

Chrome extension to randomize your User Agent (Underpants) - tantalor
https://github.com/tantalor/user-agent-entropy

======
z0r
If you give yourself the user agent of a terrible browser such as IE5, or if
you give yourself the user agent of a less popular web crawler, a lot of
companies won't bother to track your identity as it would be considered a
waste of resources. I'm speaking as the minion of a company that deals in such
things - for instance, my company won't track you for advertising purposes if
you are running Linux. No profit in it!

~~~
xcallmejudasx
What happens if I use Linux while browsing at home and Windows while browsing
at work? How does your company handle this? I can see a couple different
scenarios and am curious which is closest to practice.

1) Track data while at work. Display only at work. 2) Track data while at
work. Display at home and work. 3) Track data at home and work. Display at
work 4) Don't track data at all.

Of course there's a few cases I missed but from what you said I don't see the
reason they'd track me at home and display at work or any other various
combinations excluded.

~~~
aslewofmice
Do you work from home using the same IP?

If I understand your question correctly, the answer would be 1. In most cases,
they're doing cookie based tracking and you wouldn't have any crossover unless
it was site specific retargetting and you've logged into an account on both
platforms. If there's any crossover, its because you have the same browsing
behaviors on both platforms.

~~~
xcallmejudasx
No I don't use the same IP. I do however brows Hacker News, Facebook, Reddit,
etc from both work and home.

Interesting, thank you for the information.

------
Wilya
Oh, someone did beat me to it. I think too much (and slowly), it seems.

The useragent is much too random, though. As explained quite nicely on the eff
page, it defeats the purpose. You've managed to uniquely identify yourself as
someone with a very random-looking useragent.

I was more thinking along the lines of sending random "genuine" user-agents
(combinations of various versions of Chrome/Firefox/Safari on various OS). And
with some more clever way to make sure the cookies match, or fixing the user-
agent is a bit useless..

------
unbeli
You are actually identifying yourself as user of that extension. This is a
much smaller group than Chrome users.

------
aimacs
This counters the tracking method used by the "Underpants Project" but does
little to help against something more sophisticated that made full use of the
remaining bits of identifying information.

According to Panopticlick, the biggest leaks of identifying information are
the list of fonts and the plugin information string, neither of which seem to
be guarded against by any existing tool except NoScript, though disabling
Flash might help. However, even using NoScript, your information would still
probably leak to whatever popular site is in your whitelist (e.g. Google or
Facebook).

Unless someone hacks Flash to always sort the font lists and finds a way to
fix the plugin list leak, one way to get rid of many of these leaks is to
build a locked-down virtual machine containing a fixed set of fonts, a fixed
screen resolution, UTC timezone, and possibly a fixed browser together with
only the en-us locale to minimise HTTP_ACCEPT information leaks (which I
presume to be the most popular one). Assuming the filesystem remains mostly
untouched, the font list should always be in the same order for all instances
of the VM. It might not be necessary to use any specific browser, but I
presume there are many possible ways to identify a browser and perhaps even
its exact version from its behaviour even without using the user agent.

Even after fixing all of the leaks identified by Panopticlick, the behaviour
of the user could still be used for identification, perhaps by leaks caused by
the user or by bugs and inadequacies in the "anonymisation suite". To pre-
emptively counter this, an orthogonal approach like the one suggested by
obituary_latte could be used (<http://news.ycombinator.com/item?id=3880822>).
Such a "random browser" might need to be active most of the day to minimise
timezone leakage, though that might not be very practical, or even necessarily
a concern for many.

Finally, a yet another thing that might help would be to use popular VPN
services which would presumably reduce the amount of information leaked by
your IP address.

------
Natsu
You shouldn't randomize at all if you want to remove information. Instead, set
everyone to a single, common UA to make everyone look the same.

------
obituary_latte
I was looking into creating a bot that would randomly click and browse around
on the web whilst logged in to Google to add some entropy to my "persona".

Alas, programming is hard.

I don't know what it is--perhaps my get off my lawn mentality--but I am
terrified of not owning my anonymity. Though obviously not scared enough to
stop using these services...

~~~
azelfrath
That could end up going south quickly. Scenario:

 _randomly browse to 4chan_

 _randomly click on link_

 _randomly have FBI raid your house a few weeks later_

I like the concept, but it's not something I would run personally unless there
were a lot of checks in place.

~~~
obituary_latte
Great point.

Yes, would certainly be needing of some checks. Perhaps a dictionary of
acceptable link-words that would be OK to "click". Maybe also a blacklist of
"never-click" words and/or domains/netblocks.

Or even perhaps a whitelist of a few domains that are OK. Chances are slim
that Time.com or USAtoday or CNN links would lead to trouble and the
collection of "safe" links would grow exponentially with only a handful of
"safe" domains.

------
ionforce
And the purpose of this is for what?

~~~
azelfrath
I think the purpose is to show how easily some of these scare tactics can be
defeated. This took what, 40 minutes to get posted? Less than an hour to
thwart what is being hyped up as a big deal for anonymity.

As an aside, I think you should name it CoverAlls.

EDIT: I guess I worded that a bit harshly. Underpants is meant to be a PoC for
a tactic that _may_ work in some situations, but the feeling I got is that
people are taking it to be a lot more serious than it is.

~~~
simonbrown
40 minutes after what?

~~~
Wilya
<http://news.ycombinator.com/item?id=3878438> I guess. Though it's actually
more like 7 hours than 40 minutes.

------
jstalin
How about a version for firefox?

