Discussion:
[linux-elitists] Browser fingerprinting
Don Marti
2013-10-06 18:11:46 UTC
Permalink
Corporate speak: "Tawakol and Ingis both said the
new technology, which is still under development,
would allow companies to use alternative approaches
that are sometimes called statistical or probabilistic
tracking, while remaining in compliance with industry
privacy standards."

Translation: "Fine, you smug cookie-blocking nerds.
We're going to go all browser fingerprinting on you."

http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless-future-develop-opt-out-tool-for-alternative-tracking/

Mozilla has been working on cleaning up the
third-party cookie problem, and making a dent in it,
as you can tell by the complaints from the creepy
adtech business.

Unfortunately, Firefox appears to be highly
fingerprintable.

https://panopticlick.eff.org/ says "Your browser
fingerprint appears to be unique among the 3,458,043
tested so far."

Ouch. Got to get my act together here. But of
course the more that I customize, the more unique my
browser looks.

Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
--
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
***@zgp.org
Andy Bennett
2013-10-06 18:23:11 UTC
Permalink
Hi,
Post by Don Marti
Unfortunately, Firefox appears to be highly
fingerprintable.
https://panopticlick.eff.org/ says "Your browser
fingerprint appears to be unique among the 3,458,043
tested so far."
Ouch. Got to get my act together here. But of
course the more that I customize, the more unique my
browser looks.
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
I'm running Iceweasel on Debian and I'm unique in their set as well.

Judging from their summary table, the "System Fonts" entry seems to be
the thing that identifies me. Fonts from my ~/.fonts/ directory are
being listed there so I guess I've got the system set plus my personal
set. I wonder how unique the system set is and how much of it comes from
the base OS and how much is contributed from selectable packages.

Perhaps Debian's popcon can be put to work to shed some light on
possible font packaging refactoring?




Regards,
@ndy
--
***@ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
Raistlin Majere
2013-10-06 19:54:33 UTC
Permalink
I was rather surprised that it also indicated that mine was unique ..
I simply run Firefox 24 on Linux, with no scripts and cookies turned
off .. I would have thought that to be relatively common among
security conscience Linux folks.

R.M.
Post by Andy Bennett
Hi,
Unfortunately, Firefox appears to be highly fingerprintable.
https://panopticlick.eff.org/ says "Your browser fingerprint
appears to be unique among the 3,458,043 tested so far."
Ouch. Got to get my act together here. But of course the more
that I customize, the more unique my browser looks.
Who's got a browser that comes up reasonably generic on
Panopticlick, and what did you do?
I'm running Iceweasel on Debian and I'm unique in their set as
well.
Judging from their summary table, the "System Fonts" entry seems to
be the thing that identifies me. Fonts from my ~/.fonts/ directory
are being listed there so I guess I've got the system set plus my
personal set. I wonder how unique the system set is and how much of
it comes from the base OS and how much is contributed from
selectable packages.
Perhaps Debian's popcon can be put to work to shed some light on
possible font packaging refactoring?
Don Marti
2013-10-06 22:12:16 UTC
Permalink
Post by Raistlin Majere
I was rather surprised that it also indicated that mine was unique ..
I simply run Firefox 24 on Linux, with no scripts and cookies turned
off .. I would have thought that to be relatively common among
security conscience Linux folks.
32-bit or 64-bit Linux? The user agent string in
Firefox for Linux is a monstrosity that only a build
and release nerd could love.

https://developer.mozilla.org/en-US/docs/Gecko_user_agent_string_reference#Linux

(Besides, you're probably the one Linux user who
_doesn't_ tweak out your browser, so you're as
recognizable as a sheep to the shepherd, just like
the rest of us.)
--
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
***@zgp.org
Raistlin Majere
2013-10-06 23:17:33 UTC
Permalink
64 bits Fedora 19

Raistlin Majere
Leader of the red robes!
Email: ***@majere.net
GPG Key: 0xc7585803
Fingerprint: 012E 9607 0066 57A8 897F 71FD 4BBC 4AF6 C758 5803
Post by Don Marti
Post by Raistlin Majere
I was rather surprised that it also indicated that mine was unique ..
I simply run Firefox 24 on Linux, with no scripts and cookies turned
off .. I would have thought that to be relatively common among
security conscience Linux folks.
32-bit or 64-bit Linux? The user agent string in
Firefox for Linux is a monstrosity that only a build
and release nerd could love.
https://developer.mozilla.org/en-US/docs/Gecko_user_agent_string_reference#Linux
(Besides, you're probably the one Linux user who
_doesn't_ tweak out your browser, so you're as
recognizable as a sheep to the shepherd, just like
the rest of us.)
Rick Moen
2013-10-07 23:18:45 UTC
Permalink
Post by Raistlin Majere
I was rather surprised that it also indicated that mine was unique ..
I simply run Firefox 24 on Linux, with no scripts and cookies turned
off .. I would have thought that to be relatively common among
security conscience Linux folks.
Proper use of NoScript is the single most effective measure to reduce
the ability of Web sites to collect and abuse that information. That's
because JavaScript is really the key user-side tool that gets abused in
various ways, and is the glue that lets tracking firms reach a variety
of user-side datastores.

http://samy.pl/evercookie/

(Samy's browser-interrogating script on http://samy.pl/ doesn't get
very far with my browser. I.e., it gets nothing.)
Rick Moen
2013-10-07 23:38:31 UTC
Permalink
Post by Andy Bennett
I'm running Iceweasel on Debian and I'm unique in their set as well.
Judging from their summary table, the "System Fonts" entry seems to be
the thing that identifies me. Fonts from my ~/.fonts/ directory are
being listed there so I guess I've got the system set plus my personal
set. I wonder how unique the system set is and how much of it comes from
the base OS and how much is contributed from selectable packages.
I'm just guessing that these data are being probed via the CSS
@font-face feature somehow(?). Panopticlick is unable to query
System Fonts data from my system, and I'm pretty sure it's because I
have NoScript's 'Forbid @font-face' control enabled (Preferences,
Embeddings, Forbid @font-face).

I note:
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
Eugen Leitl
2013-10-07 06:08:53 UTC
Permalink
Post by Don Marti
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
Installed Tor Browser Bundle?
Eugen Leitl
2013-10-07 07:09:52 UTC
Permalink
----- Forwarded message from coderman <***@gmail.com> -----

Date: Mon, 7 Oct 2013 00:09:04 -0700
From: coderman <***@gmail.com>
To: Eugen Leitl <***@leitl.org>
Cc: Cypherpunks list <***@al-qaeda.net>, ***@postbiota.org, zs-***@zerostate.is
Subject: Re: [linux-elitists] Browser fingerprinting
Post by Don Marti
...
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
Tor Browser... just use it in an isolated environment like Qubes,
Whonix, Tails, etc.

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
Eugen Leitl
2013-10-07 11:40:09 UTC
Permalink
----- Forwarded message from Stephan Neuhaus <***@tik.ee.ethz.ch> -----

Date: Mon, 07 Oct 2013 13:20:09 +0200
From: Stephan Neuhaus <***@tik.ee.ethz.ch>
To: coderman <***@gmail.com>, Eugen Leitl <***@leitl.org>
CC: Cypherpunks list <***@al-qaeda.net>, zs-***@zerostate.is, ***@postbiota.org
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <***@tik.ee.ethz.ch>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0
Post by Don Marti
...
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
Firefox with NoScript and Ghostery. About 10 bits of entropy. Not
perfect, but not bad either.

Stephan

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
Tony Godshall
2013-10-07 21:29:23 UTC
Permalink
I'm getting...

"Within our dataset of several million visitors, only one in 56,746
browsers have the same fingerprint as yours. ... Currently, we
estimate that your browser has a fingerprint that conveys 15.79 bits
of identifying information."

Firefox 24, noscript, self-destructing cookies

Turning on scripts for eff.org, I'm much more identifiyable

"Your browser fingerprint appears to be unique among the 3,461,492
tested so far. ... Currently, we estimate that your browser has a
fingerprint that conveys at least 21.72 bits of identifying
information."

Of course, who's taking this test? People like us.
Post by Eugen Leitl
Date: Mon, 07 Oct 2013 13:20:09 +0200
Subject: Re: [linux-elitists] Browser fingerprinting
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0
Post by Don Marti
...
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
Firefox with NoScript and Ghostery. About 10 bits of entropy. Not
perfect, but not bad either.
Stephan
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
--
--
Best Regards.
This is unedited.
Tony Godshall
2013-10-07 21:43:22 UTC
Permalink
Hmmm.... closed tab and came back with scripts disabled and ...

"Your browser fingerprint appears to be unique among the 3,461,514
tested so far.
... Currently, we estimate that your browser has a fingerprint that
conveys at least 21.72 bits of identifying information."

I think it thinks it uniquely identified me again, but since the
cookies self-destructed, I'm a different unique. Or am I interpreting
that wrong?

Tony
Post by Tony Godshall
I'm getting...
"Within our dataset of several million visitors, only one in 56,746
browsers have the same fingerprint as yours. ... Currently, we
estimate that your browser has a fingerprint that conveys 15.79 bits
of identifying information."
Firefox 24, noscript, self-destructing cookies
Turning on scripts for eff.org, I'm much more identifiyable
"Your browser fingerprint appears to be unique among the 3,461,492
tested so far. ... Currently, we estimate that your browser has a
fingerprint that conveys at least 21.72 bits of identifying
information."
Of course, who's taking this test? People like us.
Post by Eugen Leitl
Date: Mon, 07 Oct 2013 13:20:09 +0200
Subject: Re: [linux-elitists] Browser fingerprinting
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0
Post by Don Marti
...
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
Firefox with NoScript and Ghostery. About 10 bits of entropy. Not
perfect, but not bad either.
Stephan
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
--
--
Best Regards.
This is unedited.
--
--
Best Regards.
This is unedited.
Eric De Mund
2013-10-07 22:49:32 UTC
Permalink
All,

On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl <***@leitl.org> wrote:
] Who's got a browser that comes up reasonably generic on Panopticlick,
] and what did you do?

On Mon, 07 Oct 2013 13:20:09, Stephan Neuhaus <***@tik.ee.ethz.ch>:
] Firefox with NoScript and Ghostery. About 10 bits of entropy. Not
] perfect, but not bad either.

Useful. Thank you.

With those two, I was able to get my number down to:
...only one in 203,627 browsers have the same fingerprint as yours
(Whereas before, I was "unique among the 3,461,672 tested so far".)

Going further, using NoScript, Ghostery, *and* User Agent Switcher
0.7.3, aiming for the "middle of the population bulge" by selecting:
Browsers - Windows > Firefox 21.0.1 (Win 8 64)
(even though I'm running Iceweasel under Debian), I was able to get my
Panopticlick number down to:
...only one in 8,088 browsers have the same fingerprint as yours

One can fetch the large list of user agents I used for this experiment
from this page of the author of User Agent Switcher:
http://forums.chrispederick.com/discussion/7/a-large-regularly-updated-import-list-of-user-agents
where he mentions (points to):
http://techpatterns.com/forums/about304.html
The file there is useragentswitcher.xml and can be imported directly by
User Agent Switcher (Tools > Default User Agent > User Agent Switcher >
Options... > Import/Export > Import...).

Regards,
Eric
--
"Whereas economic man maximises, selects the best alternative from among
all those available to him, his cousin, administrative man, 'satisfices',
looks for a course of action that is satisfactory or 'good enough'. Be-
cause he treats the world as rather empty and ignores the interrelated-
ness of all things (so stupefying to thought and action), administrative
man can make decisions with relatively simple rules of thumb that do not
make impossible demands upon his capacity for thought." --Herbert Simon

Eric De Mund
***@ixian.com
Rick Moen
2013-10-07 23:10:43 UTC
Permalink
Unfortunately, Firefox appears to be highly fingerprintable.
Yes, it is.

Unfortunately, following the main advice of
http://linuxmafia.com/faq/Web/user-agent-string.html results in Firefox
being somewhat _more_ fingerprintable.

If I set User-Agent to

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

...instead of to

W3C standards are important. Stop f---ing obsessing over user-agent already.

...I get a result of 'only one in 24,208 browsers have the same
fingerprint as yours' / 'your browser has a fingerprint that conveys
14.56 bits of identifying information'.
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
I'm thinking that operating a local proxy that screws with the data that
fingerprinting relies on, and that changes it at semi-random intervals,
might be a good solution.
Ruben Safir
2013-10-07 23:18:56 UTC
Permalink
Post by Rick Moen
Post by Don Marti
Who's got a browser that comes up reasonably generic
on Panopticlick, and what did you do?
I'm thinking that operating a local proxy that screws with the data that
fingerprinting relies on, and that changes it at semi-random intervals,
might be a good solution.
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
Or maybe not :)

Sunday - front page of the NY Times:

It has truly reached a point where there awt to bealaw.



http://www.nytimes.com/2013/10/06/technology/selling-secrets-of-phone-users-to-advertisers.html?_r=0

Selling Secrets of Phone Users to Advertisers
By CLAIRE CAIN MILLER and SOMINI SENGUPTA

SAN FRANCISCO — Once, only hairdressers and bartenders knew people’s
secrets.

Now, smartphones know everything — where people go, what they search
for, what they buy, what they do for fun and when they go to bed. That
is why advertisers, and tech companies like Google and Facebook, are
finding new, sophisticated ways to track people on their phones and
reach them with individualized, hypertargeted ads. And they are doing it
without cookies, those tiny bits of code that follow users around the
Internet, because cookies don’t work on mobile devices.

Privacy advocates fear that consumers do not realize just how much of
their private information is on their phones and how much is made
vulnerable simply by downloading and using apps, searching the mobile
Web or even just going about daily life with a phone in your pocket. And
this new focus on tracking users through their devices and online habits
comes against the backdrop of a spirited public debate on privacy and
government surveillance.

On Wednesday, the National Security Agency confirmed it had collected
data from cellphone towers in 2010 and 2011 to locate Americans’
cellphones, though it said it never used the information.

“People don’t understand tracking, whether it’s on the browser or mobile
device, and don’t have any visibility into the practices going on,” said
Jennifer King, who studies privacy at the University of California,
Berkeley and has advised the Federal Trade Commission on mobile
tracking. “Even as a tech professional, it’s often hard to disentangle
what’s happening.”

Drawbridge is one of several start-ups that have figured out how to
follow people without cookies, and to determine that a cellphone, work
computer, home computer and tablet belong to the same person, even if
the devices are in no way connected. Before, logging onto a new device
presented advertisers with a clean slate.

“We’re observing your behaviors and connecting your profile to mobile
devices,” said Eric Rosenblum, chief operating officer at Drawbridge.
But don’t call it tracking. “Tracking is a dirty word,” he said.

Drawbridge, founded by a former Google data scientist, says it has
matched 1.5 billion devices this way, allowing it to deliver mobile ads
based on Web sites the person has visited on a computer. If you research
a Hawaiian vacation on your work desktop, you could see a Hawaii ad that
night on your personal cellphone.

For advertisers, intimate knowledge of users has long been the promise
of mobile phones. But only now are numerous mobile advertising services
that most people have never heard of — like Drawbridge, Flurry, Velti
and SessionM — exploiting that knowledge, largely based on monitoring
the apps we use and the places we go. This makes it ever harder for
mobile users to escape the gaze of private companies, whether insurance
firms or shoemakers.

Ultimately, the tech giants, whose principal business is selling
advertising, stand to gain. Advertisers using the new mobile tracking
methods include Ford Motor, American Express, Fidelity, Expedia, Quiznos
and Groupon.

“In the old days of ad targeting, we give them a list of sites and we’d
say, ‘Women 25 to 45,’ “ said David Katz, the former general manager of
mobile at Groupon and now at Fanatics, the sports merchandise online
retailer. “In the new age, we basically say, ‘Go get us users.’ “

In those old days — just last year — digital advertisers relied mostly
on cookies. But cookies do not attach to apps, which is why they do not
work well on mobile phones and tablets. Cookies generally do work on
mobile browsers, but do not follow people from a phone browser to a
computer browser. The iPhone’s mobile Safari browser blocks third-party
cookies altogether.

Even on PCs, cookies have lost much of their usefulness to advertisers,
largely because of cookie blockers.

Responding to this problem, the Interactive Advertising Bureau started a
group to explore the future of the cookie and alternatives, calling
current online advertising “a lose-lose-lose situation for advertisers,
consumers, publishers and platforms.” Most recently, Google began
considering creating an anonymous identifier tied to its Chrome browser
that could help target ads based on user Web browsing history.

For many advertisers, cookies are becoming irrelevant anyway because
they want to reach people on their mobile devices.

Yet advertising on phones has its limits.

For example, advertisers have so far had no way to know whether an ad
seen on a phone resulted in a visit to a Web site on a computer. They
also have been unable to connect user profiles across devices or even on
the same device, as users jump from the mobile Web to apps.

Without sophisticated tracking, “running mobile advertising is like
throwing money out the window. It’s worse than buying TV
advertisements,” said Ravi Kamran, founder and chief executive of
Trademob, a mobile app marketing and tracking service.

This is why a service that connects multiple devices with one user is so
compelling to marketers.

Drawbridge, which was founded by Kamakshi Sivaramakrishnan, formerly at
AdMob, the Google mobile ad network, has partnerships with various
online publishers and ad exchanges. These send partners a notification
every time a user visits a Web site or mobile app, which is considered
an opportunity to show an ad. Drawbridge watches the notifications for
behavioral patterns and uses statistical modeling to determine the
probability that several devices have the same owner and to assign that
person an anonymous identifier.

So if someone regularly checks a news app on a phone in bed each
morning, browses the same news site from a laptop in the kitchen, visits
from that laptop at an office an hour later and returns that night on a
tablet in the same home, Drawbridge concludes that those devices belong
to the same person. And if that person shopped for airplane tickets at
work, Drawbridge could show that person an airline ad on the tablet that
evening.

Ms. Sivaramakrishnan said its pinpointing was so accurate that it could
show spouses different, personalized ads on a tablet they share. Before,
she said, “ad targeting was about devices, not users, but it’s more
important to understand who the user is.”

Similarly, if you use apps for Google Chrome, Facebook or Amazon on your
cellphone, those companies can track what you search for, buy or post
across your devices when you are logged in.

Other companies, like Flurry, get to know people by the apps they use.

Flurry embeds its software in 350,000 apps on 1.2 billion devices to
help app developers track things like usage. Its tracking software
appears on the phone automatically when people download those apps.
Flurry recently introduced a real-time ad marketplace to send
advertisers an anonymized profile of users the moment they open an app.

Profiles are as detailed as wealthy bookworms who own small businesses
or new mothers who travel for business and like to garden. The company
has even more specific data about users that it does not yet use because
of privacy concerns, said Rahul Bafna, senior director of Flurry.

Wireless carriers know even more about us from our home ZIP codes, like
how much time we spend on mobile apps and which sites we visit on mobile
browsers. Verizon announced in December that its customers could
authorize it to share that information with advertisers in exchange for
coupons. AT&T announced this summer that it would start selling
aggregated customer data to marketers, while offering a way to opt out.

Neither state nor federal law prohibits the collection or sharing of
data by third parties. In California, app developers are required to
post a privacy policy and to clearly state what personal information
they collect and how they share it. Still, that leaves much mystery for
ordinary mobile users.
Rick Moen
2013-10-07 23:40:49 UTC
Permalink
Post by Ruben Safir
Or maybe not :)
If you don't believe in smartphones lacking Cyanogenmod, they can't hurt
you.

(Mind you, Cyanogenmod is just a good place to start.)
Ruben Safir
2013-10-07 23:46:39 UTC
Permalink
Post by Rick Moen
Post by Ruben Safir
Or maybe not :)
If you don't believe in smartphones lacking Cyanogenmod, they can't hurt
you.
(Mind you, Cyanogenmod is just a good place to start.)
The real key paragraph here is that they are connect indivudal behaviors
to phones, work stations, and tablets all together. They don't care
about cookies and web browser signatures. They have gotten way past it.

I'm not sure even tor can help you. It is just time to get off the
grid.

Ruben
Post by Rick Moen
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
of articles from around the net
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Rick Moen
2013-10-08 01:09:18 UTC
Permalink
Post by Ruben Safir
The real key paragraph here is that they are connect indivudal behaviors
to phones, work stations, and tablets all together. They don't care
about cookies and web browser signatures. They have gotten way past it.
Long discussion is possible here, which I must demur on. A couple of
points, though:

1. Article is somewhat vague on technological specifics. But:
2. Some of the specifics are that

(a) '[Flurry's] tracking software appears on the phone automatically
when people download those apps.' Well, Don't Do That, Then.

(b) '[Drawbridge] has partnerships with various online publishers
and ad exchanges' which send 'a notification every time a user
visits a Web site or mobile app' and identifies a user but not
his/her name by spotting behavioural patterns across multiple
devices. Sounds pretty fallible, and I think it rather more likely
that most of what data matching they are able to do come from
matching data voluntarily granted by the user.

Also, I notice that it doesn't work particularly well against my
browsing patterns in multiple locations. To the extent I'm not able to
block Web ads, I'm not seeing effective tailoring.
Don Marti
2013-10-08 01:22:27 UTC
Permalink
Post by Ruben Safir
The real key paragraph here is that they are connect indivudal behaviors
to phones, work stations, and tablets all together. They don't care
about cookies and web browser signatures. They have gotten way past it.
I'm not sure even tor can help you. It is just time to get off the
grid.
Depends on what your threat model is and what your
goals are.

One of my goals is to assist the budget-making,
ssh-tunneling, good-example-setting side of my brain,
by keeping advertising that's targeted at me from
reaching the covetous, slothful, short-term-thinking
side of my brain.

If I hadn't been blocking targeted ads
before, I would have started right after reading this:
http://www.theatlantic.com/technology/archive/2013/10/is-this-the-grossest-advertising-strategy-of-all-time/280242/
. Whatever the male equivalent is, I don't think I
want to know.

But I do let the Project Wonderful
ads through, because they're cleverly
and signalfully not targeted by user:
https://www.projectwonderful.com/advertisewithus.php
--
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
***@zgp.org
Ruben Safir
2013-10-08 06:05:55 UTC
Permalink
Post by Don Marti
Post by Ruben Safir
I'm not sure even tor can help you. It is just time to get off the
grid.
Depends on what your threat model is and what your
goals are.
I don't think so. Individuals should be stalked for any purpose.
Post by Don Marti
One of my goals is to assist the budget-making,
ssh-tunneling, good-example-setting side of my brain,
by keeping advertising that's targeted at me from
reaching the covetous, slothful, short-term-thinking
side of my brain.
If I hadn't been blocking targeted ads
http://www.theatlantic.com/technology/archive/2013/10/is-this-the-grossest-advertising-strategy-of-all-time/280242/
. Whatever the male equivalent is, I don't think I
want to know.
Can't trust the Atlantic. Their reporting and fact checking is
terrible. I don't care if they advertise on Monday beauty products
because on Monday women feel vernibable. What I care about is that they
track my daughter on her trip to school.
Post by Don Marti
But I do let the Project Wonderful
ads through, because they're cleverly
https://www.projectwonderful.com/advertisewithus.php
--
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
of articles from around the net
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Tony Godshall
2013-10-08 18:36:37 UTC
Permalink
... Individuals should be stalked for any purpose. ...
I'm staying away from you
Jeremy Hankins
2013-10-09 13:28:09 UTC
Permalink
Post by Ruben Safir
I don't care if they advertise on Monday beauty products
because on Monday women feel vernibable. What I care about is that they
track my daughter on her trip to school.
You have this exactly backwards, imo. Neither my daughter nor I are
under any particular _personal_ threat from tracking. In that sense I
sympathize with people who say "Who the f** cares?" about tracking,
targeted ads, and so on.

The mistake they make is the same as the one you're making. They fail
to appreciate that these things shape our culture. Even if (hopefully)
my daughter has enough self esteem and personal strength not to be
affected by these ads, she's still living in a culture that they're
shaping.
--
Jeremy Hankins <***@nowan.org>
Ruben Safir
2013-10-14 05:04:19 UTC
Permalink
Post by Jeremy Hankins
Post by Ruben Safir
I don't care if they advertise on Monday beauty products
because on Monday women feel vernibable. What I care about is that they
track my daughter on her trip to school.
You have this exactly backwards, imo. Neither my daughter nor I are
under any particular _personal_ threat from tracking.
Yes - you are actually. And being so tracked is for FARM ANIMALS and
and extermination camps, but incompatible with living as a free human
being.
Post by Jeremy Hankins
In that sense I
sympathize with people who say "Who the f** cares?" about tracking,
targeted ads, and so on.
The mistake they make is the same as the one you're making. They fail
to appreciate that these things shape our culture.
That is someones error, but not mine.
Post by Jeremy Hankins
Even if (hopefully)
my daughter has enough self esteem and personal strength not to be
affected by these ads, she's still living in a culture that they're
shaping.
--
_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
linux-elitists mailing list
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
of articles from around the net
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Ruben Safir
2013-10-08 15:34:22 UTC
Permalink
Sometimes, it is just better to get off the grid for a while

Loading Image...
/dev/rob0
2013-10-08 23:06:17 UTC
Permalink
Post by Ruben Safir
Sometimes, it is just better to get off the grid for a while
http://images.mrbrklyn.com/marilyn_jean_fishing/IMG_2984.JPG?width=1600
"You should have seen the one that got away!"
--
\ A
Post by Ruben Safir
<////o>
/ V
Eugen Leitl
2013-10-14 07:00:33 UTC
Permalink
----- Forwarded message from Bill Stewart <***@pobox.com> -----

Date: Sun, 13 Oct 2013 17:06:22 -0700
From: Bill Stewart <***@pobox.com>
To: Eugen Leitl <***@leitl.org>
Cc: ***@al-qaeda.net, ***@postbiota.org, zs-***@zerostate.is, Don Marti <***@zgp.org>, linux-***@zgp.org
Subject: Re: [linux-elitists] Browser fingerprinting
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sun, 6 Oct 2013 11:11:46 -0700
Translation: "Fine, you smug cookie-blocking nerds.
We're going to go all browser fingerprinting on you."
...
Unfortunately, Firefox appears to be highly fingerprintable.
One reason Firefox is highly fingerprintable is that it sends a list
of your available fonts to the web server so the server can format its
pages with cool fonts instead of boring fonts if you're able to read
them. That often turns out to be surprisingly unique, at least if you
like fonts, and AFAIK it's not just the fonts you've configured into
your browser, it's the fonts configured into your computer.

For instance, my work PC has a font for the $DAYJOB corporate logo,
and has since acquired a couple more fonts so I can display their
newer marketing presentations correctly in Powerpoint, plus it's got
the dozen or two different monospace console fonts I was trying out to
find a good one for programming use, and the usual collection of
Bocklin and Dwarvish and Tibetan that old hippies usually have on our
computers, just in case we might need to count to nine billion or have
an appropriate password entry form. When I first tested it with the
panopticlick tool, it was unique; there are now a couple other similar
machines (but that's "my machine's IE", "my machine's Firefox", and
"my machine running Win7 with the Long Term Support version of Firefox
that Corporate IT department makes us use", so it's still unique in
reality.)

Sure would be nice if Mozilla had an option for "only announce the
standard vanilla web fonts".


----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
Eugen Leitl
2013-10-14 10:40:49 UTC
Permalink
----- Forwarded message from Georg Koppen <***@jondos.de> -----

Date: Mon, 14 Oct 2013 10:06:50 +0000
From: Georg Koppen <***@jondos.de>
To: tor-***@lists.torproject.org
Subject: Re: [tor-dev] [linux-elitists] Browser fingerprinting
Check out firegloves. It's outdated, and I'd love to see it getting
some love, but it's a great POC for anti-fingerprinting in Firefox.
Firegloves is broken last time I checked. All the hooks are not applied
if you are sending your payload via FTP as the extension is doing the
hooking via an HTTP observer which is not triggered if you are loading
ftp resources. The Firegloves authors are aware of this issue AFAICT but
I never heard (and looking at the code recently I did not found it
either) they implemented a fix for that.

Georg




_______________________________________________
tor-dev mailing list
tor-***@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev


----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
Loading...