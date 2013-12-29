For background, a HN submission a year ago about these kinds of ads linking to phones, from Ars Technica [1], which some choice comments being one naming such an ad company [2] while a different subthread explores another [3][4].
Prior art in this space includes the work of Boris Smus [5], who then went on to develop the guest pairing mode for Chromecast using this technique. There have been other efforts over the years, some before, but certainly after, and of course the use of sound to transmit digital information is an old trick that makes modems possible, but in those days the lines didn't have the bandwidth to carry ultrasound.
[1] https://news.ycombinator.com/item?id=10562207 [2] https://news.ycombinator.com/item?id=10563384 [3] https://news.ycombinator.com/item?id=10563369
[4] https://news.ycombinator.com/item?id=10563031 [5] https://news.ycombinator.com/item?id=10562787
>If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back one or more advertisers with details about his device, so the advertiser can build an advertising profile on the user, linking his computer with his phone.
This is pretty contrived...
Well it can't obviously, but lots of people (although maybe not the types of people who use tor) browse the internet with their speakers on and active. Most people don't unmute their speakers just before they're about to listen to something.
> How do they bypass the little sound notification on my tabs?
Admittedly they probably can't, but are you sure you're going to notice a flicker as a short sound is played and then stops?
I think the most contrived part is your mobile being always-on/always listening, given that you're likely to notice this due to reduced battery life. But given that certain hardware now has support for always-on keyword detection, you can see a future when this could happen.
http://www.bbc.com/news/technology-35639549
Either way, it doesn't sound like that's what the article describes: they're talking about collecting and sending all audio wholesale. Sending that much audio data over 3g or LTE would be expensive (transcoding it to decrease payload would be expensive, too), and would surely be noticeable looking at data usage charts.
> using wi-fi, there was no data plan spike
Uh, yeah. Because it's using wifi. Phones are on wifi far less often than you'd imagine.
It's certainly possible, but it's just not plausible.
Having said that, quite a few people have their phones connected to wifi at home, which could mitigate these issues due to both less conspicuous data and power usage.
Even if it was the case, I can't imagine such apps would give granular enough information to be enormously useful. You'd get one, maybe two people to actually get their computers to play the audio and have it picked up by a device that's actually listening for it. What then? How many advertising companies with legitimate marketing businesses actually sell the user identities? You'd get what, a UUID, maybe some aggregate demographic information, and a rough location. It seems unlikely that such a platform would actually give out specific PII for individuals.
It would not need to be constantly listening for it to be useful. If the point is identification, why would you leave it on after you have reasonably identified the person?
If we assume it's a third-party ad network, which is the only plausible explanation for why there's an app listening for ultrasonic cues on a user's device, it would need to be listening all the time. That is what the article describes.
Surely the user would have had to approve microphone access for the app first, and it'd better have a good excuse.
Even then, does e.g. iOS allow backgrounded apps to listen in on the microphone ? Pretty sure only Siri has that level of privilege.
Has this whole ultrasound beacon thing taken off in the ad world ? Seems to (thankfully) require quite active user involvement to be able to work.
Does it? Aren't people generally in the habit of signing off on any access if they want what an app offers?
There has GOT TO BE a better way. Such as a filter made by independent manufacturers that opens the sound channel only when you say a specific phrase such as "OK Google" and closes it when you press a button or stop speaking. And an indicator would be visible when it's actually listening.
The question is, how to prevent collusion with the independent filter companies? There has to be SOME WAY to open source hardware and prevent companies from essentially performing their own interdiction on it:
https://www.google.com/amp/www.theverge.com/platform/amp/201...
If outbound traffic levels are the same when you're using it as when you're not, it's probably bugging you? Of course a smarter arrangement would reschedule traffic to coincide with use...
This generally doesn't work in mobile, though, or at least reception doean't. Also, neither desktop nor mobile Safari can do mic access, and firefox's mic won't pick up ultrasonic. So try desktop Chrome :)
https://addons.mozilla.org/en-us/firefox/addon/mute-tab/
All tabs default to muted, and you can selectively un-mute tabs or whitelist sites as needed.
I've certainly appreciated the default state of pages being muted.
In what world is that ever a sane thing to do?
I've got scuba-diving computers that need special cables to sync with my PC: if they could sync with nothing more than a webpage and speakers, that would be pretty neat.
On the other hand there might be legitimate uses for such tech so maybe better to have it as a security option to send and receive ultrasound per individual, i.e. if I can't hear above 10khz maybe I can set my audio to not send or receive above that without app specific permission
https://github.com/MAVProxyUser/SilverPushUnmasked/commit/bc...
[1]: https://en.wikipedia.org/wiki/Shock_site
Been using it for a few months now and have found it invaluable.
I don't believe so but my change in the Linux resolver daemon does honor the hosts file for all .onion entries.
If there's any monkey business going on with my audio, I want it in the range where I can hear it!
Theoretically, there's no reason to trust a physical switch more than a software switch, unless you've opened the computer and verified that the physical switch breaks all circuits to all wifi radios. The physical switch could merely control software, or it might control one connection to one radio but not others.
It's IE-specific, though, so won't work in a Tor browser.
[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bg...
The first thing one should do after installing the Tor Browser Bundle is open up about:config, search for javascript.enabled, and set it to false.
If an onion site doesn't work without JS, you probably don't want to be on it anyway.
from: https://tails.boum.org/doc/anonymous_internet/Tor_Browser/#i...
To allow more control over JavaScript, for example to disable JavaScript completely on some websites, Tor Browser includes the NoScript extension.
By default, NoScript is disabled and some JavaScript is allowed by the Torbutton extension as explained above.
So, "Yes", this is reckless and would compromise Tor Browser from the outset.
Maybe so, but I think the GP is correct. At least, it was true a year or so ago.
