Fingerprinting is the newest way of tracking you across websites. It's being done right now by companies like Google. Because unlike cookie based tracking you can't defeat it just by disabling cookies. There is currently NO FOOLPROOF DEFENCE against fingerprinting (except quitting the Internet).
ReCAPTCHA probably contains fingerprinting code: archive.is/9K5gs
This means that the majority of Sup Forums users could be being fingerprinted, and Google might know about your shitposting habits even if cookies are disabled.
Daily reminder to do all your Amazon / eBay / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit. It's currently the ONLY way to truly defend against fingerprint tracking. Double points if you have each browser running in a different VM with a different OS. Triple points if you have each browser's VM configured with a different VPN connection.
I'm sure arguing over which video card manufacturer is worse is more important than talking about tracking that puts the NSA to shame
Isaiah Hughes
Bump cuz interesting
Bentley Butler
They could use the Sup Forums JSON interface, or even just their passive indexing sweeps on slow boards, along with the recaptcha data your browser sends them (IP, timestamp, Sup Forums) to do a timing attack for the thread and post number pretty easily, even on Sup Forums now that it's slowed down. The point is that google is a very smart tech company that makes most of their money by tracking you. Their regular recaptcha does go to great lengths to track you. If you care about being tracked, or online privacy in general, it would be foolish to trust them if they promise simply not to (which they have not), or really at all, and especially not that one of their fallback mechanisms will continue to be mildly more private out of neglect. Something that might be done by Sup Forums devs to really alleviate the problem is take on 2+ more captcha services, and use one of the three at random for every post without a pass (Sup Forums Pass uses recaptcha's rebranding mechanism). Then at least no one company would have a complete record of even the most naive user's posts. Unfortunately, recaptcha is currently the most effective in the world, and Sup Forums has a high need for effective spam prevention. The market has failed us in many ways as of late.
Jose Campbell
There's a related thread here. Kind of a different way to frame the thread, a horrific scenario that would actually affect your average Sup Forums dirtbag.
Brandon Russell
Neat. So using the NoJS CAPTCHA really does help
Daniel Campbell
Because they won
Average pat doesn't care enough to install fingerprint blocker extension
A developer wanting to make such an extension faces the impossible task of not breaking websites outright, and the escalation as found in the adblock-blocking scripts and scripts to block the adblock-blocking scripts
For now, from what I can see google seems to rely heavily on the webGL/canvas fingerprinting falling back to ip and user agent.
Just a hunch based on the ads I see, using both firefox and chromium interchangeably
fingerprint blocking extension? you mean adding another extension to fingerprint you off of?
k...
Hunter Myers
>android connection type: returns N/A, UNKNOWN, ETHERNET, WIFI, CELL_2G, CELL_3G, CELL_4G or NONE.
Not sure if useful. My phone switches between wifi and 4G depending on where I am
Elijah Watson
>Oh, they're just remembering what YouTube videos I watched, nothing creepy about that, I already knew they were doing it
this unironically
Eli Bennett
yep, not using that in the global fingerprint function, but i can call that and shit that back separately from your browser hash. makes correlation attacks easier...
for instance, if you use your cell on ip x, and its wifi, i can see other machines with different ip's also on wifi and based on content i can assume you are the same person...
fingerprints are scary. its worse when there's a "profile" assigned to you with multiple fingerprints underneath it. like some content on one device? now i can show it to you anywhere
Cameron Diaz
It's a limited hangout. They're showing you that they're monitoring what videos you watch because that's already common knowledge and not shocking. The fact is they're tracking you across 80% of the Alexa top 1,000,000 sites. They know your browsing history
Luis Murphy
I guess he means a fingerprint spoofing extension. An extension that will present a new fingerprint to each site / browsing tab you have open
Joshua Harris
businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2
>After taking a close look at the embedded code for the No CAPTCHA product, he found that the system used a re-purposed version of Google’s Botguard technology, which was originally intended for anti-spam and bot detection within Gmail.
>It then takes a pixel-by-pixel fingerprint of the user’s browser window at that time, pulling information such as:
>>Screen size and resolution, date, language, browser plug-ins, and all Javascript objects
>>IP address
>>CSS information from the page you are on
>>A count of mouse and touch events
>In terms of the way that the No CAPTCHA detector works, I think the reason it collects so much information is likely because the detection algorithm is machine-learning based rather than written by hand. Such systems are generally designed by collecting all information which might be of use then letting the machine learning system come up with an optimal decision.
wired.com/2014/12/google-one-click-recaptcha/
>And Shet says even the tiny movements a user’s mouse makes as it hovers and approaches a checkbox can help reveal an automated bot.
They don't even have to be clever. Their system will adapt like a damned terminator. It's live AI with a JS component running in your browser, and has been for years.
Elijah Hernandez
yeah, and how do you do that? browser fingerprinting isnt something baked into the browser... you calculate it.
how do you calculate it? well... one thing is you get what plugins they have installed... if i know you are running a fingerprint hiding plugin, i can just identify you off that.
Levi Collins
Google can identify which posts on Sup Forums belong to you, and they know your real name and everywhere you've lived for the past 4 years or so at least.
Leo Campbell
You disable all plugins, rig every single JS object or function that reports a basic type to lie intelligently or be absent (especially the animation stuff and WebRTC), make CSS support fail in unpredictable ways, carefully alter your HTTP implementation to give garbage replies (spoofing hides nothing) in every case that doesn't totally break things and to not do blatantly destructive things like use e-tags, and implement a more intelligent caching mechanism that supports user supplied replacement files for scripts and stuff, so that people can continually write and distribute stuff that unbreaks sites that break when tracking fails. A lot of work.
Ethan Garcia
1) im working on making a fork of chromium that cant be fingerprinted. 2) what you said would break everything. its a terrible idea
Cooper Hughes
Really scary stuff
Nicholas Roberts
It's the only effective way given the current environment. It would break things less than simply disabling JS and CSS completely. Also, Microsoft already has a working implementation of it called PriVaricator, so it totally can work.
>chromium
Why even bother?
Caleb Scott
What's it called?
Bentley Howard
What I have in mind is that it would in some cases, such as UA, provide a different value per site. And for other things, such as canvases it would salt outputs so they're slightly but not greatly different.
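The per-site perturbation described in the post above, sketched as an added example that is not part of the thread or any poster's code. All function names, the session key and the `a.example` / `b.example` sites are hypothetical, and FNV-1a with mulberry32 stands in for a keyed hash to keep the sketch dependency-free:

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
// FNV-1a and mulberry32 keep this dependency-free; a real build would derive
// the seed with a keyed hash (e.g. HMAC-SHA-256) over the site name.

function fnv1a(data) {                       // data: ASCII string or byte array
  let h = 0x811c9dc5;
  for (let i = 0; i < data.length; i++) {
    const b = typeof data === "string" ? data.charCodeAt(i) & 0xff : data[i];
    h = Math.imul(h ^ b, 0x01000193) >>> 0;
  }
  return h;
}

function mulberry32(seed) {                  // small deterministic PRNG
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// pixels: RGBA bytes as returned by getImageData().data
function perturbPixels(pixels, sessionKey, site) {
  const rand = mulberry32(fnv1a(sessionKey + "|" + site));
  const out = new Uint8ClampedArray(pixels);
  for (let i = 0; i < out.length; i += 4) {
    if (out[i + 3] === 0) continue;          // skip fully transparent pixels
    for (let c = 0; c < 3; c++) {
      if (rand() < 0.25) out[i + c] ^= 1;    // flip only the lowest bit
    }
  }
  return out;
}

// Constructed sample: a 16x16 opaque gradient standing in for a rendered canvas.
function sampleCanvas() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i += 4) {
    px[i] = i & 0xff; px[i + 1] = (i >> 2) & 0xff; px[i + 2] = 128; px[i + 3] = 255;
  }
  return px;
}

// What a tracker would store: a hash of the pixel bytes it read back.
const canvasHash = (pixels) => fnv1a(pixels).toString(16);
```

Within one session a site keeps reading the same perturbed canvas, so repeated reads cannot be averaged to recover the original, while two different sites compute hashes that do not match.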
Wyatt Fisher
i dont think you know what salting is...
David Allen
>per site
Meta-refresh to a new domain, detect new fingerprint from the same IP, refuse to function with a "turn off your Ad-Blocker or other extensions" message. Also, how do you handle iframes?
Connor Hernandez
There are extensions to guard against canvas fingerprinting already. If you're gonna do work, why not implement or refit a JS profiler that detects what information a script tries to gain from your system, and spots dangerous trends for potential rule based blocking or even limited value spoofing via code injection. Logs from such a mechanism could even be collected somewhere and used to train a learning AI to do it faster and more flexibly at some point.
Carson Martin
no
Adam Perez
...
Nolan Barnes
A timing attack would likely be extremely difficult as they don't even know what board you're on to narrow down the possible posts. The only way they could realistically be tracking you with the noscript captcha is if Hiroyuki was in on it and actively taking measures to do so server side such as sending your post with the captcha validation.
One problem with all that, with your IP address they can get your city and ISP. If you go all out and start messing up everything like CSS there's a possibility you might be the only person in your area doing that. Make sure to continue just plain blocking javascript in general though.
Carson Cruz
Not sure exactly what you mean but I'm pretty sure there are a lot of guys who look for tracking on the internet and they've got tools already. Case in point, this paper
yro.slashdot.org/story/16/05/19/232216/google-is-a-serial-tracker
They must have some kind of browser extension or something to detect stuff like canvas fingerprinting on all those sites
Nolan King
>there's a possibility you might be the only person in your area doing that
Not if you do it from a phone. Also, what's the geographic spread on TOR these days?
It's more advanced than Privacy Badger? But it appears to be older, which is weird.
Leo Roberts
They claim it analyses JS, HTTP and CSS behavior. That's more than PB does.
Jonathan Jenkins
Does the text based captcha have as many fingerprinting capabilities?
Landon Perry
>ReCAPTCHA
Camden Allen
Sup Forums Pass still sends a validation request to google's servers because it uses recaptcha's rebranding mechanism. Check it on the network tab of your devtools menu.
William Walker
oh fuck, nobody's safe then
Brandon Bailey
It's still javascript based, so probably. Go with the noscript captcha.
Dominic Hill
One user confirmed that there's nothing in the referrer header for the NoJS CAPTCHA but Sup Forums.org, they don't know what board or post you're making. And since it's JSless it means they can only detect HTTP headers, fonts, and screen size.
Bentley Taylor
>tfw shitpost, watch porn and buy shit on the same browser
IT'S NOT TOO LATE IS IT?
Samuel Gomez
It's fine. It's just Google and everybody they sell your data to knows you're into traps. Might even help you in a job interview; everybody wants to hire LGBT people these days
Adam Cruz
>Google can identify which posts on Sup Forums belong to you, and they know your real name and everywhere you've lived for the past 4 years or so at least.
Is this legit?
David Gutierrez
>>Google can identify which posts on Sup Forums belong to you
Not if you use a script like Sup Forums X and use the noscript captcha.
> and they know your real name and everywhere you've lived for the past 4 years or so at least.
If you have an Android phone not running a custom ROM without Gapps, yes.
Angel Hernandez
Is this also valid for "legacy" mode?
Anyway, I tend to use a bunch of different browsers, some that don't have JS at all. This one's basically just for shitposting on some chans.
Ethan Garcia
See
Joseph Parker
Read the fucking thread.
Michael Taylor
sorry, I'll do that.
Alexander Miller
56 installed fonts have been found on your computer.
Nice. I like getting fonts on linux. I never fuck with them on windows though
Austin Bell
If you use firefox, set browser.display.use_document_fonts to 0.
Leo Diaz
Can someone using Windows put values for >Screen Size and Colour Depth [DEPRECATED] and >Screen Size (CSS) [DEPRECATED] so I know what size to use for my panel on Linux in order not to stand out?
Ian Nelson
>Sup Forums X
i dont get this Sup Forums X meme.
what does 4chanX have that vanilla Sup Forums doesn't have?
i have a Sup Forums pass, so i dont fill out captchas.
Tyler Miller
It allows you to access the noscript captcha while still being able to use the quick reply window and catalog. Normally the only way to access the noscript captcha is to block all scripts from Google and Sup Forums.
Joshua Miller
>noscript captcha
>superior filtering
>random file name upload
>combined with oneechan for cool Sup Forums ricing.
Those are 4 off the top of my head.
Brayden Wright
is the chrome 4chanX extension any good? i see that it has bad reviews
Thomas Morris
>random file name upload
And this is good why...?
James Williams
Never tried it. I just install grease monkey for firefox and get Sup Forums-x and oneechan from github.
Christopher Clark
It randomizes the file name with a timestamp from last year. Good for privacy so you won't end up using the same file over and over creating a pattern.
Christopher White
What if I look at all my porn through tor browser bundle, but have to solve a captcha to access the porn sites?
Does google know?
Jaxon Morales
Yeah but sometimes the filename is part of the joke
Hunter Cox
I can always disable and then re-enable it. I get my images from the archives and usually leave the file name alone so its fine.
Jaxon Lewis
Are you solving the captcha before enabling javascript? If so then most likely not as Tor is somewhat hardened against fingerprinting, for example it blocks CSS font detection by default and opens the browser at a common size.
It comes turned off by default.
Wyatt Foster
No, I just enabled java script.
I'm screwed aren't I. Google knows all about how I'm a straight male who enjoys scenes of mutual romantic love and hand holding.
Hunter Morales
That's disgusting dude, this is a SFW board.
Dominic Carter
>If so then most likely not as Tor is somewhat hardened against fingerprinting
Mozilla is copying over some things from Tor to regular Firefox.
wiki.mozilla.org/Security/Tor_Uplift/Tracking
Dominic Bennett
You forget the best part: you can solve the captcha using numpad.
Christian Martin
>NO FOOLPROOF DEFENCE
Use a freshly installed browser with no addons, or a private window with addons disabled.
Duh.
Jack Perez
...
Zachary Price
>There is currently NO FOOLPROOF DEFENCE against fingerprinting (except quitting the Internet).
Wouldn't booting a standardized live CD with Tor as the browser completely eliminate almost every way they could fingerprint you though minus detecting your screen size (which Tor makes an effort to standardize) or trying to run benchmarks on your hardware (would only work with JS enabled).
Leo Price
can you just use wget or something like that
Ian Gomez
Sure, so long as using wget for browsing is common for people who use your ISP in your city. Otherwise you'll stick out.