fingerprintjs2 helps to spy of users #430
Comments
@proninyaroslav this has nothing to do with the library. This information is leaked by browsers, and if sensitive information is leaked, it will surely be misused sooner or later by the "Bad Guys". Using your logic, we should ban nmap, cause hackers can scan networks with it, netcat, the whole bunch of software in Kali and Tails Linux and the like. People can use tools for bad and for good, but when you use a hammer to kill a person it does not mean a hammer is immoral, it means you are. P.S. I'm in no way related to this project, just wanted to voice my opinion. |
Sorry, but I don't see how this library can be used for purposes other than spying on users. At least, this is the main purpose (and goal) of this project. |
This library can be used to detect how much sensitive info your browser with your current settings is leaking, to actually warn users, not to spy on them. In fact, https://panopticlick.eff.org/ and similar projects do just that. |
@Yodzorah I'm saying that this is a tool for gathering leaked info, you can use it the way you like, you can misuse it, right, but you can't really say that this is a tool for "misusing" information. Jeez, man, get a grip -- any public information source can be misused, a public phone directory can be used to find an address of a person and do something bad. |
@Yodzorah, so, I'd focus on fixing vulnerabilities in browsers instead of fighting the library that gathers the info browsers leak. You think if you somehow "ban" this library there won't be any other tools like that? At least this one is public, which really helps raise the awareness of different surveillance techniques. |
@Yodzorah according to the official website, fingerprintjs is the most advanced open-source fraud prevention JS library. :-) |
@Yodzorah The world does not need the web the way it is nowadays, if you ask me. But I'm not the one who can speak for the whole world, neither are you, I believe. I'm saying that you can't ban something just because you think the world does not need it. Banning/censoring something in order to fight for our privacy is a very weird way, again, if you ask me. I don't have much else to say on this matter, and I think I got your opinion. Respectfully, I disagree with it. |
@Yodzorah Define 'pure' in your concept of the web. |
@Yodzorah ok, you made your concerns more clear. Well, I guess I can say that I support this library -- because it is open source, hence it will be much easier to develop a plugin to block this library, cause you know exactly how it gets all the info. Were it a proprietary closed-source tool, we would have a much harder time trying to block it. And another thought about "evil by design" tools -- I also support guns, cause they can help me to protect myself, although you can say that the primary reason they are made is to kill people. So, that's the answer to your question "what's going through the minds of people supporting it". As for making the web more pure -- well, this train has long been gone, Elvis has left the building, and RMS was right. Come on, the web is full of proprietary JavaScript that every second site is running without your consent, we now have DRM as a web standard, for crying out loud, we have adblockers built into browsers and blocking other independent adblockers, we have overbloated web pages weighing more than a hundred megabytes just to convey a simple text message worth 1 kilobyte of plain text at max, and what not. What purity exactly are you talking about? |
Wasn’t the library created so that the site owner could identify their visitors? Yes, you will argue that it's created for the safety of people, security guys are fighting hackers and criminals. But at the same time allowing corporations in white hats to fully own you, using the tools of security guys. Does this mean that the real criminals are hiding behind a white hat? Maybe it's time for security guys to change their profession and stop creating your crappy brainchild (hello, reCAPTCHA)? |
@Yodzorah I think you keep missing my point. If you care about a technical user, then, first of all, a technical user knows how to protect their data. Secondly, for a technical user, as I've mentioned a couple of times already, this tool is a tremendous help, not a threat, this ought to be pretty much obvious. |
@Yodzorah
It's said on the website, actually, how you can use it for good. What fingerprinting does is allow you, with a high degree of certainty, to determine whether a user is unique, using tons of factors. If you are an online banking solution or something like that -- you can use that info to warn your users when you see that in their current session their web fingerprint differs significantly from the previously recorded ones. And I can come up with a couple more "normal" use cases. But I'm getting tired of being an advocate of a project I don't really care about, so I leave it to the actual authors if they care to participate. |
My main use case: fingerprint browsers driven by robots (with more JS routines than this lib already embeds). Robots are used for web scraping, to steal data (UIPath can be used to drive browsers, do OCR, add random delays between keystrokes ...). Look at PSD2. I don't care about browsers with a human behind them. But this lib helps a lot to fingerprint the same browser massively deployed in the cloud, changing its IP every day. Nothing to do with spying on users or whatever in this use case. I want to spy on bad bots. |
F5, RSCS WAF, Datadome, Distil Networks, all these security products/companies have had some kind of client fingerprinting for many years. Wake up! If you don't want to be fingerprinted, stop walking in cities having cameras everywhere, stop using the internet and go to sleep :D How do you think Google reCAPTCHA v3 works? |
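The "warn the user when the session fingerprint drifts" idea from the comment above, written out as an added example for this thread (it is not fingerprintjs2 code and does not use the library's API): a stored set of fingerprint components is compared with the current session's, each differing component adds an assumed weight, and the account holder is warned when the normalised drift crosses an assumed threshold. Component names, weights, threshold and sample values are all constructed for illustration.

```javascript
// Added example, not part of fingerprintjs2. Component names and weights
// are assumptions: stable, hardware-bound signals (canvas, WebGL, platform)
// weigh more than signals that change routinely (the user agent string
// changes on every browser update, so it barely counts).
const COMPONENT_WEIGHTS = {
  userAgent: 1,
  language: 2,
  colorDepth: 2,
  screenResolution: 2,
  timezone: 3,
  platform: 4,
  canvas: 5,
  webgl: 5,
  fonts: 3,
};

// Names of components whose values differ between the two fingerprints,
// sorted so the result is deterministic. Components present in only one
// side count as changed.
function diffComponents(previous, current) {
  const names = new Set([...Object.keys(previous), ...Object.keys(current)]);
  const changed = [];
  for (const name of names) {
    if (previous[name] !== current[name]) changed.push(name);
  }
  return changed.sort();
}

// Weighted drift score in [0, 1]: 0 means every weighted component matches,
// 1 means every weighted component changed. Components without a weight
// (unknown to the table) are reported by diffComponents but do not score.
function driftScore(previous, current) {
  const changed = new Set(diffComponents(previous, current));
  let total = 0;
  let changedWeight = 0;
  for (const [name, weight] of Object.entries(COMPONENT_WEIGHTS)) {
    total += weight;
    if (changed.has(name)) changedWeight += weight;
  }
  return total === 0 ? 0 : changedWeight / total;
}

// Decide whether the session looks like a different device. The 0.35
// threshold is an assumption; a real deployment would tune it against
// observed false-positive rates.
function assessSession(previous, current, threshold = 0.35) {
  const score = driftScore(previous, current);
  return { score, warn: score >= threshold, changed: diffComponents(previous, current) };
}

// Constructed sample data: a fingerprint recorded at a previous login and
// two new sessions. The hashes are placeholders, not real canvas output.
const stored = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0',
  language: 'en-US',
  colorDepth: 24,
  screenResolution: '1920x1080',
  timezone: -60,
  platform: 'Linux x86_64',
  canvas: 'canvas-hash-A',
  webgl: 'webgl-hash-A',
  fonts: 'fonts-hash-A',
};

// Same machine after a routine browser update: only the UA string moved.
const sameDeviceAfterUpdate = {
  ...stored,
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/71.0',
};

// A different machine in another timezone presenting the same cookies.
const differentDevice = {
  ...stored,
  platform: 'Win32',
  canvas: 'canvas-hash-B',
  webgl: 'webgl-hash-B',
  timezone: 300,
  screenResolution: '1366x768',
};

console.log(assessSession(stored, sameDeviceAfterUpdate)); // warn: false
console.log(assessSession(stored, differentDevice));       // warn: true
```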
The market is already doomed for much more serious reasons than the existence of fingerprintjs2. This discussion is sterile. |
What about identifying non-registered users? In online shops, ad networks, for example? Normal users (non-paranoid ones) just want comfort and functionality; they don't care much about privacy, snooping and all that stuff. That's why technological giants like Google and Facebook actually thrive, not because they are zombifying, misleading or something. A typical user is barely computer-literate, especially those among the late newcomers (2nd billion, 3rd billion, and so on). Even the concept of account registration is way hard, and potentially dangerous, especially if you use your spouse's birthday as a password on every site ;-) But even if users are lazy and incompetent, you still should provide them with as comfortable a service as possible: watch history, personal suggestions, and so on. That's how capitalism works. Giants are less affected by this problem. They already have their probes on many 3rd-party sites, like social buttons, analytics, ads and so on. They provide OAuth, so a user can intentionally make themselves identified in a single tap. But what if you're not a giant, but still want to identify your users, and many of them are lazy or afraid even to tap an OAuth button? It becomes much harder with the years. Even though IPv6 is coming, there are still a lot of providers hiding their users behind NAT, so you can't tell by IP. In the plugins era, you could put Flash cookies and identify the system regardless of the browser used, and even if usual cookies had expired, but now this era is nearing its end. User Agents have become too common too: you can't reliably distinguish your user among millions of Chrome on Windows 10, Chrome on Galaxy, or Safari on iPhone users. Now there's also a surprise from EU lawyers that require you to annoy users with stupid banners if you want to store something in their browser, otherwise they will bankrupt you (millions of euros are a needle in a haystack for a giant, but an iceberg for a small business).
Fingerprinting is a must-have in such a situation. You just take one library that does its best to tell you everything it can about the user's browser, and get a reliable identifier, so your user can always feel at home even if they do nothing for it. Stop defending those who didn't ask you for it. Those who don't care. Those who care already have a lot of addons for defending their privacy. |
probably just good demo that it is possible... |
A fingerprint is easy to spoil intentionally.
Or because they restored the system from backup and new cookies are lost. Or because they cleared cookies according to some "computer speed-up" guide; Firefox suggests creating a whole new profile when it becomes too slow. Or just changed the browser. You remind me of my granny's village, where they had a tradition: putting a broom at the door to indicate that nobody is at home. All the village knew it, you now know it, but how does it correlate with actually not being at home? Intuitively you may deduce: if the broom stands at the door, then someone put it there from outside, and has not come in yet. But really it does not mean anything. They can still be in the yard. Someone can still be at home. Maybe it's just convenient for the house owners to keep the broom at the door. Clearing the cookies is a sign of not wanting to be identified only for those who do it for that reason. Not as a rule of thumb, common for everyone. There is another sign that indicates exactly this wish: the DNT flag.
But such initiatives work quite the opposite way: monopolists almost don't care, while small players become afraid. The more such laws appear, the more people would prefer to create a Facebook page instead of their own site, because owning a site becomes more and more dangerous. And difficult: take into account HTTPS-enforcement stuff, even for read-only sites, SPF/DKIM/DMARC, false abusing, SEO...
If done technically right, this thing should be a browser-level permission to save cookies. Just like a permission is now asked to use geolocation, camera, notifications and so on. But this was done by law, and now we have a lot of similar popups, just like those ubiquitous "Up" buttons that should be browser functionality too.
No extensions — no freedom. What is the point of talking about the freedom to be not tracked then? :D Ask your browser vendor to add a fingerprint resisting functionality then. It should be a part of any good Incognito mode.
That's egghead stuff. Why should they care? When a user has a goal, every excessive detail becomes an obstacle on the way to achieving it. That's why users tend to close annoying popups with errors and license agreements without reading, and even buy telescreens because they make life comfortable. You still could pretend that users are just not well informed when they bought pocket telescreens, which are not intended to transmit anything when not calling or recording. But now voice assistants initiated by a voice command have appeared, and smart speakers, the whole point of which is listening to everything that is going on at home! And these things are quite popular! You miss an important thing, the thing that society is built upon: trust. When users delegate something to big, legally working companies, they expect fair play from them. Because, without fair play, they're expected to be punished: by the law or by the market. |
Which is widely used for fingerprinting! It means that if you don't want to be tracked, you probably shouldn't enable this flag. :-)
If users trust you, and you spy on them, aren't you a bad guy in this case? |
If you're afraid of bad guys using your power against you, you should better not mess with them, right? The same applies to ads, by the way. If you're frustrated by ads, you are free to not visit sites showing it. |
This should be (properly) used in fingerprintjs2 (e.g. if a user has DNT flag enabled, the library should refuse to provide any fingerprinting data or so). |
That's not so simple either. Some browsers (IE, for example) set DNT by default, thus it's not completely representative. |
It's completely pointless to post opinions here about how this project is bad. As end users all we can do is fight off stuff like that on our end. I dunno about Chrome, but Firefox users can use a bunch of addons specially made for that threat, for example: |
This sounds like "We like to treat our users as mindless idiots, so please, don't spoil the fun".
Like it ever was intended to be used this way. To be frank, UAs have been useless for years; they help you neither to identify nor to tell anything about browser capabilities. |
Not being a specialist in computers does not make a person a mindless idiot. |
But being one of the "2nd billion, 3rd billion, and so on" sure does, right? It's funny how you suggest that the majority of users will neither notice nor care about being fingerprinted by literally everyone around, so it's fine to do that, but still respect them. |
IMHO you have to be pretty much crazy or just extremely naive to put something publicly on Web and then hope it to not be "webscraped and stolen" by bots. |
The less experience users have, the less is the probability that they're computer literate.
Not everyone, but only those who they get in contact with. That's why many users are afraid of visiting the Internet beyond social media: it's a relatively wild, barely controlled area with malware and scammers.
Then some other identification technique will appear. Authwall, for example. It's an eternal cat'n'mouse game. Moreover, fingerprinting is not easy to block without harming functionality. For example, if you spoil the viewport width, the site may overflow. If you spoil WebGL parameters, the graphics may render badly or break entirely. |
@Vednier these addons you suggest are mainly focused on canvas fingerprinting, while this library uses many different techniques, that's why it's so "good". |
Damn, let them keep building it; you just attach instructions on what this crap is and how to rip it out. P.S. I couldn't care less about your etiquette of jabbering in English :D |
It is not the library's fault for the tracking issue; it's just an inevitable tool which exists either way. This can be helpful if hacker bots or scripts are using the same cookies but different IPs to try and break or scrape your system; this may help in preventing or tracking those bots to prevent attacks by adding an extra layer of authentication in some way. I'm sure there are different use cases combined with the server-side headers. I think the best solution is to have a separate iPhone with default setup for your pornhub so Google doesn't know. Also Apple has a very elegant solution to this called DeviceCheck where unique IDs are not only unique to each device but also unique to each app, which basically eliminates logging in while maintaining anonymity (relative to the app). |
Like many tools, fingerprintjs can be used for good or evil to put it bluntly. All fpjs does is make it easier to view information about a browser, nothing more and nothing less.
Stop dog whistling. What do you even hope to gain from this? Attention? Halting development? Sperging out by opening a political issue on a bug reporting forum only hurts your cause. Like @epicfilemcnulty said, this library only collects information already exposed by browsers; you're complaining about a Safari problem to some random website.
Your User Agent's metadata is not personal information; false equivalence. This isn't a functional issue related to how the library performs or a bug report, this is an ideological issue. |
Power comes with responsibility. If you choose to use this tool to protect your users' accounts, that's fine; other than that, I cannot think of any other scenario where you will get that much uniqueness (entropy bits) with this tool. |
Good argument, I'm sure you'll turn heads. Per the site
Wow, I bet you must absolutely hate Google since they do the exact same thing internally. God forbid a company offer a useful service. |
Closing, since not related to technical issues. |
The arguments based around the idea of this library being open source ring somewhat false, now that there's a proprietary "pro" version that advertises being "more accurate". Having this out in the open is better than it being hidden away, but you can't simultaneously claim
and then also offer a proprietary version. |
@makeworld-the-better-one proprietary version is OSS front-end + the backend. Backend only processes what the front-end provides. Higher accuracy is achieved by the server-side data analysis, not by having a more accurate browser fingerprinting in the browser. |
Wise approach, taking into account that JS is open-source by its definition. What is not very wise is contributing to making the world a worse place, i.e. by commercialising surveillance. |
How? Open-source is about the license, not about the ability to dig into sources. You may dig into any binary build with disassembling tools, even patch it! — and those binaries may be obfuscated, as well as JS code may. Even if sources of something proprietary leak, they are still considered warez, and those unlucky souls who are brave enough to assign an open-source license to those sources on their whim, or to reuse those sources in other projects, are going to run into legal problems. And besides that, JS is widely used for server-side code too :P |
No, open-source is about ability. It is Free Software that is about the license. There is plenty of Open-Source software on GH which is not free software - the ones holding copyrights have published the code to be looked at by any visitor of GH, but don't allow anyone to use it and/or derive their own software from it, and/or allow use and derivation, but only for noncommercial projects, and/or allow anyone except certain persons and orgs to use and derive, or just uploaded it without specifying a license (though GH ToS say that everyone who uploads source to GH in public repos automatically grants its users a license to view the code, to clone the repo and to fork the repo using
The only working method of JS obfuscation I have ever encountered in the wild was creating a virtual machine on top of JS and compiling the code into the language of this virtual machine.
|
Publishing leaked code does not give a legal opportunity to read it, surprise? All code is proprietary by default, unless otherwise explicitly specified.
That's a kind of explicit license too. It just doesn't give a right to reuse the code, like other open-source licenses do.
Yeah, yeah, until another DMCA takedown. You miss an important part:
Just uploading arbitrary code to GitHub does not magically clean it of proprietary restrictions; this can only be done by the code authors. And aren't we talking about any JS included in web pages and downloaded by web browsers, rather than only that uploaded to GitHub?
So what? Aren't you trying to assure that JS obfuscation is nearly impossible? |
Yes, but the source is technically open, even though only some persons have license to read it legally.
Yes. These are open-source licenses that are not free software.
Yeah, and any project can get a takedown. Just if
any takedown against such projects with probability very close to 1 will never be repelled, it is cheaper to throw away the project than to sue a big corp. So most of the projects on GH can be taken down by DMCA. It is just that no one really needs to troll random projects. But if a project is controversial and someone would profit from the nonexistence of such a project, the risk is sufficiently higher.
No, I don't.
Certainly. But it is the uploader who gets liable for the violation, not the lookers and cloners. Kind of bona fide purchase.
They were just examples of Open Source that is not Free Software.
Most of VM-less obfuscation is removed by just replacing |
How do you imagine it? If code is leaked, no one except those who had a right to read it before the leak gets it, even the platform where it was published. Don't you try to mark as open any code that its author has granted a permission to view to some closed circle of persons?
As well as there is free software which is not open-source, because not anyone can join the development and send their patches (which is pretty much the case you described above, trying to name it open-source). So what? Both free software and open-source are about legality; they don't include warez.
Only those who violate something. Even if those are stupid cases like reproducing a sample of white noise, they still all lie in the legal plane.
That's because it's currently too hard to prove that someone has read the code. Though ReactOS developers are so paranoid about that that they don't admit to development those who have even possibly read the leaked sources of Windows.
Really? I still remember pretty well what happened not only to clones, but also to re-uploads of WhatsApp primary client implementations, Opera 12.15, and youtube-dl. At least, until the copyrasts settled down.
They're neither if not specified explicitly. Haven't you really seen similar items in ToS of lots of websites?
This applies pretty well even to the front-end code. Even if it is in no way obfuscated.
This is enough to name something obfuscation. Even simple minification can be considered obfuscation. What are you trying to assure, again? To distinguish different sorts of obfuscation and free the easiest ones from being an obfuscation? |
Everyone the holder allows to read gets a license to read it. Not very different from "we give a license to read and use the code to everyone except " non-free license.
Sounds very naïve. Everyone is "violating" as much as they cannot defend. ("You are guilty only in that I want to eat" in Krylov's "translation").
So do I, but in these cases it took an active action of the copyrusts. They basically came and claimed that they would sue GH unless it blocked the repos. They can do it about any repo, and GH is liable to block any content hosted by it after being required to via a DMCA takedown process and unblock after a DMCA counter-notice, regardless of what really happens and of what GH really considers to be happening, or it can be sued itself. Cloning such repos is legal in the sense that it is likely that if the cloners are sued for damages and if they take a top lawyer with no worse ties to the judges than corporate lawyers have, then they will likely win and the expenses would be placed on the corporation that sued them.
The law of multiple jurisdictions explicitly allows reverse engineering in some circumstances.
Of course enough. But code obfuscated by variable renaming is still source code, whereas code obfuscated by compilation into a VM and then shipping the VM is not source; it is more like a prebuilt binary. |
But that's what makes the actual difference. Otherwise, there is almost no closed-source software in the world, except that created strictly by one author.
They can. One lamb can make too much of a noise nowadays. Even if that won't lead to success, it's still a precedent that remains in the history and that antitrusts fight for (some even make successful business on antitrust).
Because there has to be a reason for suing, at least formal or fabricated one. There are much easier crimes to fabricate if needed, why mess with barely provable things?
Now what? The same happens with any illegal content. First you download, then you receive a legal notice. Feel free to prove that CP in your browser cache was invisibly sideloaded by some visited website :P
Why don't they do then? You're going way too theoretical.
As well as the law of some jurisdictions makes it impossible to put software into the public domain just on the author's whim.
What is the source code then? This is going too much into the philosophy. If that's something that can be technically inspected and modified, then we don't need a concept of some text-n-resource intermediates at all. Binary patches for Windows and for proprietary software made for Windows, for Nucleus-based Siemens phones, or for OSE-based Sony Ericsson phones, exist pretty well. Illegally, of course, but don't you care? ;) |
The actual difference is that closed-source software source code is available to a very limited set of persons and open-source software source code is available to almost everyone.
Noise doesn't matter. Also for very noisy animals there exist gags ;)
Just theatre.
The reason for suing is simple: expectation of gain ≥ expectation of cost.
Yes. But for the case of clones of a repo published without the copyrust's permission, only takedown notices against them make sense with high probability; suing usually won't.
I don't have CP anywhere.
game-theoretical
Germany, and unfortunately, Russia (1282 of the Civil Code seems to disallow any way to go to PD other than expiration), at least.
According to the definition in GPL source code is the preferred form for modification. Let's call it
And various chip firmwares too! |
You're inventing your own definition of open-source. Don't do that.
Gags cause the Streisand effect. Ignorance is much more effective. But even it can't save any situation.
I meant a transgression to be sued for.
Yeah, but you never know if you won't become a scapegoat.
Are you sure about that? ;) It can even be steganographically embedded into other images; there are whole imageboards working this way over other imageboards.
Isn't that a preference of the modifying person? There surely are perverts who prefer to dig into binaries over all :P
How enough? If the comments are lost, it's already a lot. |
You're inventing your own definition of open-source. Don't do that.
It turns out that yes, there exists an official one, that is recognized by both FSF and OSI. But it doesn't mean that their definitions are the only correct ones. There are some licenses applied to source code published on the Net that call themselves open, but are essentially proprietary.
Gags cause the Streisand effect. Ignorance is much more effective. But even it can't save any situation.
Gags are very effective; GitHub and other corporations obey gag orders well, as do other entities that are threatened with persecution if they disclose info they were forbidden to disclose.
Isn't that a preference of the modifying person?
Yes and no. For purposes of GPL enforcement - yes. For purposes of reverse engineering - the parsed AST is almost as good as the original one.
How enough? If the comments are lost, it's already a lot.
Comments are unneeded, good programmers write self-documenting code, and this self-documentation in large part (names of variables used as funcs' args and classes' members) is preserved by compilers of high level bytecode-based languages.
|
This is still way too subjective. Dual-licensed software (GPL+proprietary) is often considered not truly open too, for example, though it's not actually true if third-party patches are accepted well.
If talking about licenses, that's enough. If about ideology, that's not valuable anyhow. I've seen a forum that claims itself a social network, now what? :P
A noisy individual still may spread the word via those who are not. And if they finally succeed, the collaborators of the wolf will experience reputational costs in a long-term perspective. Still they are tiny for just a single lamb, they get accumulated, and may eventually explode.
Not all implementation details (especially the causes) can be put into token names :P Still, the documentation and the VCS history are better places for broad explanations; they can't be retrieved from binaries either. |
Since this seems to have become a discussion board for opinions nobody asked for, I might as well give mine. And what better way to do it than to explain my philosophy and beliefs in a way that makes me look like the "bad guy". I myself do not use this library only because I myself am not satisfied with the accuracy and level of "tracking" it provides. That's right, I want to track my users more. I have 0 regard for user privacy. If you have something to hide, do not place it within arm's reach to begin with. By opening a website and having JavaScript enabled you consent to me executing and doing absolutely whatever I damn please. This library is not the sole reason the web is a dangerous tracking-infested shithole. Big corpo has been successfully doing that for ages. By removing this library or having it never be written/open sourced to begin with, it will accomplish 0. The author didn't invent the exploits used here. They merely made them easy to access in one spot. Don't be mad at them. Be mad at your browser vendor. Write your own browser and don't use Chrome. This library is loaded within client-side JavaScript. To do that your browser sent an HTTP request to the webserver to load the document. You do that for every website. There's a reason it's called a "request". You are requesting of a free service to willingly provide a document with code and markup for your browser to render. You asked for this. If you are afraid it is executing "bad JavaScript", maybe don't visit the website to begin with and put your tinfoil hat back on. If you are unaware whether a site you want to visit is going to execute "bad JS" and "track you", there's a way to do it. Just load the website in a VPN incognito tab with JavaScript disabled, open dev tools, and read all script tags in the document, then download those JS scripts manually and pick them apart and determine if you do not like the JS it's executing. Will this take days? On most sites, probably. Is this an absolute waste of your time?
Without a doubt. Do large codebases and obfuscation make this reverse engineering process 10x more difficult? Yes. And if you do not like it, you can cry some more and not visit the site. Remember, your browser is sending the HTTP request to the webserver for all of these. You requested this. You knew the browser would automatically execute JavaScript, therefore you also consent to whatever that JS is doing. This is how the web works and you always knew that. If you do not like any of this, just remember you are mad about what the person on the other end who hosts the webserver is doing entirely within their rights, and you can go ahead and cancel your ISP subscription because the entire internet works on the premise of requesting service from a server. But you made the choice of blindly trusting the JavaScript that server asked you to execute. Lastly, what about "tracking" is so bad to begin with? Does it interfere with what you do? The main and frankly only thing you can do with "tracking" such as this is to identify visitors on your site. This was my original motive to use this library. If I can identify users without putting them through the inconvenience of a registration/login system, I can potentially mitigate abuse by identifying on the server if certain actions were performed by the same person. In this case, as the website owner, I am the victim of abuse by users and am "tracking" them to identify bad actors and improve my service's design accordingly. The best way to not be tracked by a website is to not visit it to begin with. I literally cannot fathom any scenario where a user is the victim in any of this. How could tracking ever harm someone? The only victim I can see is one who is a bad actor who disrupts a service (let's say, for example, by uploading CSAM) and is identified, reported to the authorities, and blocked from further future disruption.
If you want to be absolutely 100% sure you are never tracked, put on your tinfoil hat, hoodie, sunglasses, and mask, buy a burner laptop from a pawn shop, take it apart to verify it is genuine hardware, install Linux from a USB drive, use it at a coffee shop with the free complimentary wifi, and once you're done you can format the drive and throw it out. The world has too many FOSS hippies crying about their non-existent rights on the internet that they signed up to use. |
The same logic as in
This library is marketed as a solution for actors doing things we consider evil. The authors of this library provide yet another enhanced solution marketed as the one for doing the things we consider evil. We consider the authors of this library as accomplices in doing these evil things.
Keeping this lib free software is beneficial because it kind of monopolizes this area. So it is easier to detect, block and reverse-engineer the solutions based on this library. But serving a superior proprietary solution alongside is a completely evil thing.
There is only one Browser Vendor - Googlag. Other ones have no choice other than to implement what Googlag chooses to be implemented.
I never asked for fingerprint.js to be executed in my browser. It is websites that ask the browser to ask them to serve this script. |
Actually yes, I believe in this statement 100%, and it further reinforces my philosophy. You should not only be paranoid of the software, you shouldn't even trust the hardware. That is why in my example of buying a burner laptop and using it at a coffee shop, I said "open it up and verify the hardware is genuine". You don't know if the person who sold it to the pawn shop put in a keylogger circuit that is wired in parallel to the keyboard and has a SIM and micro transmitter sending your raw key inputs somewhere. You can't even verify the microcode deployed by AMD or Intel, so if you really want to be safe you must manufacture your own silicon. stacksmashing made a very interesting video demonstrating how easy it is to backdoor hardware with malicious preinstalled firmware and how a malicious user could return it in the hopes it gets resold to an ignorant user who did not reflash the firmware. It is not illegal to sell backdoored hardware if the hardware is sold under the terms of "as is". You should do an inspection of the circuitry traces, and if you don't want to do that, well, too bad, don't own hardware. If you think only the most paranoid people will go to such extremes, just remember that the Amazon Echo and Google Home stuff exists and I'll bet most of us in the field don't own one of those for "reasons". So yes, by opening the website, you consent to the JavaScript being executed, same as when you buy hardware, you consent to whatever that hardware is doing and should open it up and verify for yourself if you are OK with that or not.
Same thing. You knew the risks. You accepted them blindly by opening the site without inspecting it first. Just because you didn't know if the site would execute a specific piece of JS doesn't mean you didn't consent to it. You consented to it by clicking enter in the URL box or the link. You knew that if there was JS it would get run. The browser is also a piece of code you blindly trust. You can disable JS if you don't trust getting fingerprinted. You knew the site would ask the browser to execute the script. |
We are already paranoid in hardware. But do you know what the words "trusted" and "trustworthy" mean? The word "trusted" means "that stuff will be able to compromise you, and probably will compromise you, and you will have to tolerate it (if you are not forced to tolerate it, the stuff is no longer trusted)". We should not trust the stuff called "trusted", by such a definition, but we have to, because we are forced to do so by external powerful entities to fulfill their interests. The word "trustworthy" means "that stuff cannot compromise you, even if you had to trust that stuff (but you do not necessarily have to trust that stuff)".
Yeah, hire your own slave-workers and ensure there are no spies among them, build your own equipment to make equipment, build your own semiconductor factory with this equipment, build your chips, build your own OS and software for these chips, build your own devices using your chips, build your own army to defend your right to manufacture your own devices racket-protected by various patents, build your own internet, persuade providers of valuable services (including, surprise!, other ordinary users) to use it even when they are faced with prosecution for doing that ... Sounds like an extremely realistic plan.
It is illegal to spread malware. But it is judges (agents of powerful entities) who decide what is legal (matches the best interests of these powerful entities) and what is not, on a case-by-case basis.
No, I don't. Opening a website, I consent only to JS serving my best interests being executed.
I have inspected some websites first. I know some websites are malware. I am forced by powerful entities (governments (yes, some govt websites almost every citizen of a certain kind must use contain the stuff I consider as malware), employers ("register and use a certain website or you will be fired"), other users sharing unique content via these websites) to use these websites. No, I have never consented to execute the malware. The malware was placed on websites without my consent, and was made required for website operation without my consent. The real life analogy of your suggestion: "don't go outdoors. If you go outdoors, you agree to be stabbed, shot, hit with a heavy object, pickpocketed and robbed, and your apartment to be burgled in your absence." It is completely bullshit. |
I can comment on a lot of things, but in favor of breaking this thread's nit-picking reply chain I simply want to state 2 things. Firstly, I disagree with your last analogy. By walking outside you don't agree to be involved in tragedies and accidents. If someone decided to stab you, they outwardly decided to hurt you. You didn't prepare, expect, or have a chance to defend yourself from it. You were the victim all for going outside, which is your right. The stabber took the effort out of themselves to inflict upon you. They so-called "provided a service". But the internet works on the basis of servers providing service upon request. Although an unrealistic analogy for real life, a more accurate statement would be: you walked outside, and went to a store that provides some kind of service. Upon walking into that store to receive service you are given a rundown by employees at the register of how it works (the HTML document). The employees explain that you must stab yourself with a provided knife (executing JS) to receive further service, or you may leave. You could rightfully not do that and leave, or you can decide you really want the service, stab yourself, and complain about it afterwards. Secondly, yes, if you want to be completely anonymous you need multi-billion dollar resources to make your own silicon factories with 3rd world child labor and internet, all so you can watch a cat video on a reinvented wheel of a crappy PC just so you can say for sure "at least I'm not being tracked on the internet!" |
If someone installed malware on a website in order to hurt visitors, he already decided to hurt them. Including me, if I am a visitor of such a website.
Of course I can. I can buy a bullet-proof vest and wear it all the time. Additionally I can buy a chainmail and wear it behind the vest.
I am not going to comment on that. Each part of that sentence deserves a separate big discussion.
No, on websites tracking is done automatically without asking my consent. The mere fact my browser has downloaded their malware (because their HTML code has instructed it to do so, without the warning that that code is malware) is often pretended to be consent. No, it is not. And visiting a website is not getting a security clearance. When one gets a security clearance of a certain level (for the lowest levels it is not required) he (besides other stuff) signs a document where he explicitly agrees to be deprived of the right of privacy and to all his communications being monitored. Visiting a shop doesn't mean I sign a contract with that shop. Also certain kinds of contracts are illegal and are void. And if all the shops require me to sign a certain harmful contract, it is just a kind of an anticompetitive agreement, not necessarily a written one. |
Hello. How do you feel about the fact that this library has become an instrument of unjust power over users?
The Canvas-based identification method has been extended due to the emergence of the fingerprintjs2 library, which can also take into account, for generating an identifier, such parameters as screen resolution, specific HTTP headers, lists of installed plug-ins and fonts, the activity of certain Web APIs, and WebGL. You can read the detailed study done by Antoine Vastel: https://antoinevastel.com/browser%20fingerprinting/2019/02/19/canvas-fingerprint-on-the-web.html