waste!
 
Join Date: Dec 2003
Posts: 2,177
Raymor:
I know that the actual SN#s for the PC can be accessed through various programming languages like VisualBasic, etc. I would assume JAVA also.

Do you think it will reach the point where a Java applet is inserted to permit users access to the paysite as a signup condition. I'm thinking of something like 35M without all the crap.

Curious, because I am starting to work on some AI stuff that will be using some way of identifying different people, to permit interactions between non-formal systems.
__________________
Latina Twins, Solo, NN, Hardcore
Latin Teen Cash
tickler is offline   Reply With Quote
Old 2005-03-14, 05:49 AM   #19
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Quote:
Originally Posted by tickler
Raymor:
I know that the actual SN#s for the PC can be accessed through various programming languages like VisualBasic, etc. I would assume JAVA also.

Do you think it will reach the point where a Java applet is inserted to permit users access to the paysite as a signup condition. I'm thinking of something like 35M without all the crap.

So far processor serial numbers have been a one year thing.
Intel started using them in 1999. There was a big stink and
later that year a complaint was filed against Intel with the FATC.
By 2000 Intel ceased putting serial numbers in their chips.
To my knowledge, for the last 5 years there hasn't been any serial number that any
program could access, only something stamped in ink that has to
be read with a flashlight and some human eyes.

I certainly hope it never goes back to having a serial number within the
chip itself. Microsoft + processor serial number = very bad.
Not to even mention the possibilities if citizens were dumb enough
to let the government go anywhere near that serial number.
Of course if that did happen within 60 days or so I'd expect plenty
of software to be available to block it and I expect a large percentage of users,
including myself, would use such software.

On the other hand, hardware dongles are being used for authentication.
This scenario is different because the user specifically purchases
the dongle in order to positively identify themselves and inserts it
into a USB slot only when they wish to prove their identity.
Though I may use such technology as part of protecting sensitive
data in A&M research labs (if that contract goes through), I don't
expect many porn sites to use them any time soon because so
many users won't have them or won't want to use them it would be very bad for sales.
20-50 years from now I wouldn't be at all surprised if that changed.
I can see a memory stick on your keychain which serves as
your credit card, perhaps your entire wallet, which you'd swipe/scan
to make the initial purchase and then again to log in.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
raymor is offline   Reply With Quote
All times are GMT -4.