Date: Mon, 16 Mar 2009 18:32:03 +0545
From: Bipin Gautam <bipin.gautam@...il.com>
To: Intelligence-Studies <Intelligence-Studies@...glegroups.com>, 
	NepSecure <NepSecure@...glegroups.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Google to base ads on surfing behaviour

google is evil : http://news.zdnet.co.uk/internet/0,1000000097,39625962,00.htm

"These ads will associate categories of interest — say sports,
gardening, cars, pets — with your browser, based on the types of sites
you visit and the pages you view,"
...
As with any other cookie, this tracking file can be cleared by the
user at any time. By visiting Google's ad-preferences page, the user
can opt out of having their surfing habits tracked, or input their own
preferences for the subject matter of ads they would like to see.

However, as clearing the browser's cookies would effectively remove
the opt-out cookie itself, Google has also released a plug-in for
browsers that provides a permanent opt-out from the service.
...

This is no option to general users who don't have much clue about
internet privacy.
And we all know where all this is heading to......
------snip------------
old article: http://groups.google.com/group/Intelligence-Studies/browse_thread/thread/5f78afce9d9736c0#

A third party JS can also be used for a targeted surveillance of an
identity by a third party. Such stat counter JS can act as a passive
honeypot running across lots of websites that can be used for
surveillance and profiling as it could know every website/content
you visited wherever such JS is used.

You may use different nick names online, use anonymous proxy servers
while browsing, clear your cookies often, don't use social networking
sites etc for your privacy concerns. But JS can leak information like
Windows Media Player (WMP) UniqueID[2]. Operator can use a ClientID
request in browser to pull off a machine's unique default serial
number generated by WMP. There are also other applications that do
similar, and such information can uniquely identify a machine
regardless of its IP.

Impact: Say, Website_Evil1 has recorded your WMP UID and associated
some of your profile to it and shared it to Website_Evil_Gang. Now
whether you are accessing internet from your laptop from library or
coffee shop or home or in the office, any website that is associated to
Website_Evil_Gang will know it's you browsing about (say) "dating" in
Website_Evil1, looking about (say) "contraceptives" in Website_Evil30
and looking (say) "weight loss tips" in Website_Evil50. You could be
uniquely identified online even if you clear browser cache at every
logoff or use different IP/ISP all the time. Advertising serving
scripts, web counters, third party banners etc have the potential like
above, which can have big impact on users' privacy.

But sadly this is just one example that can breach your quest to
maintain your online privacy. There are lots of other ways (that vary
in reliability) using which a computer can be identified in the
internet / a region, and the machine identification features can be
associated to online identities that uniquely point to a computer
system. From a surveillance perspective, if you have control over
some networks/websites it's easy to associate such information from
multiple sources for tracking machine/software specific features and
associate this with user identity. This way an attacker
(Website_Evil_Gang) can have a wider view of your digital identity and
can track you beyond having to rely on your registration information
or IPs or cookies.

Information like your browser name and its version, clock skew of your
system from standard time, your screen resolution/DPI, OS / OS specific
info, fonts installed info, your internet bandwidth/delays, browser
specific features, browser plugins, information about which software
versions are installed in your computer like open office, real player,
JRE, flash support, quick time player, acrobat reader etc can be
detected by remote website. Via CSS, websites you last visited can also
leak. All of such information when put together can act as unique
machine identification information that can be associated to your
identity anyways.

All of such information when put together can be used to track
identities online[3], as this info doesn't change often regardless of
your IP. All of such leaked information, when put together from an
analysis perspective, will yield lots of user details.

-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
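
The post's claim that individually common attributes become identifying once combined can be measured as the shrinking anonymity set of one visitor. The sketch below is an added example, not part of the original message; the visitor records are constructed and the function names are hypothetical.

```javascript
// Constructed sample: attributes a page script could read from 8 visitors.
// All values are illustrative, not measured data.
const visitors = [
  { browser: "Firefox 3.0", screen: "1280x800", tz: "+0545", plugins: "flash,jre" },
  { browser: "Firefox 3.0", screen: "1280x800", tz: "+0545", plugins: "flash" },
  { browser: "Firefox 3.0", screen: "1024x768", tz: "+0545", plugins: "flash,jre" },
  { browser: "Firefox 3.0", screen: "1024x768", tz: "+0000", plugins: "flash" },
  { browser: "IE 7", screen: "1280x800", tz: "+0545", plugins: "flash,jre" },
  { browser: "IE 7", screen: "1024x768", tz: "+0000", plugins: "flash" },
  { browser: "IE 7", screen: "1280x800", tz: "-0500", plugins: "flash,quicktime" },
  { browser: "Opera 9", screen: "1280x800", tz: "+0545", plugins: "flash,jre" },
];

// Number of visitors sharing visitor `idx`'s values for every attribute in `attrs`.
function anonymitySet(records, idx, attrs) {
  const key = (r) => attrs.map((a) => r[a]).join("|");
  const wanted = key(records[idx]);
  return records.filter((r) => key(r) === wanted).length;
}

// Identifying information in bits: log2(population / anonymity set size).
function surprisalBits(records, idx, attrs) {
  return Math.log2(records.length / anonymitySet(records, idx, attrs));
}

// Add one attribute at a time and record how the anonymity set shrinks.
function shrinkage(records, idx, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    return {
      used: used.join("+"),
      setSize: anonymitySet(records, idx, used),
      bits: surprisalBits(records, idx, used),
    };
  });
}

// Mitigation view: every visitor reports the same value for one attribute.
function withUniform(records, attr, value) {
  return records.map((r) => ({ ...r, [attr]: value }));
}

const attrs = ["browser", "screen", "tz", "plugins"];
console.table(shrinkage(visitors, 0, attrs));
console.log("set size with plugin list hidden:",
  anonymitySet(withUniform(visitors, "plugins", "hidden"), 0, attrs));
```

In this sample no single attribute singles out the first visitor, but the four together do; making the plugin list uniform across visitors puts that visitor back in a set of two.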
