Blackraven2

Don't tell everyone which websites you are visiting.

Hi.

This is a journal about privacy.

Which webpages we visit, how often, which login names we have on them and what we search for on the net tell an awful lot about each and every one of us.

This information is very valuable, for a lot of people, which is why very powerful organizations make a lot of effort to find out and track absolutely everyone on the web.

A few examples:

- Large advertising networks try to find out as much as possible about everyone, to optimize which advertisements they show and thereby their clients' (and their own) profits.
- Law enforcement is interested in this information to track criminal activity or profile potential criminals.
- National security wants to track the digital footprint of dissidents, radical opposition, terrorists, foreign agents
- Cyber criminals and national entities try to identify potential targets (in important positions or with exploitable weaknesses) for further cyber and offline attacks as well as for information gathering itself
- Commercial entities want to track the behavior of their existing as well as potential customers to optimize their profits. (As well as those of the competition)
- ...

Obviously this tracking has a negative impact on the one being tracked. It can mean:

- A nuisance, such as suddenly being bombarded with advertisements for embarrassing products on sites such as facebook, youtube and amazon, after clicking on just one bad link
- Getting worse deals than other people in online shops, because some scoring algorithm figured you wouldn't actually buy more, or more often, just because you got a discount today
- Becoming a victim of cybercrime, such as very well targeted phishing emails
- Having one's credit rating or chances of getting employment affected because of 'scoring agencies' using this data
- Ending up on no-fly lists and other discriminating suspect lists
- Ending up under criminal investigation or other governmental suppression, or even in jail or "disappeared" (can be severe in some countries such as China or in the Middle East), just for visiting the wrong webpage

A list of entities that collect these data:

1. ISPs and higher tier internet carriers track their customers' data, for their own reasons and by demand of law enforcement and government organisations
2. Government organisations such as NSA and others wire tap internet traffic directly. (Worldwide!)
3. Advertisement companies track the customers across all affiliated webpages
4. Search engines, social networks and popular sites (facebook, youtube, twitter, ..., ...) track the users of their services
5. Cloud and other centralised web service providers track the visitors of affiliated webpages.
(This includes fast-load library providers such as ajax.googleapis, DDOS prevention services such as Cloudflare and Akamai, cloud hosting such as Amazon, Microsoft and Google Cloud, etc.)

And all of the above can also be "misused" by 3rd parties to collect the data for them. Cyber-criminals and foreign powers can infiltrate the databases, government organizations and law enforcement can enforce access through national security letters or court orders. Commercial actors can simply "sell" the datasets to anyone willing to pay, etc...
And of course some idiot can elect a wanna-be dictator in the next election that uses all this collected data to kill anyone with Latino or Jewish forefathers and send all Inkbunny-users to Guantanamo Bay.

But as a user you are not always completely powerless. It is possible to visit webpages and still stay off the radars of everyone else - or at least most entities who'd want to know about it.

Let's have a look at possible countermeasures:

1.
Tracking by the ISP is the hardest to prevent, since all your data will pass through your ISP's connection.
a) You can "delegate" the problem by using a VPN provider, but that only effectively switches the ISP for your VPN service provider. It can be used to get a certain bad player with a local monopoly out of the loop, but not prevent the issue as such.
b) Use an anonymizing dark net service such as TOR to access the web. It will cut your ISP out of the loop, but will also be very slow. It can be a bit tricky to set up, and might be illegal in some oppressive countries. Be aware that some "exit nodes" are spying on you, and sometimes manipulate the traffic / insert malicious javascript code into unencrypted html traffic.
c) Use your own local DNS resolver instead of your ISP's (DON'T USE Google's 8.8.8.8, you don't want to switch Lucifer for Beelzebub) and also use browser extensions such as "HTTPS Everywhere" to encrypt as much traffic as possible. That way your ISP still sees the IP addresses you are connecting to, but no longer individual URLs and data.

Using a) in combination with c), or at least c), is a must, but b) is needed if *they* are really after you. (If you're a blogger in Syria or Tibet or something like that. Or a climate activist under the Trump administration, who knows ;) )

2.
The same countermeasures as for 1. apply. Use encryption wherever possible.

3.
Do NOT, EVER surf without an ad-blocker, scripting protection and blacklists for the main tracking and advertising sites.

4.
- Block embedding of facebook and twitter scripts and buttons on 3rd party sites. (Browser extensions and blacklists)
- Use a separate private browsing instance for social media, so you are never logged in to facebook and google at the same time with the same browser profile.
- Use several distinct identities and accounts for different activities (work, recreational, pr0n, club/non work related stuff, political stuff).
- Use different browsers for different accounts, or at least different browser profiles (or fresh new private windows). If you log in to two different accounts from the same browser even once, or still have the old session cookie lingering around, Google will forever remember that both were accessed from the same computer, so you need to be disciplined about that!
- Remember that Google and Bing "crawl" all webpages and run the information through state of the art artificial intelligence to correlate information, so keep your "identities" separated by not listing them together on any webpage that gets crawled. (Sites that require login to see the content should be mostly fine.)
- Use different email accounts for different identities and account recovery, even if they all get forwarded to your main account in the end.
- Use different passwords for different sites as well as different identities (that's more a security thing than a privacy thing, but still very important).
- Lately Google and others demand that users authorize their accounts by providing cellphone numbers. Always use different (prepaid) SIMs for that, or Google will still know that the accounts all belong to the same person.
- Use 3rd party search engines that track less wherever possible (DuckDuckGo for example); that also helps to prevent "information bubbles".

5.
For some content you can set up local mirrors. (There's a Firefox extension for local caching of stuff like googleapis and googlefonts used by many webpages, see below.) It also helps to use fresh private browsing sessions instead of opening multiple tabs simultaneously, so that, although the accesses still come from the same IP, the cloud service provider can't be certain that two accesses to 2 different webpages using their infrastructure are really from the same individual. IPs do get shared nowadays.
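
Countermeasures 3 to 5 can be checked against your own browsing. The following is an added example, not part of the original journal: it takes a log of which resources each visited page loaded and reports which third parties saw you on more than one site, before and after a blacklist and a local mirror are applied. The log entries, the `.example` sites and all function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browsing log: (page the user opened, resource that page loaded).
REQUESTS = [
    ("https://news.example/article", "https://news.example/style.css"),
    ("https://news.example/article", "https://www.google-analytics.com/analytics.js"),
    ("https://news.example/article", "https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"),
    ("https://forum.example/thread/1", "https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"),
    ("https://forum.example/thread/1", "https://ad.doubleclick.net/pixel.gif"),
    ("https://shop.example/cart", "https://www.google-analytics.com/collect"),
    ("https://shop.example/cart", "https://cdn.shop.example/app.js"),
    ("https://art.example/gallery", "https://img.art.example/1.png"),
]


def host(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def site(hostname):
    """Naive 'registrable domain': the last two labels of the hostname.

    Simplification for this example; real tools consult the Public Suffix
    List so that names under suffixes like co.uk are grouped correctly.
    """
    return ".".join(hostname.split(".")[-2:])


def matches(hostname, domains):
    """True if hostname is one of the domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def observers(requests, blocklist=(), local_mirror=()):
    """Map each third-party site to the first-party sites it saw you on.

    blocklist: domains whose requests the browser refuses to send.
    local_mirror: hosts answered from a local cache, so nothing leaves.
    """
    seen = defaultdict(set)
    for page_url, resource_url in requests:
        first_party = site(host(page_url))
        resource_host = host(resource_url)
        if site(resource_host) == first_party:
            continue  # same site: the operator knows about the visit anyway
        if matches(resource_host, blocklist) or matches(resource_host, local_mirror):
            continue  # request never reaches the third party
        seen[site(resource_host)].add(first_party)
    return {third: sorted(sites) for third, sites in seen.items()}


def cross_site_trackers(requests, **countermeasures):
    """Third parties that can link your visits to two or more sites."""
    result = observers(requests, **countermeasures)
    return sorted(t for t, sites in result.items() if len(sites) > 1)


if __name__ == "__main__":
    blacklist = ("google-analytics.com", "doubleclick.net")
    print("no protection:  ", cross_site_trackers(REQUESTS))
    print("blacklist only: ", cross_site_trackers(REQUESTS, blocklist=blacklist))
    print("plus mirror:    ", cross_site_trackers(
        REQUESTS, blocklist=blacklist, local_mirror=("ajax.googleapis.com",)))
```

On the sample log the blacklist removes the analytics tracker but leaves the shared script library provider able to link two sites; only the local mirror closes that gap.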


A few useful links:
TOR Browser
https://www.torproject.org/projects/torbrowser.html.en
A privacy enabled browser that routes traffic through the TOR anonymizing network and bundles a few other privacy extensions. Read the documentation for details. It's a pretty good "all around privacy shield", but TOR can be slow and some stuff might not work (Google will ask you for a captcha answer for every search request if your access comes through TOR).
It includes some useful addons, but one should definitely install request policy, decentraleyes and canvas blocker on top of it to prevent identity leakage.
In the past there were cases where malicious government organizations managed to compromise the TOR browser repository and add deliberate tracking code. Since then additional safeguards have been put in place, but you should always check the updates to any of the listed extensions below to make sure no one changed them to suddenly do the opposite of what they are supposed to do. They are prime candidates for such attacks since tracking their users allows tracking of the target audience that doesn't want to be tracked.

Firefox Browser extensions:

Decentraleyes: https://addons.mozilla.org/en-US/firefox/addon/decentra...
Locally caches stuff like Google APIs and fonts used by many webpages, so your browser won't report to Google every time you visit them
HTTPS everywhere: https://www.eff.org/Https-Everywhere
Enforces encrypted traffic for all webpages that support it, even if they normally use unencrypted channels
Canvas Blocker: https://addons.mozilla.org/de/firefox/addon/canvasblocker/
Prevents misuse of the Canvas browser extension to identify users
Request Policy (continued): https://addons.mozilla.org/de/firefox/addon/requestpoli...
Firefox extension that blocks any requests to 3rd party sites, such as trackers and advertisements, but also sometimes blocks necessary connections such as cloud storage and offsite stylesheets. Can be easily fine-tuned but needs some work to get used to.
uBlock Origin: https://addons.mozilla.org/de/firefox/addon/ublock-origin/
Blacklist based tracking blocker that can also be set up to block all 3rd party requests like Request Policy does, but is more elaborate to configure. But unlike Request Policy it's available for Firefox Android!
RefControl: https://addons.mozilla.org/en-US/firefox/addon/refcontrol/
By default, any time a web resource is loaded, either by clicking on a link or automatically because it's embedded in a webpage (links, images), the browser includes the origin page in the HTTP request. This extension allows you to override this behavior so that this information is not disclosed, which makes your surfing behaviour less traceable.
NoScript: https://addons.mozilla.org/de/firefox/addon/noscript
A standard Malicious Script blocker that also impairs tracking and advertising. Good to have.

(Also make sure to disable 3rd party cookies in the browser's privacy settings!!!!)

DNS server
Under Linux it's relatively easy to set up a local DNS resolver which directly retrieves zones from the root servers instead of going through your ISP's DNS resolver. Just install "bind" https://de.wikipedia.org/wiki/BIND and configure neither your ISP's forwarder nor any local zones. Make sure to replace your ISP's or router's DNS server with your local one. (127.0.0.1 if it's on your local PC, or the IP of your Linux box if you have a separate computer for that)

Be aware that ISPs in some countries block DNS requests in their network that don't go over their own DNS. If that is the case you might need to employ a VPN provider or switch ISP to be able to run your own resolver. Also write a letter to your local government representative in which you demand stricter network neutrality, so ISPs can't randomly restrict which part of the internet you can use or not.
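
A way to check that a machine really ends up in the state described above (system resolver pointing at the local BIND, and BIND not forwarding to anyone). This is an added example, not part of the original journal; the sample file contents and all function names are constructed, and the comment stripping is simplified.

```python
import ipaddress
import re

# Constructed sample files (not taken from a real machine).
BAD_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 8.8.8.8
"""
BAD_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    // forwarders { 10.0.0.1; };   commented out, must be ignored
    forwarders {
        192.168.1.1;   # the router, which relays to the ISP
    };
    recursion yes;
};
"""
GOOD_RESOLV_CONF = "nameserver 127.0.0.1\n"
GOOD_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};
"""

# systemd-resolved's stub listener: a loopback address, but it forwards
# queries to whatever upstream resolver the network handed out.
STUB_LISTENER = "127.0.0.53"

# named.conf accepts /* */, // and # comments (simplified: ignores quoting).
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
_FORWARDERS = re.compile(r"\bforwarders\s*\{([^}]*)\}")


def nameservers(resolv_conf):
    """Addresses from the 'nameserver' lines of resolv.conf content."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.strip().split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify(server):
    """Return a finding name for a nameserver address, or None if it is local."""
    if server == STUB_LISTENER:
        return "stub-resolver"
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "unparsable-nameserver"
    return None if addr.is_loopback else "remote-nameserver"


def configured_forwarders(named_conf):
    """Every entry of every non-commented 'forwarders { ... }' block."""
    text = _COMMENTS.sub("", named_conf)
    found = []
    for block in _FORWARDERS.findall(text):
        found += [item.strip() for item in block.split(";") if item.strip()]
    return found


def audit(resolv_conf, named_conf):
    """List of (finding, detail) tuples; an empty list means the setup matches."""
    findings = []
    for server in nameservers(resolv_conf):
        problem = classify(server)
        if problem:
            findings.append((problem, server))
    findings += [("forwarder", f) for f in configured_forwarders(named_conf)]
    if re.search(r"\brecursion\s+no\s*;", _COMMENTS.sub("", named_conf)):
        findings.append(("recursion-disabled", "named cannot act as a resolver"))
    return findings


if __name__ == "__main__":
    for name, args in (("bad", (BAD_RESOLV_CONF, BAD_NAMED_CONF)),
                       ("good", (GOOD_RESOLV_CONF, GOOD_NAMED_CONF))):
        print(name, audit(*args))
```

To audit a real machine, pass the contents of `/etc/resolv.conf` and of your BIND options file to `audit()`.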

Alternative Search Engine
DuckDuckGo https://duckduckgo.com/ allows anonymized access to the index of other search engines.



If you know of additional things to keep in mind, and additional tools (including suitable plugins for other browsers) please leave a comment below. (And please don't mention tin-foil hats. Aside from derailing any discussion, effectively putting a high-gain antenna on your head doesn't really make you any less susceptible to their mind control rays *scnr* ;) )
Added: 7 years, 2 months ago
 
CubSnuffer
7 years, 2 months ago
If you are using any mainstream browser in a configuration that lets you see a modern website in a form that isn't completely broken and unusable, you can be tracked. Period.

You have to block ALL scripts. You have to block ALL plugins. You have to block almost all HTML5 features. You have to spoof useragent. You have to stop the browser from requesting preferred languages. You have to give up fluid layouts, because your window size and resolution are highly fingerprintable (and doesn't require scripts to be identified, plain CSS can do it by retrieving different server resources conditionally.). And a million other things, almost all of which are NOT user configurable options. And if you manage to block everything, that also makes you unique and identifiable by your very lack of signature that everyone else leaves behind.

(See, for instance EFF's Panopticlick project.)

Blackraven2
7 years, 2 months ago
In theory you are right. There are techniques to fingerprint a system's signature even across different browsers. I think only last week there was a paper about fingerprinting the GPU through an HTML5+Canvas+CSS based timing attack. They measured tiny differences in how fast some features were drawn versus others, and could re-identify a unique system even if a different browser on a different operating system was being run within a VM - but with access to the same graphics card for rendering.

It was proof of concept, the Javascript code to identify the system had to run several minutes of tests (at full GPU load) to magnify the tiny discrepancies with enough significance - much longer than the average user would be staying on a webpage, but it's possible. To defend against this class of attacks, you'd have to run your browser on a software emulated system, emulating both CPU and GPU with a fixed, non variable speed. And even then, they could track you based on timing characteristics of your internet router that you have no control over.

However I was not talking primarily about the webpage one is visiting being able to track you. That is a futile battle. They know exactly what information you accessed, so all they need to track is who is accessing it. That is trivial on a much higher level since you can also fingerprint the browsing behaviour of the person using the browser - much like you can identify users by the key press frequency by which they are using their computer keyboard.

But, if we assume the direct and primary target of the HTTP request is not hostile, and does either not track, or we don't care if he tracks, then it becomes a question about preventing bystanders from tracking you. Especially the same bystanders that try to track you on every single other request to every single other page too.

And there you have a fighting chance. Even a blacklist entry for just google analytics and doubleclick.net reduces your visibility to this driveby tracking by 50%. Enable HTTPS and a custom DNS resolver and your ISP as well as NSA style, carrier level, wire taps lose the vast majority of information about you.

Use the various extensions mentioned above, and you limit your exposure to the operator of the webpage you are visiting as well as his most direct providers (hosting provider, DDOS mitigation, and/or cloud services if used)

Of course, if you visit a forum and disable 3rd party requests, all the embedded gravatar images and youtube videos will stop working. It's your choice if you enable them, then both services will know when you visit that forum and which threads. If you disable them, you only see placeholder images and gaps.

Some sites play nice. Inkbunny for example used to do no 3rd party requests at all. No google analytics, no google fonts or similar crap. Since 2-3 years ago, the bulk image data is loaded from metapix.net, but that domain is registered to the same entity (Metafur foundation, Laurence Parry)
The main domain's exposed node, through which your login credentials and this journal's text flow, is hosted via Dutch provider "Leaseweb" while metapix is hosted by Florida provider NearlyFreeSpeech.NET
An interesting combination. But as privacy friendly as a site that comes under repeated DDOS threats can get.

Compare that with sofurry.com. Sofurry also uses 2 domains for page and content, both hidden behind Cloudflare's network for DDOS "protection". But the page also actively involves trackers: google analytics and newrelic. And worse, the latest incarnation of their webpage doesn't even work without loading external javascript code from ajax.googleapis. In short, they make it hard for you to avoid tracking, but if you install request policy and decentraleyes to locally cache the ajax library, the site works fully and the only 3rd party you can't avoid tracking you is US based Cloudflare. (And whoever their hidden hosting provider is, I heard it's in Germany.)


Blackraven2
7 years, 2 months ago
Now if we look at the average US newspaper outlet domain, then it becomes horrific.

On washingtonpost.com I counted 13 different 3rd party trackers, a major cloud service provider for content hosting, and the page's code itself is actually full of javascript code that tries to squeeze as much information out of the unsuspecting visitor as possible.

If you don't want to be tracked, the solution is simple. Don't fucking go there. It's as if you'd try to enter the airport's security area without wanting to show your ID, that simply doesn't work - not legally at least. A hacker might be able to do it using a backdoor in their system to access the database hosting the articles, but not through the front door with its 1000 face recognizing cameras pointed at you.

But then again that's fine. Just keep an android phone around with the sole purpose of visiting totally legit major news outlets, whose admin could likely tell you both its serial number and IMEI if they wanted, along with your home address and birth date. Which is fine since you don't use that phone for anything else.
StabbityDeath
7 years, 2 months ago
Ghostery and Noscript with adblock help a lot.
Blackraven2
7 years, 2 months ago
Good point, I added Ghostery to the list.
Blackraven2
7 years, 2 months ago
After doing some background checks and tests I had to remove Ghostery again.

It seems like it does not reliably work; even on pages with known trackers (and blocking disabled in my other plugins) they are neither blocked nor reported.
(This might be a compatibility issue, I didn't test ONLY ghostery with all other plugins uninstalled which would have been needed to rule that out, and I also didn't make an account on ghostery.com which is required for many advanced features)

Also Ghostery by default sends telemetry data to ghostery.com which is shared with commercial entities according to several news site reports. So overall, in some cases it seems this extension might do more damage than good to your privacy, by actually spying on you.

SilentHunter
7 years, 2 months ago
You might want to check out Qubes OS https://en.m.wikipedia.org/wiki/Qubes_OS

It runs each program in its own little virtual machine, so you can have separate instances of Firefox for different sites for example.
Blackraven2
7 years, 2 months ago
I think that's a very useful tool, especially to run multiple independent instances of browsers concurrently but separate.

I would use it in a high security situation, where privacy becomes a life or death question, but only on top of the tools that are already presented here. Qubes OS for example would not be able to prevent firefox from leaking information from one page to another through links and embeds, cross site scripting attacks, ajax requests, webbugs, ..., ... so you'd still need request policy or similar, and you'd still need a solution for the DNS resolution leakage issue.

SilentHunter
7 years, 1 month ago
Well yeah, it would be in addition to.
Blackraven2
7 years, 1 month ago
I'm definitely going to have a look into it, just out of curiosity.
SilentHunter
7 years, 1 month ago
Let me know what you think!
foxboyprower
7 years, 2 months ago
Huh. I guess this kind of thing doesn't concern me too much. Of all the political causes I think about, my own privacy doesn't even make the list.

I am aware of ad targeting, but I like to facilitate the support of content creators, even if that does mean seeing ads. My web activity is split between browsers and accounts within those browsers. So I mostly get ads for video games or bio-technology equipment. And I'm certainly not going to complain about being targeted by the latter. I think it's pretty cool.

Maybe I just don't care about privacy because I really love science. I love the idea about tons of data being gathered and analyzed. I even run "WhatPulse" on my computers. It's a program that tracks my individual inputs and creates all kinds of statistics about my computer usage. I really enjoy it in a nerdy way.
Blackraven2
7 years, 2 months ago
It might be because of where I live.

In the past, there were two regimes that collected as much data about anyone they could in Germany.
The first used the information to target anyone with the wrong relatives and killed them systematically.
The second (as well as the first) was mostly interested in people's political beliefs. If you had the wrong friends, read the wrong magazine or listened to the wrong music, then you would get in trouble.

Currently we live in a situation of freedom. Whatever one thinks, wherever one was born or believes, it isn't used against him, but historically this isn't the norm, it's an oddity. And the transition from a free and open minded society to a Nazi regime can be pretty quick. Just look at the USA, would you have thought that someone with an Iraqi passport would be detained at the airport and not allowed to meet his family, just a week ago?

The situation in Europe currently is as follows: Almost all big data companies are US companies. Any data they collect they forward to the computing centers in the United States. The US government has full access to this data, either through wire taps, "national security letters" ...  And as a non US-citizen I have absolutely zero rights or protection from this.

When you work for an IT company around here, they tell you: "Be careful what data trace you leave behind on-line, the competition in the US is listening."

When you want to go to a conference, they tell you: "Be careful what you say and do on-line, you need a visa to visit the convention, and the immigration guys ask about your social media accounts"

I have both friends and family in the middle east. Also, we have many Iranians in Germany, most of them became refugees in the 1970s when they fled the Islamic revolution. Any of them is now banned to travel into the US.

How long until it's enough to be friends, related or having talked to one of them to be arrested on the airport?

How long until you need to worry, just because you have been reading these lines here and this very journal written by me?

What's going down in the United States right now bears way too much resemblance to what happened in Germany in 1933. Those idiots also thought: "He's only the chancellor, how much damage can he do?"

The chancellor was Adolf Hitler. And in the Weimar Republic, he had effectively way less power than the POTUS.

But Trump is only one good example to grasp why "big data" is dangerous. The amount of detailed info you can extract from any large data set about any individuals life is frightening, and there are a lot more "wrong hands" this can end up in than just the wrong government.

Think about it. If you can see those nerdy statistics, they are kinda cool. But now imagine you are applying for a job, and the clerk in human resources sees the same and more? Or your mother in law. Or your Ex...
foxboyprower
7 years, 1 month ago
Alright. I think I'd rather focus on politics preemptively in that case. Because there's a slim possibility that I'm going to do all this stuff to protect my privacy. There's no way the average computer user would do this stuff. And those are more likely to be the people at risk for that kind of thing.

Doing all this stuff just protects me. Not other people. I'd rather focus on voter reform laws that facilitate people getting elected that have our best interests in mind. Trump won because our voting system is such a mess. Before that problem is solved, this is a mere bandage on one person among a whole world of bleeding people.
Blackraven2
7 years, 1 month ago
True enough, but before you can go around helping the injured, or even fight the guys responsible for the injury, you better stop your own bleeding, or you might not get very far.

What I'm doing here is not just bandaging myself, I'm telling everyone reading this journal where they can find free bandages and how to wrap them. It's not a lot, I know, but it's a start.

I was politically active when I was younger. But it can get frustrating. You fight so hard, years of campaigning and lobbying to get things moving a tiny bit in the right direction, get a compromise worked out. Then comes a hardliner and with one single decree and zero consultation of anyone affected swipes away everything that was worked for and makes it worse than it was ever before.

At some point you either resign, change field, or start killing people.
foxboyprower
7 years, 1 month ago
Alright. I think I'll be fine though. At worst, I just run into situations like these: https://twitter.com/screencuisine/status/78752445744310...

Currently I'm trying to get people interested in the alternate ballot system. I think it's something that can start being adopted on a small scale before slowly gaining popularity.
Blackraven2
7 years, 1 month ago
Yeah, that can be embarrassing, but with toilets it's yet mostly harmless.

But if you ever buy a Chemistry textbook on Amazon, you better check this "people who bought this, also bought..." list.
If you find random stuff there, like ceramic knives, digital wristwatches, bottles of nail polish remover, cooking oil, and "the Qur'an" you're already in trouble, just for clicking on it. You might not get a visit from the FBI right away (they're just gonna tap your phone, and your friends, and your friends' friends), but the next time you try to board an airplane you might learn they already put you on the "no fly list" - nasty.

What kinda ballot system do you have in mind? In Germany we have one of the more complicated ones for federal elections, the more delicate details are hard to understand even for those involved. But we also don't elect presidents directly at all, the parliament elects the head of state. However, parties usually announce who's their candidate before federal elections, and whoever becomes strongest party (if they are part of the government coalition, there's more than 2 parties) will also have their guy become head of government.

So in a way the head of state is elected by giving votes to his/her party. A charismatic candidate can give a party a huge boost in the federal election. A side effect is, that the head of state is always backed by a majority in the parliament (although not necessarily in both chambers, as the second chamber is made from state representatives. there can still be some deadlocks)
foxboyprower
7 years, 1 month ago
Blackraven2
7 years, 1 month ago
It's clearly superior to the standard "winner takes it all" voting scheme, but I still like proportional voting systems more. But it depends.

For a direct Presidential election, where "there can be only one", I agree, instant runoff and closely comparable systems would certainly be the best possible choice.

For parliamentary elections, a proportional system - or a system that is in total effect proportional like https://en.wikipedia.org/wiki/Electoral_system_of_Germany is IMHO better.

If 20% of the population support the greens, but 45% support conservatives and 35% support liberal, but only candidates who win an electoral district make it to parliament, then either the conservative would win the election (in winner takes it all) or the liberal might under instant runoff voting (assuming the majority of green supporters put liberals as the lesser evil).
However only a proportional system would reflect the true preference of the population. (using these factions only as examples here) In a proportional system, there would be 3 possible government coalitions: conservatives with liberals, conservatives with greens and liberals with greens, all 3 options would have a majority but no party alone has.

Proportional systems make it possible for new political movements to get a foot into politics. Like the greens in Germany, which first popped up in the 1960's, made it in the first state parliaments in the 1970's (surpassing the 5% limit) were part of governments as minor coalition partner in the 90's and now took over a state from the conservatives and actually became largest faction and leader of an important state government (In 2011 then won a second term in 2016)

It's still a long process, but if you look at countries with predominantly winner takes it all systems like the UK. Although for example the neo-national-populist UKIP (the ones mainly responsible for that Brexit crap) steadily gained vote percentages in recent elections and are at over 12% of votes, they currently only have one of the 650 seats in parliament.
(didn't prevent these idiots from dooming that country, but that's another story - in the end its the Brits as a whole who voted - badly)

Germany has their share of loud yelling neo-populist, the AfD (alternative for Germany) - meanwhile it's clear that the "alternative" in their name obviously stands for "alternative news" or "alternative facts" respectively. It's like a whole party on Trump drugs. We have federal elections this year, gonna be fun.

Luckily Trump is setting a nice bad example, with a bit of luck that might prevent the "protest voters" here from giving the idiots too much power.

My guess, they likely won't make it into a government coalition (every other party hates them), but their presence in parliament might scramble majorities around enough that the usual coalitions no longer work. That might actually be a good thing.