It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

The Art of Cyber Defense I - Fingerprints

page: 1
11

log in

join
share:

posted on Aug, 1 2013 @ 01:16 PM
link   


The Art of Cyber Defense I - Fingerprints



Hello again ATS!

Given that the world is now aware of the fact that the Orwellian cat it out of the proverbial bag - and that everything we do online is monitored, tracked, recorded and can potentially be used against us in a myriad of nightmarish ways... I have decided to do a small series of threads to be titled The Art of Cyberwar. These will be threads based upon digital security issues, offering techniques that will help instruct the ATS community on simple things they can do to make the NSA, the FBI, and Cybercommand have to work that much harder to spy on us.

I will not be suggesting or instructing anything that is illegal or immoral in these threads and remind anyone participating that offering such advice ( hacking, cracking, exploiting, DDoS, virus, piracy, etc ) is against the rules of ATS and such posts will be removed promptly.


Opening Arguments



How often do we watch movies or television shows about cops or crime only to end up seeing some idiot get busted because he was too stupid to wear gloves, thus leaving behind a fingerprint that is then used to seal the deal on his conviction. Crooks are stupid! We'd never make THOSE sorts of mistakes if we were to find ourselves having to cross that line in the sand and go rogue! Right?

Wrong!

What if I told you that you are, this very second putting your highly compromising fingerprints on everything that you touch? What if I told you that your fingerprints are being analyzed and compared right this very second - even as you read these words?

Because it is true and you are. We all are...

The States Case



Today we will be discussing one of the primary things that makes a spies life easy... The fingerprint that our browser leaves behind on every single site that we visit. In the past this issue was mostly an annoyance. If you've ever noticed that certain ads seem to follow you from sight to sight - that is a function of your browsers fingerprint. The truth is that many of the plugins and addons that we rely upon today for our convenience and web based enjoyment are very much designed to fingerprint us online - to track and identify us. They were designed specifically for that purpose. Sadly now the implications are far more reaching and profound than simply being hounded by a bad advertisement.

A bit about browser fingerprints:


A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can fully or partially identify individual users or devices even when cookies are turned off.

Basic web browser configuration information has long been collected by web analytics services in an effort to accurately measure real human web traffic and discount various forms of click fraud. With the assistance of client-side scripting languages, collection of much more esoteric parameters is possible. Assimilation of such information into a single string comprises a device fingerprint.

Recently such fingerprints have proven useful in the detection and prevention of online identity theft and credit card fraud.


Source

This is an important fact to note. Some security minded people tend to think that only things like cookies and plugins are threats to our Cybersecurity. But the truth is that this is just the tip of the iceberg. In fact every single setting that you toggle in your web browser also adds to defining your more than likely unique browser fingerprint - things like your chosen browser theme, your privacy settings, your default search engine choices... everything. Even innocuous settings to your computer itself are mixed in and used to identify us - things like your monitors resolution and refresh rates. In fact one of the major identifying factors detected is the set of fonts installed upon my PC.

It's not just about cookies, Flash, and Java. It's not about toggling your FB privacy settings. Not by a long shot. In fact in my own summary my cookies came up with a 1 in 1.35 ratio... meaning that the settings I am currently using for cookies, and the cookies on this machine - are nearly universal. By way of comparison - my small collection of addons and plugins hit me with a 1 in 1,594,085. Easily enough to argue that my machine would be the machine in question should that fingerprint be compared for any reason.

The frightening truth of the matter is that even if you are somewhat knowledgeable about Internet security - you are still, very likely, leaving behind an easy to follow trail of everything you do.

Would you like to see just how secure your browser currently is? There is a way. Panopticlick can give you some very, very specific information. In fact it will show you your exact browser fingerprint and even tell you how common it is. Just click the "test me" button. This is a service offered by the Electronic Frontier Foundation and, while each of us has our own personal levels of trust vs paranoia - I have no qualms about letting this app run on my system.

Re: My results: I have to admit... I consider myself a person who is both aware and skilled in the area of computer security. So I was somewhat shocked when my review and summary came back headed by the following:


Your browser fingerprint appears to be unique among the 3,188,170 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 21.6 bits of identifying information.


My browser is unique among a set of over three million queries. I feel the need to point out that I tested this under my Windows partition, using Firefox 22 with what I would think are really, really common addons and plugins. I am running a theme - but it is an exceptionally common one. In my Windows partition I don't have anything running that I would even remotely think of as exotic or uncommon.

And still... unique out of over three million. My fingerprint. A fingerprint I leave behind, on average, hundreds of times per day... all over the world.

I imagine that anyone else taking the test will likely have similar results. Even those running bareback TOR will still show unique, or semi-unique fingerprints based upon basic personal computer or device settings.

The Defendants Case



The Electronic Frontier Foundation offers a fairly decent .pdf file here that helps address the issue in some depth. Additionally eHow has an article, as does geeknizer. But as a reader will soon discover, the answers are honestly not very helpful or conducive to actually enjoying the web.

In short, the end results are something like deciding to enter a foam filled army tank in a road race. Sure... you're probably not going to get hurt in a crash, but your precautions have totally removed all of the reason you wanted to be in a race in the first place.




edit on 8/1/13 by Hefficide because: (no reason given)




posted on Aug, 1 2013 @ 01:17 PM
link   
Still there are some steps suggested that can help remove some of the uniqueness of your fingerprint. Which steps would be right to take are largely a matter of personal preference. How much accessibility to you wish to lose in exchange for a bit more anonymity? I leave it up to the individual reader to research these methods ( a few of which the T&C forbid me from tabling - which is why I've opted to table none of them here ) and decide which, if any, are appropriate and acceptable.

The only real escape would be to disconnect entirely, throw away your electronic devices, stop talking on the phone and lose all of the convenience and recreation that the digital world offers.

Closing Arguments



As eluded to a moment ago, I think that the vast majority of us engage the Internet for pleasure and convenience. We want to be able to chat with our friends. We want to be able to shop, socialize, watch videos, listen to music, search information and engage in intellectual recreation when we are online. The idea of reducing ourselves to a Terminal based, text only experience here is simply unpalatable to the extreme.

We like the trendy and flashy things and we are not going to give them up for anonymity and security. Being able to Skype with distant relatives is a powerful and magical thing. Having the worlds knowledge at our fingerprints, there but for a few keystrokes - is something not even most science fiction authors would have dreamed of even 50 years ago. The Internet is a miracle and it is a great blessing that we it at our disposal... cheaply, conveniently, portably and nearly universal. It is a shame that a few jerks in power are obsessed with messing it up for all of us.

Are we willing to give up all of these amazing things now that we know they are being used against us? Now that we know that simply owning a computer and having Internet access tags us in the same way an RFID chip might? I do not think so. The allure of watching cats do funny things on Youtube is far more compelling than fears of digital tyranny and abuses of privacy.

For my own part, I do not overly stress about these issues. As troubling as they are and as disturbing as the implications may be... for the time being my nearly unique digital fingerprint is but one of hundreds of millions or even billions of other similarly nearly unique fingerprints. The hydra headed monster of Cyberterroristic spying by Corporations and Governments is a dangerous beast... but one that they still seem rather clueless as to how to utilize or tame. While this is rapidly changing thanks to supercomputers and cutting edge heuristics engines... I still feel relatively anonymous and safe here.

I do not yet feel as though I stand out in the crowd too much.

Having said that, I do feel very strongly that digital privacy and how it will effect our freedoms - worldwide, from nation to nation - is the singular most profound and important issue that we face today. Even experts currently are stymied by the potential for international abuses. Pandoras box has opened here and we are still trying to put together what it all means... we've barely even started trying to react or figure out a defense strategy. So far we've seen companies use Internet posts to justify firings... We've seen people arrested for hyperbolic Internet posts... And we've seen that our jaded leaders, globally, smirk and condescend as we have discovered just how invasive and pervasive their Cyber operations are. They are smug and assured in their arguments that the Digital world is not like the real world... protections we have in day to day life do not apply here.

I offer, humbly... Not only should these protections from tyranny and violation of privacy apply online - they must and they must do so soon. This is the frontier - this is the future... and what we do with this, or allow to be done with this, will impact our children and their children for generations to come.

Thanks ATS!



posted on Aug, 1 2013 @ 01:34 PM
link   
Thanks for the thread. S+F.

I think this goes along with it and sould be something to be very aware of...

Fingerprint Biometrics on New iDevices? The NSA will love this...
www.abovetopsecret.com...

edit on 1-8-2013 by Heliophant because: (no reason given)



posted on Aug, 1 2013 @ 02:01 PM
link   
That panopticlick thing had me down to 15.6 bits of info but it wouldn't take much for me to be well below that by altering a few strings and compiling my own browser so it told everyone i was using IE version 69, based in some weird country running windows 9.76 on a 1024bit operating system

Doing stuff like that isn't illegal but could cause a few webservers to go WTF and serve up the wrong content and it was funny when i changed a companies FTP server logon message to an MS one from the actual system it was (VMS) how the types of attacks changed and that was in the mid 1990's

The main way of not getting spotted would be to maintain two separate identities and do the normal stuff such as shopping/chatting with friends about crap that'll put the NSA bod listening to sleep such as the correct method of indexing thimbles via their weight and then having a second profile that is for anything you don't want traced such as using Tor proxies with a live boot CD so no trace is left on your machine



posted on Aug, 1 2013 @ 02:57 PM
link   
I really enjoyed your posts. Thanks for taking the time to write them. I took the test you linked to and was surprised to see my finger print was identical to yours as far as bits of identifiable information. I would say I am more aware of internet security than the average user, but that isn't saying much.

I think the most important part of your post is your closing statements. We can't expect the average user to have the technical ability or even the motivation to lock down their systems for security's sake. More importantly, we shouldn't have to.

Your comments about the future of internet freedom are very poignant and I agree 100%. People try to minimise the implications of NSA spying and other such government attempts to limit freedom on the internet but the reality is that it's a very grave situation. The internet has changed the world. It's impact on history wont even be fully understood for at least another 100 years since it is such a relatively new invention, but we can see it's potential with populist uprisings such as egypt and how it was instrumental in helping people to organize. People need to cherish an open and free internet just as much as the liberties afforded to them in their day to day lives. We shouldn't be expected to have to look over our shoulders for big brother with every click we make on the web.



posted on Aug, 1 2013 @ 06:23 PM
link   
Very Interesting Information ! This stuff really gets my mind going... Thx

But I have a question... as I know nothing about how this stuff works.

What if you lock down your system so that these "fingerprint" programs don't recognize the
unique factors for your individual setup. & lets say the program comes back with a hit
of "we couldn't sniff out any identifiers, we got zilch on our return"... & they know your
setup isn't for some fancy smanchy company that would likely have strong securities in place....

Would that not make your "fingerprint" stand out like a sore thumb, waving its arms saying here I am here I am... over here ? Causing them to try and dig deeper ?

To me it appears this would be a method of finding the needles in the haystack that they are
truly looking for.

I don't know ?
Just a thought
leolady



posted on Aug, 1 2013 @ 06:26 PM
link   
reply to post by leolady
 


The fingerprint is comprised of the base information that web pages need to exchange data with your local computer. Effectively you can block most of these things... but, as I said... you'll end up losing almost all functionality and access to many sights - until all you have left is a text only terminal window - no graphics or anything substantial or entertaining.



posted on Aug, 1 2013 @ 08:42 PM
link   
Not really worried about my internet activirty all they are gonna see is porn,guns,movies, and my bank account, and my ravings on ATS.

Yep this 'terrorist' is sooo interesting.

edit on 1-8-2013 by neo96 because: (no reason given)



new topics

top topics



 
11

log in

join