Hacker News new | past | comments | ask | show | jobs | submit login

I remember back in the 90's, when Intel was going to introduce a unique identifier in their processors that could be used for authentication purposes, it caused a huge uproar and Intel backed down. [0]

Having a hardware embedded unique ID that can be (is) used for tracking a known persons location at all times is probably the most intrusive privacy violation we've ever had. That we willingly carry these things around and naively throw the repercussions out the window is the result of the death by a thousand cuts.

We've long lost the war on privacy.

[0] https://www.wired.com/1999/01/intel-on-privacy-whoops/




Looking back, it was unbelievable to see how huge the storm caused by Intel's "processor serial number" in Pentium 3 was, that even forced Intel to withdrew it.

Meanwhile, nobody has ever said anything about the serial numbers of hard drives, GPUs, motherboards, RAM modules, Ethernet MAC address, etc, etc, etc. Nowadays, basically everything comes with one UUID.

Pretty illogical, isn't it?

> We've long lost the war on privacy.

Agree. I understand UUID is important in engineering for many purposes, but the fact that nobody is talking about it anymore (because they are nothing when compared to more severe issues like fingerprinting) indicates we've long lost the war on privacy.


Would love to see a YouTube channel or blog where somebody systemically takes apart their computer and starts reflashing every serial number in flash/EEPROM with 0x00.

It’s not like any of these are phoning home (I hope), or married together, so there’s nothing to kill clones.


> reflashing every serial number in flash/EEPROM with 0x00.

It will be an amazing video, but good luck if the device in question has (very likely):

* a mask-ROM / OTP-ROM for a serial number - almost all microcontrollers and EEPROMs sold nowadays has at least one permanent and unchangable UUID for hardware tracking and DRM implementation (security-through-obscurity tricks to prevent rogue competitors from copying your firmware).

* "firmware read-protection" - which means the only way to dump the EEPROM is performing a full-chip erase and destroy the entire firmware, commonly used in embedded systems to stop rogue competitors from copying your firmware.


I just knew that RAM DIMMs usually have a 24 or 93 series chip on them, and figured that could be re-programmed (or replaced with a reprogrammable version if the existing chip is non-compliant).


In many cases, a) the unique id's are in read-only parts of the flash and b) the system firmware won't work if it can't read a unique id that matches a (signed) stored ID somewhere in its system.

In many cases, this isn't for anything user-facing. Unique ID chips can be very useful for detecting factory-overrun counterfeits ("oh, your $widget does this notable, nonfunctional behavior? Where did you purchase it, perchance?").


> It’s not like any of these are phoning home (I hope)

Firmware is largely closed-source, so all you can do is hope.


Changing the IMEI number of a phone is illegal in many countries.


My phone required it.

When purchased, it had an IMEI of all zeroes, and came with a step by step guide to setting the IMEI from my old phone into it.

Apparently that works around phone providers who blacklist or whitelist certain manufacturers.


Can you please expand on your phone? What model is it? It sounds very unusual for the user to be able to change the imei.


A knock-off Umidigi A3 Pro.

It's an awesome Chinese $50 android phone.

Because it hasn't passed all the network tests, most mobile networks would block an entirely random IMEI, so they suggest you type in the IMEI from your old phone (as long as it's 4g - if it isn't, they have a support email address you can contact and they'll give you an IMEI that works in your country)

Even the legit Umidigi A3 Pro's (which cost $80, and have proper certifications) have an 'imei change' tool.


Not for long I'll wager...


I'll wager the opposite. Of course it's not legal anywhere, but I don't expect any customs people to be able to tell that a phone comes with an changeable/unapproved IMEI.


Meanwhile, nobody has ever said anything about the serial numbers of hard drives, GPUs, motherboards, RAM modules, Ethernet MAC address

Let's not forget every single page printed by a color printer.[1]

[1] https://en.wikipedia.org/wiki/Machine_Identification_Code


Furthermore, in many OS those unique numbers are not protected from applications. For example, in Linux any application can read any hardware identifiers without any specific permissions. For comparison, in Android an application needs to have a permission to read phone or IMEI number.


Yes.

BTW, how does Windows hash your hardware serial numbers for DRM nowadays? I haven't used and checked it for a long time. Is it still the harddrive and the motherboard?


Barring an extremely risky, one-off backdoor in the management engine or your board or device firmware; there should be no reason why your hard disk, GPU, board, memory, and NIC UUIDs (MACs are configurable, and random by default in NetworkManager and some other network configuration systems) are available to third parties on a regular basis, unless you put software on your computer to make that happen.

Don't run spyware on purpose.


> unless you put software on your computer to make that happen

Couldn't that be ... any software?


Well, you could start by not installing software that you know exfiltrates these data, like Microsoft Windows, or Adobe Flash...


Even in free software, do you audit everything you install? Information security is only as strong as the weakest link.


Why not start with software which isn't known to deliberately disseminate information about your computer. Sure, if you move the goalposts all day, you'll never score.


The opposition to that, Clipper chip, and V-chip are three of the specific examples that come to mind when I think of cultural changes among CS techies.

My impression is that there used to be more awareness, concern, and forward-looking/vision about such things.

(I even recall techies being shunned for doing the tiniest fraction of invasiveness/recklessness that some major companies do today, yet those companies are now regarded as prestigious places for techies to work.)


> I even recall techies being shunned for doing the tiniest fraction of invasiveness/recklessness that some major companies do today

I remember uninstalling software and dismissing it as spyware for just phoning home. The very idea of a program regularly pinging some remote host to indicate the your machine was turned on and connected to the internet was offensive. Now basically every program does this, usually excused as checking for updates.

I think a lot of the problem was as it got easier for people to get online more and more people were using the internet who didn't understand the technology or how it could be used against them. They didn't care about anything but checking sports scores and online shopping and it let companies get away with taking advantage of them in ways the old nerds would never have accepted and once those nerds were vastly outnumbered by people who didn't know or care about privacy abuses the nerds no longer mattered.


I agree, but even the younger generation of nerds seem to not care as much about privacy issues, Free software, and other social/societal implications of computing, the same way that we used to in the Slashdot era. Seems like a cultural shift.

But how have I formed this perspective, about a social trend? It's my own extrapolation based on... anecdotes and social media, I guess. So it's hard to know if that picture (the before, after, or how things may have changed) is accurate.


I think this assessment is very apt, I've long wanted to get the chops to visualize all the action taking place on my network access. It's all so hidden and under the hood, it would be very revealing for a YouTuber to do a walkthrough to show how leaky apps and websites are and what sort of payloads are coming off their devices to remote targets.


> I've long wanted to get the chops to visualize all the action taking place on my network access. It's all so hidden and under the hood

You should look for tutorials on Wireshark or better yet get a Pi-hole and block ads over your entire network while you get trustworthy stats on where your traffic is going. That's probably the easier and more useful option. Casual packet inspection used to be much easier. Common traffic like HTTP, DNS, or SMTP are increasingly encrypted, but it used to be that you'd see everything pass over the wire plainly. A lot of the data companies send home is encrypted too so you might be able to identify which apps or programs are generating the most traffic or sending it to same shady destinations, but don't expect to see what data they are collecting from watching the network.


The culture was different in 90s. I remember that Windows used to ask a permission to connect to Internet to search for drivers. Today they just collect whatever telemetry they want without giving an option to disable it. I guess the reason for change is that their customers were mostly power corporate users then and now it is mostly ordinary people.


I think that permission was because Internet access used to be quite slow and expensive.


It still can be, but the new breed of hot tech companies doesn't give a damn.

Windows at least lets me mark a Wi-Fi network as metered today, which is a kind of global suggestion that "unnecessary downloads literally cost me money" - but I don't even know how much software except the OS itself cares.


Intel ME already can spit out the UUID of the chip and has been able to do it for over a decade.


Yes. Hence the 'death by a thousand cuts'. We couldn't fight every battle. We lost.


Hence the 'death by a thousand cuts'. We couldn't fight every battle. We lost.

So does the future belong to those who can administer the "thousand cuts?" In 2019, that means those who own the Cloud server farms and control the organizations that hire hordes of programmers. Does that mean that privacy is dead by an inexorable process? Doesn't that imply that individual liberty is also, eventually, dead?

How can we, the people, administer the thousand cuts?


>Does that mean that privacy is dead by an inexorable process?

Yes.

>Doesn't that imply that individual liberty is also, eventually, dead?

Yes.

>How can we, the people, administer the thousand cuts?

Stop carrying a cell phone.

There was a brief period of time, from 1990 to 8:40 AM, September 11th, 2001, when you could do all sorts of stuff online, and the powers that be either didn't, or couldn't, monitor it. That's changed, and that freedom will never come back.

However, no matter how bad the modern surveillance state gets, contrast it to the ancestral environment: a village of 50 to 200 people, most of whom are related to you, watch your every move, and can determine if you live or die. Hunter gatherers don't even have a word for "privacy". It would take real creativity for things to get that bad today.


> There was a brief period of time, from 1990 to 8:40 AM, September 11th, 2001, when you could do all sorts of stuff online, and the powers that be either didn't, or couldn't, monitor it.

The belief that September 11 brought in the dark times overlooks the actual history of things. The European Parliament’s ECHELON report, which detailed American massive interception and storage of internet and other electronics communications, was released in 2000. John Young’s website Cryptome was discussing the same stuff pre-9/11 that you found from people like Bruce Schneier afterwards. The revelations may not have been as big in the news like Snowden later, but it was well known that the NSA had rolled out extensive surveillance already by the turn of the millennium.


Agreed. Duncan Campbell's article "Somebody's Listening" about this is from 1988!

http://new.duncan.gn.apc.org/menu/journalism/newstatesman/So...


> It would take real creativity for things to get that bad today.

It is easily as bad or worse. Those 50-200 people knew and cared for each-other, and depended on each-other, and the surveillance was bidirectional. Whereas now you are monitored by actors almost entirely beyond your reach, that will feel no remorse in crushing you, should the command be given by whoever is in control.


> by whoever is in control.

Which may ultimately be a poorly tested, bias-ridden bit of AI code.


That is why 1984 is such a positive, optimistic work - all the nightmarish oppression worked so well and without bias!


Yes. Miserable as oppression is, it's handy if it only hurts you in circumstances that you could predict. Incompetent oppression can get you no matter what measures you think you've taken to live a quiet life.

Rather than 1984, the future we need to worry about will probably be more like something from Kafka.


Miserable as oppression is, it's handy if it only hurts you in circumstances that you could predict. Incompetent oppression can get you no matter what measures you think you've taken to live a quiet life.

Rather than 1984, the future we need to worry about will probably be more like something from Kafka.

This morning, I learned of a YouTuber with zero strikes, who followed all of the stated rules, who proactively deleted all of his demonetized videos, and yet still had his channel deleted. (1) If you talk to YouTubers, many of them, even mainstream ones, especially successful ones, will tell you that being governed on that platform is indeed Kafkaesque.

(1) - Black Pigeon Speaks. All of his opinions that I listened to were trash, but I still think he had the right to express them.


Also, and similarly to where conspiracy theories usually get the world wrong - someone was actually in control. In real life, no one is.


> Which may ultimately be a poorly tested, bias-ridden bit of AI code.

It already is controlled by a poorly tested, bias-ridden, strange AI system, called the market.


Stop carrying a cell phone.

How about stop using the Internet, driving a car, and participating in the economy? I don't think that helps.


So can SGX (under certain circumstances). So can your hard disk, your NIC, and probably your firmware via DMI.


Right, but those components typically don't have unchecked access to the rest of the system via back doors.


Your NIC is at least as dangerous as ME if you don’t have the ME connected to the network.


I also still cannot believe that people question the need for privacy so much. There is always the assumption that only people up for something evil are supposed to have something to hide. But data can always be abused and obviously privacy advocates have been repeating over and over again what bad things could happen.

And then people go to extremes with Tor, Noscript, Bitcoin and the like which would be completely unnecessary if the basic privacy requirements were fulfilled.


Bitcoin isn't extreme - it's very public and trackable. Monero on the otherhand isn't.


>We've long lost the war on privacy.

A bit of unnecessary FUD alarmism here. Seems like today's answer is no, probably not. It's just very difficult, requiring (i.e.) policy changes and mass adoption and transparent phone companies willing to not do dirty things with cellphones. I still think humanity can figure something out, people just have to step up.


If you're fighting against identification technology, of course you're going to lose. Identifiers have real benefits and as we've seen with American SSNs, identification, uh, finds a way. We should be fighting to exercise jurisprudence to prevent and limit abuses of identification, not dismissing unique IDs.


Just wait for ipv6 then, where Nat is no longer providing casual anonymity.


The IMEI identifies a device. It is, or should be, useful to lock stolen phones, though it can obviously be used to track someone who keeps the same phone even if they change SIM card.

The IMSI identifies the subscriber (and/or the SIM card) even if you change phone.

As long as people are able to call and be called and as long as people need to be billed there has to be a reliable form of identification.

This is not an "intrusive privacy violation", it is, as you point out, a technical requirement of our willingness to be reachable and most people think that the benefits far outweigh the very limited drawbacks.


> As long as people are able to call and be called and as long as people need to be billed there has to be a reliable form of identification.

Secrecy of user nyms is trivially solved by existing mix networks (eg TOR onion services). Network access/billing could be solved by blinded signature tokens or some other untraceable bearer instrument. Implementing latter would take cooperation from the network provider, or at least an MVNO and SIM manufacturer, but it is indeed possible.


Username checks out. Unfortunately, truth is spoken.

This is the danger inherent to full enumeration of the technologically enabled envelope. This is also the danger of the "market"; as it incentivized the ability to clearly specify the "who" of the customer.

It's why I've been getting increasingly uncomfortable with the economic push away from cash as the primary medium of economic exchange.

The death of the payphone marked the beginning of the end for infrastructure that wasn't in some way dependent or useful as a means of user surveillance.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: