The Online Tracking Device That is Virtually Impossible to Block

HardOCP News

There is a new tracking tool out there that researchers claim is virtually impossible to block. The creator claims to have been “looking for a cookie alternative.” Riiiight.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.
 
Gonna check that list and check out the blocking cookie. Not cool.
 
Looks like it is about time to start sandboxing everything. I hate cookie tracking and targeted ads as it is.

Plus, if it is not user based (computer based only from what it sounds) then it is not going to be reliable at all on multi-user computers.

The extent to which advertisers go to shove their wares down your throat is amazingly stupid. The same goes for data mining sites.
 
Looks like it is about time to start sandboxing everything. I hate cookie tracking and targeted ads as it is.

Plus, if it is not user based (computer based only from what it sounds) then it is not going to be reliable at all on multi-user computers.

The extent to which advertisers go to shove their wares down your throat is amazingly stupid. The same goes for data mining sites.

The insidious part here is they are using your system's drawing/display differences. Those pass through most sandboxes, otherwise you'd face a performance hit.

The browser would need to create generic virtual images while allowing the image to draw normally and show the generic virtual image upon a readback attempt.
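
The readback substitution described in the post above (and the blank canvas another poster attributes to Tor Browser), shown as an added example that is not part of the thread and not any browser's actual code. `StubCanvas`, `fnv1a`, `hardenReadback` and the `quirk` parameter are hypothetical names; the stub stands in for a real canvas so the block runs offline.

```javascript
// Constructed stand-in for a browser canvas. `quirk` models the GPU/driver/font
// differences that make the rendered pixels vary from machine to machine.
class StubCanvas {
  constructor(quirk) { this.quirk = quirk; this.pixels = []; }
  fillText(text) {
    this.pixels = Array.from(text, (ch, i) => (ch.charCodeAt(0) * 31 + i * this.quirk) & 0xff);
  }
  toDataURL() { return 'data:stub;pixels=' + this.pixels.join(','); }
}

// FNV-1a 32-bit: stands in for whatever hash a tracker applies to the readback.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The tracking step as the article describes it: draw, read back, hash.
function fingerprint(canvas) {
  canvas.fillText('sample text');
  return fnv1a(canvas.toDataURL());
}

// Defense: drawing is untouched; readback returns one generic image unless the
// user has allowed the page. In a browser the same wrapper would target
// HTMLCanvasElement.prototype.toDataURL / toBlob and
// CanvasRenderingContext2D.prototype.getImageData.
function hardenReadback(proto, isAllowed) {
  const original = proto.toDataURL;
  const GENERIC = 'data:stub;pixels=';          // identical answer on every device
  proto.toDataURL = function (...args) {
    return isAllowed() ? original.apply(this, args) : GENERIC;
  };
  return () => { proto.toDataURL = original; };  // undo handle
}

function demo() {
  const a = new StubCanvas(3), b = new StubCanvas(7);  // two different "devices"
  const before = [fingerprint(a), fingerprint(b)];
  const undo = hardenReadback(StubCanvas.prototype, () => false);
  const after = [fingerprint(a), fingerprint(b)];
  const drewNormally = a.pixels.length > 0;   // rendering itself still happened
  undo();
  return { before, after, drewNormally };
}
```

With the wrapper in place both stub devices hash to the same value, so the readback no longer separates them, while the drawing path keeps its normal cost.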
 
The apocalypse is one day closer now! I'm sure the Gov already has something like this they've printed us all with, now all the advertisers will too.
 
So what use is this to advertisers if I can't see ads anyway because I'm blocking them (except on the [H], of course)? Targeted advertising doesn't work if you have no advertising penetration to begin with.
 
Evidently Tor Browser can send a blank canvas, so is there a program yet where we can draw pictures on the canvas and send them? I have several ideas for pictures I would enjoy sending...
 
For something like whitehouse.gov, I can sort of see it. It's data mining to see who is engaged with the site. As a service to content creators, this kind of tracking makes some sense.

To advertisers? It's a hostile audience that at best you will build a profile of what they already buy, and that you don't have to work to sell to them. You aren't going to have much success with competitive intrusion via ads as odds are if you have to resort to this level of tracking, they are blocking the ad.
 
Evidently Tor Browser can send a blank canvas, so is there a program yet where we can draw pictures on the canvas and send them? I have several ideas for pictures I would enjoy sending...

This..... can we send malicious images.. aka, ones that will install a virus to wipe their servers?
 
Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

The above quote claims each computer has a completely unique fingerprint. In reality it seems every computer with the same Browser, OS, & GPU from the same family has the same fingerprint.

Source:
http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

It looks like this relies on javascript. So if you're really worried about it just block all javascript. Problem solved. You're probably already blocking it if you're at all concerned about tracking and privacy.
 
The majority of this test's specificity is hardware based difference mapping in WebGL rendering, and Web Fonts.

The pdf paper states that disabling web fonts makes you "stand out" and does you a disservice as, compared to their test data, you're more easily identified. I personally believe, however, that while it does force you to stand out - OUTSIDE their n=300 sampling (where only 4 users had it disabled), it would greatly decrease the reliability of distinguishing you from OTHER users with web-fonts disabled. Sure, compared to the norm, you would be identified, but identifying the machine fingerprint between other similar users would lose half its potency. With an n of, say, 300000000, even if the incidence of web-font enabled computers was 10% of that in their test data, you're still looking at 400k other users, and now your test loses half its potency.

And I run with WebGL off most of the time anyways, and have a separate chrome shortcut for when I need it on. I think I've needed WebGL, perhaps, 3 times since I re-formatted windows in January. Not to mention that driver updates, OS updates, card changes, differences in power settings, and over/underclocking can all affect the pixel map of the rendering. Even a few pixel difference is enough to ruin their continuing testing, as I believe they make a hash of all their data.
 
For something like whitehouse.gov, I can sort of see it. It's data mining to see who is engaged with the site. As a service to content creators, this kind of tracking makes some sense.

To advertisers? It's a hostile audience that at best you will build a profile of what they already buy, and that you don't have to work to sell to them. You aren't going to have much success with competitive intrusion via ads as odds are if you have to resort to this level of tracking, they are blocking the ad.

Ya no, it's even worse for something like whitehouse.gov. You post something one administration likes and the next one doesn't they now have you in a database to target if they want to fuck that
 
Why would someone make something like this?
What an asshole!
 
Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

When dipshits write tech articles...
 
About 4+ years ago, the TOR Project released a POC (Proof of Concept) showing how browsers are uniquely identifiable based on computer queries supported by all browsers.

This is somewhat old news.
 
The majority of this test's specificity is hardware based difference mapping in WebGL rendering, and Web Fonts.

The pdf paper states that disabling web fonts makes you "stand out" and does you a disservice as, compared to their test data, you're more easily identified. I personally believe, however, that while it does force you to stand out - OUTSIDE their n=300 sampling (where only 4 users had it disabled), it would greatly decrease the reliability of distinguishing you from OTHER users with web-fonts disabled. Sure, compared to the norm, you would be identified, but identifying the machine fingerprint between other similar users would lose half its potency. With an n of, say, 300000000, even if the incidence of web-font enabled computers was 10% of that in their test data, you're still looking at 400k other users, and now your test loses half its potency.

And I run with WebGL off most of the time anyways, and have a separate chrome shortcut for when I need it on. I think I've needed WebGL, perhaps, 3 times since I re-formatted windows in January. Not to mention that driver updates, OS updates, card changes, differences in power settings, and over/underclocking can all affect the pixel map of the rendering. Even a few pixel difference is enough to ruin their continuing testing, as I believe they make a hash of all their data.

I agree with this.
 
I use noscript, and while it does dampen my browsing experience, I would rather deal with that than be tracked all the time. I cannot even post this without temporarily allowing this site to run.
 
The above quote claims each computer has a completely unique fingerprint. In reality it seems every computer with the same Browser, OS, & GPU from the same family has the same fingerprint.

Source:
http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

It looks like this relies on javascript. So if you're really worried about it just block all javascript. Problem solved. You're probably already blocking it if you're at all concerned about tracking and privacy.

This sort of crap is precisely why I use NoScript in FF, then selectively enable content on sites as I need it, while keeping third-party sites blocked. If I trust a site, like the [H], I'll run scripts on it. If not, I'll determine how much I really need to be there and decide if I want to enable any kind of scripts or not. Some people think that's overkill, but it doesn't sound so paranoid now. I hate being right. :(
 
This sort of crap is precisely why I use NoScript in FF, then selectively enable content on sites as I need it, while keeping third-party sites blocked. If I trust a site, like the [H], I'll run scripts on it. If not, I'll determine how much I really need to be there and decide if I want to enable any kind of scripts or not. Some people think that's overkill, but it doesn't sound so paranoid now. I hate being right. :(

Yep, noscript rocks.
 
From the article:
Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He was like, I wonder about privacy... it's not against the law? fuck it then, let's do it.
 
The apocalypse is one day closer now! I'm sure the Gov already has something like this they've printed us all with, now all the advertisers will too.

The government doesn't have to go through all that effort, they just need access to the advertiser's shit.
 
DigitalGriffen;
BTW: Googling this and clicking any link to TOR Project will get you on NSA's watch list.

Really dude, what an imagination. I explained this one before, did you miss it?
 
Why is this even news in 2014? Laughable. You can do plenty with canvas and tracking isn't the worst of it.
 
People should browse with TOR, cookie blocker, and JS disabled by default.
 
Ya no, it's even worse for something like whitehouse.gov. You post something one administration likes and the next one doesn't they now have you in a database to target if they want to fuck that

It could, or it could be used like polling to build a metric of who you have to pander to.

Either way, there is sense to it. It achieves something. Unlike advertisers using it. You can figure out I like x and y, and can what bundle them and charge me less than you were getting before if I even see your ads?
 
The real issue is that we continue to use the internet for more than it should be. We've already gone TOO FAR over the line for "convenience."

The real answer is that browsers should not be doing this stuff and sites shouldn't be asking for it.

There needs to be a social/societal backlash against the loss of privacy. It's wayyyyyyy past time that we start demanding that our software DO LESS and be MORE SECURE.

We could knock out 80% of the crap functionality of browsers and the internet in general and in the end the things we REALLY NEED TO GET DONE... would work just the same.

Even without all the issues we have with any kind of web browsing today, we'd still have massive privacy issues with 3rd party software such as our antivirus, cloud storage and online services such as Origin and Steam collecting a fair amount of our usage data.

But having to worry about every single website we visit and every crapware tool that comes bundled with anything becoming a spy tool to track our every move for sale and profit? We need to rebel against this crap en masse.
 
Advil, not that I actually disagree but you have to come back to a reality here. The US doesn't "own" the Internet anymore, we gave it up. We can only try, and I emphasize the word try, to control what we do or do not do with it. All at the same time that all the other countries are doing the same thing in their own way while others try to exert control over the internet for all kinds of reasons. It's going to get much much messier before it ever gets better.

As for your societal backlash, that's doomed before it ever got started. My wife is from Korea, she is a US Citizen now and no longer has their equivalent of an SSN, so she can't get on any Korean websites unless she cheats using a relative's number. That is the level of privacy that exists in most of the world so the US isn't going to get any help in this and we no longer have any control either. In essence, tracking in the US is a "veiled glove" approach to what most countries do openly and without any hidden trickery. They make you divulge your identity in everything you do.

Now you can stand up and say that that's just not the American way and you would be correct from our point of view, but the rest of the world mostly just doesn't see it that way and the US can't force itself on the rest of the world anymore. We gave up that Crown.
 
I would love to see this technology used for minimal importance security verification.
I see tremendous value using this approach for all basic activity tied to an identity.
 
I have to watch some people but there are so many people how do I segregate them so I can focus on the important ones?

I know, I'll create a watch list so I can focus my effort.

Man, every time I add a new guy to the watch list I have to work harder to sort through them all.

I know, my watch list will have a watch list :rolleyes:
 
To me this actually sounds much better than cookies. Cookies can be used to store everything you're doing in an easily retrieved and readable format. Cookies hold information way beyond just your identity.

The canvas image is just a unique identifier. It can differentiate your computer from other computers, but it can't tell where you clicked and how long you stayed there and so forth.

For now at least. I'm sure they'll figure out a way to catalog browsing activity through this eventually.
 