2005-03-11, 10:30 AM | #1 |
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
Join Date: Sep 2004
Location: Amsterdam
Posts: 54
|
Scary or just what the doctor ordered?
Tracking PCs anywhere on the Net
A University of California researcher says he has found a way to identify computer hardware remotely, a technique that could potentially unmask anonymous Web surfers by bypassing some common security techniques. (link) |
2005-03-11, 02:25 PM | #2 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
That's interesting and I'll be reading his paper, but only because I've been fingerprinting remote systems for years and his idea gives me yet another way to increase the accuracy of my printing. Strongbox fingerprints the remote system whenever a user logs in to your pay site so that we can block password trading without relying on unreliable techniques such as simply counting IP addresses. |
2005-03-11, 03:51 PM | #3 |
The information superhighway showed the average person what some nerd thinks about Star Trek
Join Date: Mar 2005
Location: California
Posts: 337
|
What's new? Microsoft has been doing this for years.
2005-03-11, 05:46 PM | #4 |
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
|
There is no such thing as privacy these days. Everything you do or say online is tracked somewhere.
__________________
DonMike@WorldWideContent.com - ICQ 329037721 Check out WorldWideContent.com version 2.0!!! |
2005-03-11, 06:42 PM | #5 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
BTW after reading the full 15 page paper, I learned that the technique isn't as effective as you might think from the short article. Essentially it lets you classify all remote computers into about 50 groups. It's as though there were only 50 different fingerprints shared by everyone in the world. If the suspect's fingerprints are different from those at the scene of the crime you could say they didn't commit the crime. If they do match, they would also match 100,000,000 other people besides the suspect so it's not that useful. So it's not too much more useful than standard techniques we've used for a long time - classifying users by what browser they use, what operating system, etc. It just provides one more criterion to distinguish between groups of users.
It's a criterion we might use in Strongbox, though. Currently Strongbox is only about 15,000 times more accurate than something like Pennywize. Adding the skew factor multiplies that by 50, so it'll be 750,000 times more accurate. Actually that's not entirely true though, after making various adjustments it'll be maybe 300,000 times as accurate. |
2005-03-11, 11:01 PM | #6 |
Took the hint.
|
Raymor, just a dumb question, but how much information are you LEGALLY allowed to collect from an end user about their computer before you have violated their right to privacy? Are things like the SN for their media player, nic card ID, etc acceptable to collect and retain? Do you have to disclose this to the end user?
Alex |
2005-03-12, 11:10 AM | #7 |
Oh! I haven't changed since high school and suddenly I am uncool
|
Strongbox
With all the hackers, password sharers and generally idiotic and mean and greedy people in cyberspace, Strongbox is the best I have seen by far. It sure helps my site with the idiots.
go Ray. Linda
__________________
The Woman with a Surprise |
2005-03-12, 04:21 PM | #8 | |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Quote:
Unfortunately the MAC address for the NIC isn't available unless the server is on the same ISP as they are in the same facility and the same cage, which would be a very rare case. If there are routers between the two machines, which is almost always the case, you'll see only an IP address and not a MAC address. Thus in the general case you don't have any specific identifying information. Without a cookie at least, the best you can do is categorize the connections in certain ways. For example you can say that this particular connection came from a Win98 SE user running a 3 year old browser called IE 6 whose clock is off by about 4 minutes, they have Excel installed but not Acrobat Reader, and they logged in as "joebob". The best identifier is the username that they gave you specifically to let you identify them. The other information, such as operating system, identifies only a class of machines, not a particular machine or user. Of course one could also offer a cookie at signup time and if the user chooses to give you that cookie info back you'd be able to associate it with the sign info they gave you.
I never finished law school, but as far as I'm aware there are no laws about keeping logs of what types of operating systems etc. have used your site. Personally identifiable information such as name and phone number can't be collected from those under 13 years of age without parental consent in the US. Otherwise if they choose to give you that info I don't know of any laws against keeping the info around. Strongbox primarily uses passive data collection. It only analyzes information that the user offers as opposed to seeking out information (except for requesting the user/pass). I don't see any issues legally or ethically with using information that the user provides for security purposes. Obviously selling personal information like names and email addresses to spammers would be an ethical violation, though probably not a legal one at this time.
Because Strongbox doesn't share information with outsiders but only uses it for internal security I haven't had to delve into these issues. Strongbox does have one active component but essentially it just records whether or not the remote machine chose to grant us permission to do certain things. We don't do anything that anyone would complain about, we simply ask permission to do things and then record whether or not we got permission. |
|
2005-03-12, 05:28 PM | #9 |
I'm normally not a praying man, but if you're up there, please save me Superman!
|
Nice dude I always like reading that kind of threads. Sounds cutting edge, when it's not really that special. Do you know what I hate about that kind of systems as yours, they abuse something that I can't stop. For fuck's sake, why the hell my IE says it's IE and additionally it says OS, version and a bunch of shitz I can't stop. In order to do that kind of manipulation (stop the data flow) I have to bury myself in a shitload of docs and read thru tons of articles and whitepapers to find 10 lines of information explaining the whole thing and where should I look to change details (i.e. replace the strings saying "Internet Explorer" and "6.0"). Of course I do stats myself, I mean I collect some of the information as you (most of the time not so detailed as in your case, but who knows, I may start some day).
What I would suggest (in hardcore mode data collecting) is to perform a quick scan on the client's machine - some port probing and additionally version identification on network services running on the box. There're many internal AND filtered protocols that are used for software packages to communicate with each other, as there're many protocols that are somehow related to hardware installed on the machine (again communication/control tools). The trick is to use a separate client to do the job (ie, get a queue of hosts to scan and scan them (as long as it's legal of course)). I'm sorry, I just had to speak with somebody about that kind of things. The need burns my soul... I hope we continue the conversation... GG/MML get a Hi-Tech forum guys! Best wishes, Andrew
__________________
The tendency is to push it as far as you can -- Fear and Loathing In Las Vegas |
2005-03-12, 06:01 PM | #10 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
There are good reasons your IE 6 browser says it's IE 6.
Because we know that you are using an ancient (3 years old) browser that was written with the specific goal of distorting or violating internet standards, we know better than to send you standards compliant HTTP responses or standards compliant HTML because your browser won't handle them properly. Take a look in your web server config some time and you'll see various hacks that are done to send IE the invalid or unrecommended crap that it expects. That stuff won't work or won't work as well as in standards compliant browsers, so we can sort them out from your granny browser and speak proper http to modern browsers. If you blocked that info you'd make IE unusable because you'd start getting standards compliant web pages via standards compliant http and IE would totally choke. |
2005-03-12, 07:23 PM | #11 |
I'm normally not a praying man, but if you're up there, please save me Superman!
|
True, but still not very polite.
Here's the deal. First of all, browser version has shit to do with the HELO request my browser is sending to get the damn headers and body that your server sends. Although it's not only HELO, but again it's not the browser version that is important in that case. You're the one that can exploit the browser vulnerability, not the browser that can hack your server (not that you can't hack with browser, I'm not talking about this). The server sends response headers the browser does or doesn't understand depending on the version, etc - there's no chance that your Apache or IIS or whatever you're using is sending different headers depending on the browser version, BECAUSE all popular browsers are made to understand HTTP the way it is now, because it hasn't changed for YEARS... or maybe you're saying that IE 4 sends different "give me the page" headers than IE 6.5? There may be some vulnerabilities that are in version 4 and are not in version 6, but that's not the same thing.
Your JS is the one identifying my browser version and redirects me to a server-side app that will do whatever it has to do to send me the proper HTML that is understandable by my browser (if you ever create that kind of code), which although is a good thing, meaning that you (the webmaster) can provide HTML that is compatible to any browser (don't forget that 99% of the Internet doesn't care that much about that kind of things). However, getting my browser version with JS may lead to the hack. For instance, the surfer has a vuln. browser and is redirected to a script that executes the JS exploit OR the buffer overflow exploit (for example caused by a vulnerable header parser). Well, a hacker wouldn't test this in general and would try to exploit everything he can, but what about version dependent variable values that would complete the hack? What about the fact that OS identification (JS code again) may lead to further attacks.
Data collecting is good thing for the hackers as a general meaning, so please, don't explain to me how good it is that my browser can give away all that info for free. There're tons of cases that this can be proved bad. I understand getting plugin version for instance (no matter that most of the time it something like "Flash 5 for Windows XP"), but this is something else. I want to say something here to the paysite owners that may read this thread. From what I'm hearing and reading about Strongbox - it's a good service, don't get me wrong, that will boost your business and reduce the password exchange, which will increase yours and your webmasters' income for sure. However Ray, what your company is doing here is that it exploits a major flaw in the browsers themselves and that's a fact, no matter what you'll say. By flaw, please don't understand vulnerability, just something that I find sort of needless or that needs to be replaced with something else that is more secure (which, again, won't happen). And Ray, I hope you're not offended in any way from this discussion. I really enjoy it. Regards and best wishes, Andrew PS> I'm using FireFox
__________________
The tendency is to push it as far as you can -- Fear and Loathing In Las Vegas |
2005-03-13, 02:45 PM | #12 | |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Quote:
It's not used by browsers or for web pages. Web browsers send GET, HEAD, and POST requests. Perhaps my last message wasn't very clear. The whole point of my last message is that indeed almost all web servers respond very differently to IE (versions 4, 5, 5.5, AND 6) than they do to other, standards compliant browsers. They do so based entirely on the request sent by the browser, which looks something like this:
    GET /somepage.html HTTP/1.1
    CONNECTION: Keep-Alive
    USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)
    PRAGMA: no-cache
    HOST: www.dcs.napier.ac.uk
    Accept-Language: en-gb
    Accept-Encoding: gzip, deflate
    ACCEPT: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
There are many other headers that can be included, of course. The above example has no cookie being returned, no CGI data, etc. but it's fairly typical of a basic request. It tells us that it's MSIE 5.22 on PowerPC preferring British English, among other things. There's no JavaScript involved. I don't know where you got that idea, or the idea that Strongbox redirects the user to some other web page. Check your httpd.conf and you're likely to find all of these hacks for IE and many more:
    <IfDefine SSL>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive \
        ssl-unclean-shutdown \
        downgrade-1.0 \
        force-response-1.0
    </IfDefine>
These particular lines say that if it's IE trying to do SSL then use HTTP 1.0 and close the connection even though IE says it can handle keeping the connection open for the next request. IE can't handle HTTP 1.1 at all with SSL even though indeed HTTP 1.1 has been the standard for over 6 years now. IE also sends a keep alive request, asking the server to leave the connection open for the next request, but in fact it chokes if the server does that. You'll see other directives in there that do in fact send different responses to IE4 vs. IE5 vs. IE6 precisely because none of them follow the standards very closely at all and they don't even all behave the same.
If you responded to IE4 with a response designed for IE6 that would choke IE4. It's not _supposed_ to be that way, no. They are all supposed to speak standard HTTP. But they don't. Not by a long shot. Some of this is just bugs in IE, MS quality control is not too good. Some of it is Microsoft's written policy of intentionally "warping" standards such as HTTP and HTML so that people will start designing pages and servers for IE, in which case they won't work with other browsers. Remember those icons you used to see on _SO_ many web pages saying that the page was designed for MSIE? That wasn't an accident. MS executives testified that MS worked very hard to make sure that IE wouldn't accept "generic" standards compliant pages and that pages designed for IE wouldn't work in other browsers in a largely successful attempt to get all pages designed for IE and make sure that everyone therefore had to use IE in order to use the pages fully.
Strongbox uses no Javascript, so I'm not sure where you're getting that, and it doesn't exploit any browser vulnerabilities either. Strongbox simply records and analyzes information to protect your site. Personally I don't see it as impolite for Strongbox to record the fact that so far today the user name "sureimlegit" has logged in using MSIE 6, Firefox 1.0, and Mozilla 1.7.3, as well as the fact that on different occasions "sureimlegit" has preferred American English, British English, and Chinese, so it's probably NOT the same person logging in 3 times and the password is probably compromised. |
|
2005-03-13, 03:12 PM | #13 |
Took the hint.
|
Raymor, I would think that if you haven't already spent some time with a lawyer, I think you really should. Your collection of info RELATED TO and with the intent of identifying a single user is VERY borderline. You need a lawyer that is not only up to date on US privacy laws, but those of Canada, Europe, and Asia.
In effect, your system has recorded a "machine set" for an individual user, and you decline access from machines that don't match that "machine set". (machine set being timeclock, extensions supported, browser, version, java enabled, and so on). Somewhere for each installation there is a list of users and a hash of their machine set. I really do recommend a few moments with a lawyer, your potential liability right now is VERY high. Alex |
2005-03-13, 03:21 PM | #14 |
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
|
All I know is that except for the issue of WMV files on the Mac Strongbox is the most perfect solution that I have ever seen.
Strongbox simply rocks. Since putting in Strongbox over at FoxyAngel we now look forward to having her login information posted to the password sharing sites as they often buy memberships after giving up on trying to hack in. |
2005-03-13, 03:48 PM | #15 |
I'm normally not a praying man, but if you're up there, please save me Superman!
|
About the HELO thing, I never looked at the HTTP RFC for more info, I just tried "telnet www.greenguysboard.com 80" and typed a HELO to see what happens. The output was the index of the site, which is why I decided my memory is not making jokes with me. However, I'm sure you're correct here as I'm sure that you're very experienced with what you're doing.
I made my conclusion based on the way other systems are logging that kind of information - counters. I know that web counters are getting tons of data using JS, which in the end produces that stats report for the site's usage. I thought you may be working in the same manner, mentioning the fact that I never have looked at your backend, so it's just an assumption. Thanks for all the information you posted here. It's really interesting. I hope I have time to spend on protocol analysis in order to learn more about the net itself. I have some good experience with server/client side coding and thought I had it all explained in my head, it seems now it's not like this. Thanks for your time Ray, I really appreciate the conversation. Regards, Andrew
__________________
The tendency is to push it as far as you can -- Fear and Loathing In Las Vegas |
2005-03-13, 04:09 PM | #16 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Thanks for the advice re lawyers, RawAlex. Indeed we've spent quite a bit of time with quite a few lawyers. Mostly related to our patents, and other issues, but I think we have the privacy thing covered. Note also that Strongbox doesn't store very much more info than a typical web server log. It just analyzes that information in a different way. Your normal stats program might tell you which usernames, browsers, operating systems, etc. accessed your site based on the Apache log data. Strongbox simply divides that data differently than Webalizer etc. by stripping out all usernames except the one of interest at the moment, so it sees which browsers, OSes, etc. submitted a particular username. |
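The per-username log analysis described in posts #12 and #16, as an added example that is not part of the thread and is not Strongbox's code: it groups authenticated requests by username and day and flags accounts seen with several distinct User-Agent / Accept-Language profiles. The log lines are constructed, the trailing Accept-Language field assumes a custom LogFormat, and the function names and the threshold of 2 are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: Apache "combined" format plus an assumed extra trailing
# field, "%{Accept-Language}i". IP addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - sureimlegit [13/Mar/2005:09:01:12 -0600] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
198.51.100.7 - sureimlegit [13/Mar/2005:11:40:03 -0600] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041107 Firefox/1.0" "en-gb,en;q=0.5"
203.0.113.44 - sureimlegit [13/Mar/2005:14:22:57 -0600] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.7.3) Gecko/20040913" "zh-cn"
192.0.2.99 - joebob [13/Mar/2005:08:15:00 -0600] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.120 - joebob [13/Mar/2005:20:47:31 -0600] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "en-us"
192.0.2.5 - - [13/Mar/2005:21:00:00 -0600] "GET / HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)" "en-gb"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<day>[^:\]]+):[^\]]*\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)


def fingerprints_by_user(log_text):
    """Map (username, day) -> set of (user_agent, primary_language) profiles."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":  # unparsable or unauthenticated request
            continue
        # Keep only the first language tag; q-values and fallbacks are noise here.
        lang = m["lang"].split(",")[0].split(";")[0].strip().lower()
        # The IP address is deliberately not part of the profile: one user
        # legitimately shows up from many addresses (dial-up, proxies, work/home).
        seen[(m["user"], m["day"])].add((m["ua"], lang))
    return seen


def suspected_shared(log_text, max_profiles=2):
    """Return {(username, day): profiles} where profiles exceed max_profiles."""
    flagged = {}
    for key, profiles in fingerprints_by_user(log_text).items():
        if len(profiles) > max_profiles:
            flagged[key] = sorted(profiles)
    return flagged


if __name__ == "__main__":
    for (user, day), profiles in suspected_shared(SAMPLE_LOG).items():
        print(f"{user} on {day}: {len(profiles)} distinct client profiles")
```

Here "joebob" logs in from two addresses with one profile and is not flagged, while "sureimlegit" shows three browsers and three preferred languages in one day.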
2005-03-13, 04:10 PM | #17 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Oh I forgot to say I've enjoyed discussing this with you as well, ClickBuster. You posted some interesting ideas. |
2005-03-14, 04:38 AM | #18 |
If there is nobody out there, that's a lot of real estate going to waste!
Join Date: Dec 2003
Posts: 2,177
|
Raymor:
I know that the actual SN#s for the PC can be accessed through various programming languages like VisualBasic, etc. I would assume JAVA also. Do you think it will reach the point where a Java applet is inserted to permit users access to the paysite as a signup condition? I'm thinking of something like 35M without all the crap. Curious, because I am starting to work on some AI stuff that will be using some way of identifying different people, to permit interactions between non-formal systems. |
2005-03-14, 05:49 AM | #19 | |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Quote:
Intel started using them in 1999. There was a big stink and later that year a complaint was filed against Intel with the FTC. By 2000 Intel ceased putting serial numbers in their chips. To my knowledge, for the last 5 years there hasn't been any serial number that any program could access, only something stamped in ink that has to be read with a flashlight and some human eyes. I certainly hope it never goes back to having a serial number within the chip itself. Microsoft + processor serial number = very bad. Not to even mention the possibilities if citizens were dumb enough to let the government go any where near that serial number. Of course if that did happen within 60 days or so I'd expect plenty of software to be available to block it and I expect a large percentage of users, including myself, would use such software.
On the other hand, hardware dongles are being used for authentication. This scenario is different because the user specifically purchases the dongle in order to positively identify themselves and inserts it into a USB slot only when they wish to prove their identity. Though I may use such technology as part of protecting sensitive data in A&M research labs (if that contract goes through), I don't expect many porn sites to use them any time soon because so many users won't have them or won't want to use them it would be very bad for sales. 20-50 years from now I wouldn't be at all surprised if that changed. I can see a memory stick on your keychain which serves as your credit card, perhaps your entire wallet, which you'd swipe/scan to make the initial purchase and then again to log in. |