

Race Is On to 'Fingerprint' Phones, PCs - mikeknoop
http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html

======
jakevoytko
I foresee a future where the Adblock crowd runs a plugin that randomizes the
data returned by browsers. It wouldn't take many variations in user agent
strings, reported browser plugins, and system fonts to give you a quasi-
anonymous footprint each time you visit a website.

~~~
neworbit
or a completely identical infoblock - anonymity of the crowd

~~~
pierrefar
Surely by labelling yourself with this identical info block you're marking
yourself as a type of person?

~~~
neworbit
Obligatory "Life Of Brian": We are all individuals!

You're correct. Whether this ends up being more distinctive or demarcative
depends on how widely deployed it is. A few hundred and it's not very helpful,
but if you have tens of millions of browsers reporting only "LOLCAT BROWSER"
(or for old sk00l credit, "AOL") it may give data miners some headaches.

It's kind of like Tor (or if I remember right, anonymizer.com) in those
respects - until you have scale, it probably gets associated with shenanigans;
once you hit the tipping point, it operates as desired/intended.

But hell, I don't mind marking myself as a type of person who doesn't want
intrusive ads. (Why yes, I do run adblock!)

------
holdenc
Based on this article you can "fingerprint" a computer using the following
combination of attributes:

\- Precise timestamp

\- Monitor size

\- User agent

\- Browser plugins

\- and fonts (!)

Really?? I use several browsers, and switch out a few external displays for my
laptop. Plugins come and go with the browser version. My system time is synced
to a timeserver (as I imagine are many other computers) but sometimes not.
Based on these data, it's hard to believe anyone could truly trace my hardware
over time.

~~~
jakevoytko
The EFF tested this themselves. They run a website,
<http://panopticlick.eff.org>, comparing with computers that have visited in
the past. They have over a million fingerprints at this point, and my Chrome
install is "unique."

It displays all data it lifted from your machine, along with how rare each
datum appears to be. On my Chrome 7.0.517.44 install, I appear to be
identifiable by my user agent (1 in 182,518), browser plugins (1 in 1,277,632)
and system fonts (1 in 638,816).

~~~
kolmogorovcmplx
Even the default IE8 on my stock Windows 7 Enterprise appears to be unique. In
that case it's the browser plugins which identifies it (1 in 1277688). My
installed plugins are nothing out of the ordinary: Java, Flash and
WindowsMediaplayer.

~~~
trotsky
Sample size seems to be a significant issue here. I'm one of two people on the
site that had my user agent (1 in 638851), and while it's rare, sure, there
are obviously a lot more than two people in the world running chromium x64
opensuse. Looking at the data it seems like most of the responses are bog
standard for my particular software install, so it's basically saying I'm
unique because:

* user-agent * time zone * screen size

Surely my TZ=EST and screen=1366x768x24 can't be too helpful in a large sample
size.

And once chromium updates yet again, I think I'll be lost to the EFF test.
It'll still see me as unique, but I'll be a different "unique" than the last
time.

It does seem like browsers could easily cut back on user-agent details to the
benefit of their customers privacy and security. Is it really necessary to
tell every website I visit that I'm x64 instead of i386 just in case I'm not
smart enough to know which download now button to click? It's probably most
useful to malware domains for determining which version of the latest flash
0-day to push to me. And are we sure we need the exact build number of every
browser? Most revisions of chrome aren't changing anything in the rendering
behavior.

------
fingerprinter
(throw away account...)

Full disclosure: I wrote one of these systems (AMA)

1\. You'd probably be surprised what we can figure out from this. You'd also
be surprised that there isn't much you can do to stop it from happening b/c
we've been able to find ways to get information that is actually outside the
browser.

2\. You'd probably be surprised to see how embedded this is already. I'm
guessing most people have had their browser fingerprinted at least once...for
some reason. Knowing who used the services I wrote, I can tell you that they
are everywhere...and given that I know our competitors also have this
technology and who they work with...well...

3\. There are legitimate uses to this tech besides spam. Its just that the
money is in spam. I'm near 100% certain that most people will use this for
spam in the next year or two.

~~~
pyre

      > You'd also be surprised that there isn't much you can
      > do to stop it from happening b/c we've been able to
      > find ways to get information that is actually outside the
      > browser.
    

I find it hard to believe that you're going outside of the browser if
Java/Flash/JavaScript are uninstalled or disabled. Are you claiming to be
using 0-day browser exploits to get information from outside of the browser?

------
orangecat
_BlueCava says the information it collects about devices can't be traced back
to individuals_

Well that's just blatantly false.

------
Silhouette
The question we should all be asking is: why on Earth do browsers transmit all
of this information to web servers in the first place?

A _few_ details, window size for example, might have a legitimate purpose and
could at least be requested by the web server and provided optionally.
However, this sort of fingerprinting technique is pretty obvious to anyone
who's ever stuck an analyser on their system and looked at what a typical HTTP
transaction to fetch a web page looks like. As far as I can see, there is no
need for most of it.

~~~
qjz
In my experience, there's enough basic information in the HTTP transaction to
identify a unique visitor for most forensic purposes. However, the level of
detail available for fingerprinting goes far beyond this. I just performed a
little experiment, disabling as much as I could in Firefox to affect my
uniqueness at <http://panopticlick.eff.org/>. I was surprised when disabling
plugins (font info comes from java & flash) and even cookies had virtually no
effect. It wasn't until I disabled JavaScript before I dramatically lowered it
from 7 figures to 5. I'm going to try surfing this way and adding exceptions
to see if I can sustain the experience for a while.

~~~
Encosia
The thing about Panopticlick is that the two most "accurately" identifying
methods aren't stable fingerprints. As soon as you install an update to one of
your plugins (the constant Adobe updates come to mind), your fingerprint is
altered. Similar with the font list; programs seem to be installing new fonts
on my system all the time, which makes that fingerprint unstable as well.

~~~
eru
Yes. If you wanted to get serious, you should deal with unstable
characteristics. Perhaps with Bayesian filtering or something? And maybe
adding some outside information, like when the new flash plugin is released;
and tracking if a user is likely to upgrade or not.

If you have a working solution for unstable characteristics, you can also add
more more characteristics, than they do at the moment.

My scree1050x3360x24

~~~
eru
Oops, I wanted to write: My resolution and colour depth alone (1050x3360x24)
identifies me for 18 bits at that site.

------
kolmogorovcmplx
This is an effective demonstration: <http://panopticlick.eff.org/>

------
runjake
I worked on this a long time ago and knew of others working on the same idea.
I didn't pursue it for financial gain because it seemed too sleazy.

If you're curious what kinds of information your browser gives to a remote
server, creating a "test.php" file with the contents "<?php phpinfo(); ?>",
and opening that page in a browser is a good start. There are some other
ingenious (read: I didn't think them up) methods, but I don't want to help the
spammers n' spies.

These days, I use them in forensics.

------
omh
I wonder how this deals with corporate PCs.

We have dozens of desktops running identically imaged copies of
Windows/browser/plugins and all behind a single NATed IP. I imagine that
they'd all look the same to one of these systems.

If they start serving up adverts then perhaps I'll start seeing ads targeted
at something one of my co-workers has been searching for. That could get
interesting!

------
binarymax
I remember some while back (8 or 10 years? I cant remember exactly when) -
Intel was trying to give each processor a GUID so that certain transactions
could be traced back to the chip. Didn't go over well at all and Intel
eventually pulled back.

I wonder if the same uproar will happen this time around?

------
cicero
When I saw the title, I thought it was going to be about the FBI trying to
find the source of WikiLeaks material.

------
deutronium
They could use TCP time stamps to estimate the clock skew of devices, as they
access web services.

See "Remote physical device fingerprinting - Tadayoshi Kohno, Andre Broido, kc
claffy"

~~~
xtacy
Doesn't nmap have a whole bunch of such fingerprints stored in a database?

~~~
deutronium
Nmap only gives you information on the version of OS and of network
applications.

e.g.

    
    
       nmap -sV 127.0.0.1
    
       Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-01 18:28 GMT
       Interesting ports on localhost (127.0.0.1):
       Not shown: 997 closed ports
       PORT      STATE SERVICE   VERSION
       631/tcp   open  ipp       CUPS 1.4
       2000/tcp  open  callbook?
       24800/tcp open  kvm       Synergy KVM

------
palewery
This sounds great until the spammers get involved.

