 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
3 edits | Worse than Reported - Undeleteable Cookie Survives Wipe
disclaimer: I know the kissmetrics/evercookie story has been posted (and posted). However, I've found something new and it might be important. I've opened up a new thread so I can get fact-checked. Thanks for patience.
I allege that:
• KissMetrics can track a user by just their hardware.
• A user can't escape Kissmetrics tracking - even if they wipe their hard drive.
Below is my evidence for making that claim.
Part 1
• I have a workstation that used to belong to a client of mine, 2 years ago. I'm calling that client - Defunct Company Inc. or DCI.
• The workstation has been used by me, at a new company, for over a year. The workstation came with an IDE Drive w/ Server 2003 on it.
• Some months ago, I tossed the IDE drive and installed a SCSI 320U that I purchased locally. The drive was empty and I installed Win7Pro.
I also installed a new NIC and Video card.
Part 2
Today I attempted to download the i.js file referred to in TheReg Article - that was listed in the Morning Links.
The article mentions: quote: A piece of JavaScript hosted on kissmetrics.com
and gives its url as
http://i.kissmetrics.com/i.js .
In Firefox 5, I right clicked the link and chose Save Link as. FFox defaulted to save as Firefox Document and I wound up with a file called i.js.htm .

Here's the thing. I got curious and opened i.js.htm in notepad and found the following.
<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40"><head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="ProgId" content="Word.Document">
<meta name="Generator" content="Microsoft Word 11">
<meta name="Originator" content="Microsoft Word 11">
<link rel="File-List" href="http://i.kissmetrics.com/Blank_files/filelist.xml">
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>Administrator</o:Author>
<o:LastAuthor>Administrator</o:LastAuthor>
<o:Revision>1</o:Revision>
<o:TotalTime>1</o:TotalTime>
<o:Created>2008-04-29T21:02:00Z</o:Created>
<o:LastSaved>2008-04-29T21:03:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Company> * * * Defunct Company Inc. * * * </o:Company>
<o:Lines>1</o:Lines>
<o:Paragraphs>1</o:Paragraphs>
<o:Version>11.9999</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
There's more, but I don't think it's relevant. Just in case, I pastebin'd it here.
Looking at the line by itself above, I learn that:
• Kissmetrics tied this machine to Defunct Company Inc. - the company that operated it - 2+ Years Ago.
• They were able to do this, even after I changed the HDD and loaded a new OS.
Part 3 - Let me be clear. There is no software on this workstation - that has any ties to the old Defunct Company Inc.
to recap: This is a different drive, a different OS, a different NIC, a different location.
It looks to me like kissmetrics can track wholly by a hardware ID that is re-create-able after a system wipe.
That's it. I'm looking for supporting information on the (alleged) method of tracking or where the flaws in my logic are. Either way.
Thanks for reading.
NV
-- Adopting other people's animosity is The New Stupid. |
|
 therube join:2004-11-11 Randallstown, MD | Spoof the MAC. Spoof the HDD volume ID. Spoof the HDD serial number.
Help any? |
|
 Dude111An Awesome DudePremium join:2003-08-04 USA kudos:10 Reviews:
·Time Warner VOIP
| reply to Noah Vail
quote: FFox defaulted to save as Firefox Document and I wound up with a file called i.js.htm
Hmmm when i save that file it saves as "i.js" and if i read that file with notepad this is all it says:
if(typeof(_kmil) == 'function')_kmil(); |
|
 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
| reply to therube
Re: Worse than Reported - Undeleteable Cookie Survives Wipe
said by therube: Spoof the MAC. Spoof the HDD volume ID. Spoof the HDD serial number. Help any?
In this case no. I replaced all three and was still tagged.
Even if my conclusions are right, we still don't know what identifiers they're using. I'd peg the BIOS string first. That was a component w/ Vista's WGA activations.
The bigger point is that our systems are permanently trackable and there's nothing we can do about it - at the moment.
and
If government isn't applying this tech to us, it's a matter of time till they do.
NV -- Adopting other people's animosity is The New Stupid. |
|
 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
1 edit | reply to Dude111
Re: said by Dude111: quote: FFox defaulted to save as Firefox Document and I wound up with a file called i.js.htm
Hmmm when i save that file it saves as "i.js" and if i read that file with notepad this is all it says:
if(typeof(_kmil) == 'function')_kmil();
I fired up a fresh Windows XP VM and got the same thing.
Back to the workstation; when I swap https for http, I get the 38 byte i.js - same as you do.
There's a lot I don't yet understand here. But what I do - I doubt it can be explained away. I suspect we're at the edge of something unsavory.
We'll see.
NV -- Adopting other people's animosity is The New Stupid. |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 1 edit | reply to Noah Vail
Re: Worse than Reported - Undeleteable Cookie Survives Wipe
When I open that file in notepad, first Script Sentry checks the file and says it is safe to open, then I get the above.
Earlier before Kissmetrics changed things, I could see (in Proxo's log window) them trying to set an etag. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
| This blog has a really thorough step-by-step on the mechanism and application of this menace.
He's first experimenting behind a transparent proxy. Once he sees how it skews ETag exploitations, he ditches the proxy so he can watch the KissMetrics intrusions form normally.
He is good enough to document both approaches; which I'm going to appreciate tomorrow - after I've had some sleep.
said by Likai Liu: When I read "Researchers Expose Cunning Online Tracking Service That Can't Be Dodged" on Slashdot, many commentators there thought disabling JavaScript could prevent tracking because the disclosure on how KISSmetrics works mentions serving two pieces of JavaScript file. However, JavaScript here is the red herring. The magic happens with ETag,
...(conclusion)
If you want to surf the web without being tracked, you (1) disconnect from the network, (2) reconnect, and (3) prime the transparent proxy's cache with a new identity request; then without clearing browser cache or cookies, you will be issued a new identity. However, it is possible that when the browser presents an old identity alongside the new identity, KISSmetrics can correlate and merge the two identities.
g'Night
NV -- Adopting other people's animosity is The New Stupid. |
|
|
|
 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
| reply to Dude111
Re: said by Dude111: quote: FFox defaulted to save as Firefox Document and I wound up with a file called i.js.htm
Hmmm when i save that file it saves as "i.js" and if i read that file with notepad this is all it says:
if(typeof(_kmil) == 'function')_kmil();
BTW: Googling that line of script (you were kind enough to supply), yielded some valuable information.
Thanks.
NV -- Adopting other people's animosity is The New Stupid. |
|
 | reply to Noah Vail
Re: Worse than Reported - Undeleteable Cookie Survives Wipe '»online.wsj.com/article/SB1000142···546.html'
"Even if people modify their machines - adding or deleting fonts, or updating software - fingerprinters often can still recognize them. There's not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent" |
|
 Dude111An Awesome DudePremium join:2003-08-04 USA kudos:10 | reply to Noah Vail
Hehe what information??
 |
|
 therube join:2004-11-11 Randallstown, MD | reply to Noah Vail
Re: Worse than Reported - Undeleteable Cookie Survives Wipe (What KissMetrics is doing is decade old news (the concept at least). Maybe that is known here, but hadn't read about KM before. From KISSmetrics controllable using Fx/NS? to Bug 231852 - ETag: filtering to counter web tracking, to links to a report from 2000, which is essentially what likai has re-reported.) |
|
 Noah VailSon made my AvatarPremium join:2004-12-10 Lorton, VA kudos:1 Reviews:
·Bright House
·Sprint Mobile Br..
| Agree that the concept of persistent user IDs has been in development for most of a decade.
However, if I'm right about this method for tracking, it changes the game for those of us who abhor being stalked by marketers.
NV
out of area on service call - will rejoin topic late today -- Adopting other people's animosity is The New Stupid. |
|
 | reply to Noah Vail JJoe posted an ETag removal filter for Proxomitron users here. |
|
 jp10558Premium join:2005-06-24 Willseyville, NY | reply to Noah Vail I'm really not understanding this then, if I clear my cache, it does or does not affect this? What the heck is an etag? |
|
 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:1 Reviews:
·Time Warner Cable
·Time Warner VOIP
·AT&T U-Verse
| Normally an e-tag is used to identify an image and the server sends this ID to the client. When the client requests an image it first requests the header and if the image header contains the same e-tag the client doesn't download the image. It's a way to save bandwidth to make it so that already downloaded content isn't downloaded again.
This is a blatant violation of the use of the e-tag. -- Tom Boycott AT&T uVerse! | Tom's Android Blog |
|
 AVDRespice, Adspice, ProspicePremium join:2003-02-06 Onion, NJ | According to XXXXXX Policy
You tried to access a site that is blocked due to its content.
This site has been categorized as: Suspicious;Non-viewable.
The site that was accessed is: http://i.kissmetrics.com/i.js.
If you believe that this site is a business requirement
Please contact Network Security via e-mail InternetSecurity@XXXXXX.com: Click Here
For auditing purposes you are being logged as: XXXXXX / InternetGroups==FTP
For your reference please refer to our Internet Access and Usage Procedure XXXXXX located XXXXXX.
-- Standard disclaimers apply. Atomic batteries to power. Turbines to speed. |
|
 AVDRespice, Adspice, ProspicePremium join:2003-02-06 Onion, NJ | reply to Noah Vail
said by Noah Vail: Agree that the concept of persistent user IDs has been in development for most of a decade. However, if I'm right about this method for tracking, it changes the game for those of us who abhor being stalked by marketers. NV out of area on service call - will rejoin topic late today
but it looks like this has gone beyond "proof of concept" to verified in the wild. -- Standard disclaimers apply. Atomic batteries to power. Turbines to speed. |
|
 | reply to jp10558 said by jp10558:What the heck is an etag? HTTP ETag |
|
 OZOPremium join:2003-01-17 kudos:2 | reply to trparky
said by trparky: When the client requests an image it first requests the header and if the image header contains the same e-tag the client doesn't download the image. It's a way to save bandwidth to make it so that already downloaded content isn't downloaded again.
The common (and secure) way to facilitate the local cache management is to use two records in HTTP header:
Last-Modified: Wed, 17 Aug 2011 05:43:48 GMT
If-Modified-Since: Wed, 17 Aug 2011 05:43:48 GMT
First comes from server, when it downloads the file to web browser. The second one is in HTTP header of the request, that web browser sends to server, when it wants to download the same file. That's completely enough to make local cache very effective.
quote: Normally an e-tag is used to identify an image and the server sends this ID to the client...
The declared usage of ETag to reduce web traffic was a deceptive goal. Why?
1. There is already a way to manage local cache effectively (see above)
2. There is no better way to track the user, than to send him an arbitrary generated unique ID created by web server and then get that ID back every time user uses the page. The ETag fits the goal perfectly...
Note: the method by which ETags are generated has never been specified at any time in the HTTP specification. [src]
quote: This is a blatant violation of the use of the e-tag.
Unless it was specifically designed for the purpose of tracking users. Quite often no one likes to admit the real goals behind such "innovations". -- Keep it simple, it'll become complex by itself... |
|
 | reply to FF4me From HTTP ETag:
The use of ETags in the HTTP header is optional (not mandatory as with some other fields of the HTTP 1.1 header). The method by which ETags are generated has never been specified at any time in the HTTP specification.
Because ETags are cached by the browser, and returned with subsequent requests for the same resource, a tracking server can simply repeat any ETag received from the browser to ensure an assigned ETag persists indefinitely (in a similar way to persistent cookies).
In 2007, two Mozilla Firefox add-ons were made to prevent the usage of ETags for tracking [here and here]. |
|
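The ETag persistence quoted above, and the effect of an ETag removal filter of the kind mentioned for Proxomitron, as an added example that is not part of the thread and is not the Proxomitron filter itself. The server, the browser cache and the names `filter_request`, `filter_response` and `linked_visits` are constructed for illustration.

```python
import uuid

def strip_headers(headers, blocked):
    """Return a copy of headers without the blocked names (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in blocked}

def filter_response(headers):
    # Drop the validator before the browser can cache it; Last-Modified passes.
    return strip_headers(headers, {"etag"})

def filter_request(headers):
    # Drop a tag that was cached before the filter was installed.
    return strip_headers(headers, {"if-none-match"})

class TaggingServer:
    # Constructed stand-in: repeats any ETag it receives, else issues a new one.
    def __init__(self):
        self.visits = {}  # ETag value -> number of requests linked to it
    def handle(self, request):
        tag = request.get("If-None-Match")
        status = 304 if tag else 200
        if tag is None:
            tag = '"%s"' % uuid.uuid4().hex  # unique per new visitor
        self.visits[tag] = self.visits.get(tag, 0) + 1
        return status, {"ETag": tag}

class Browser:
    # Minimal cache: stores the validator and replays it on the next visit.
    def __init__(self, filtered, cached_tag=None):
        self.filtered = filtered
        self.cache = {"ETag": cached_tag} if cached_tag else {}
    def visit(self, server):
        request = {}
        if "ETag" in self.cache:
            request["If-None-Match"] = self.cache["ETag"]
        if self.filtered:
            request = filter_request(request)
        status, response = server.handle(request)
        if self.filtered:
            response = filter_response(response)
        self.cache.update(response)
        return status

def linked_visits(filtered, visits=3, cached_tag=None):
    """Largest number of requests the server could tie to a single ETag."""
    server, browser = TaggingServer(), Browser(filtered, cached_tag)
    for _ in range(visits):
        browser.visit(server)
    return max(server.visits.values())
```

Without the filter all three visits carry the same tag; with it, each request looks like a new visitor even when a tag was already in the cache.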