The Art of Cyber Defense I - Fingerprints
Hello again ATS!
Given that the world is now aware of the fact that the Orwellian cat it out of the proverbial bag - and that everything we do online is monitored,
tracked, recorded and can potentially be used against us in a myriad of nightmarish ways... I have decided to do a small series of threads to be
titled The Art of Cyberwar. These will be threads based upon digital security issues, offering techniques that will help instruct the ATS
community on simple things they can do to make the NSA, the FBI, and Cybercommand have to work that much harder to spy on us.
I will not be suggesting or instructing anything that is illegal or immoral in these threads and remind anyone participating that offering such advice
( hacking, cracking, exploiting, DDoS, virus, piracy, etc ) is against the rules of ATS and such posts will be removed promptly.
How often do we watch movies or television shows about cops or crime only to end up seeing some idiot get busted because he was too stupid to wear
gloves, thus leaving behind a fingerprint that is then used to seal the deal on his conviction. Crooks are stupid! We'd never make THOSE sorts of
mistakes if we were to find ourselves having to cross that line in the sand and go rogue! Right?
What if I told you that you are, this very second putting your highly compromising fingerprints on everything that you touch? What if I told you that
your fingerprints are being analyzed and compared right this very second - even as you read these words?
Because it is true and you are. We all are...
The States Case
Today we will be discussing one of the primary things that makes a spies life easy... The fingerprint that our browser leaves behind on every single
site that we visit. In the past this issue was mostly an annoyance. If you've ever noticed that certain ads seem to follow you from sight to sight -
that is a function of your browsers fingerprint. The truth is that many of the plugins and addons that we rely upon today for our convenience and web
based enjoyment are very much designed to fingerprint us online - to track and identify us. They were designed specifically for that purpose. Sadly
now the implications are far more reaching and profound than simply being hounded by a bad advertisement.
A bit about browser fingerprints:
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of
identification. Fingerprints can fully or partially identify individual users or devices even when cookies are turned off.
Basic web browser configuration information has long been collected by web analytics services in an effort to accurately measure real human web
traffic and discount various forms of click fraud. With the assistance of client-side scripting languages, collection of much more esoteric parameters
is possible. Assimilation of such information into a single string comprises a device fingerprint.
Recently such fingerprints have proven useful in the detection and prevention of online identity theft and credit card fraud.
This is an important fact to note. Some security minded people tend to think that only things like cookies and plugins are threats to our
Cybersecurity. But the truth is that this is just the tip of the iceberg. In fact every single setting that you toggle in your web browser also
adds to defining your more than likely unique browser fingerprint - things like your chosen browser theme, your privacy settings, your default search
engine choices... everything.
Even innocuous settings to your computer itself are mixed in and used to identify us - things like your monitors
resolution and refresh rates. In fact one of the major identifying factors detected is the set of fonts installed upon my PC.
It's not just about cookies, Flash, and Java. It's not about toggling your FB privacy settings. Not by a long shot. In fact in my own summary my
cookies came up with a 1 in 1.35 ratio... meaning that the settings I am currently using for cookies, and the cookies on this machine - are nearly
universal. By way of comparison - my small collection of addons and plugins hit me with a 1 in 1,594,085. Easily enough to argue that my
machine would be the machine in question should that fingerprint be compared for any reason.
The frightening truth of the matter is that even if you are somewhat knowledgeable about Internet security - you are still, very likely, leaving
behind an easy to follow trail of everything you do.
Would you like to see just how secure your browser currently is? There is a way. Panopticlick
can give you
some very, very specific information. In fact it will show you your exact
browser fingerprint and even tell you how common it is. Just click
the "test me" button. This is a service offered by the Electronic Frontier
and, while each of us has our own personal levels of trust vs paranoia - I have no qualms about letting this app run on my system.
Re: My results: I have to admit... I consider myself a person who is both aware and skilled in the area of computer security. So I was somewhat
shocked when my review and summary came back headed by the following:
Your browser fingerprint appears to be unique among the 3,188,170 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 21.6 bits of identifying information.
My browser is unique among a set of over three million queries. I feel the need to point out that I tested this under my Windows partition, using
Firefox 22 with what I would think are really, really common addons and plugins. I am running a theme - but it is an exceptionally common one. In my
Windows partition I don't have anything running that I would even remotely think of as exotic or uncommon.
And still... unique out of over three million. My fingerprint. A fingerprint I leave behind, on average, hundreds of times per day... all over the
I imagine that anyone else taking the test will likely have similar results. Even those running bareback TOR will still show unique, or semi-unique
fingerprints based upon basic personal computer or device settings.
The Defendants Case
The Electronic Frontier Foundation offers a fairly decent .pdf file here that helps address
the issue in some depth
. Additionally eHow
has an article, as does
. But as a reader will soon discover, the answers are honestly not very helpful or
conducive to actually enjoying the web.
In short, the end results are something like deciding to enter a foam filled army tank in a road race. Sure... you're probably not going to get hurt
in a crash, but your precautions have totally removed all of the reason you wanted to be in a race in the first place.
edit on 8/1/13 by Hefficide because: (no reason given)