Are you trusting Google with all of your online life?

[unitrunker]

Browsers can pull your hardware MAC address - even when you've set a different one (thanks Google).

 

[Alain De Vos]

In rc.conf I use,
### IPv6 options: ###
ipv6_privacy="YES" # Use privacy address on RA-receiving IFs

 

[Mjölnir]

Browsers can pull your hardware MAC address - even when you've set a different one

It should be possible to send a faked one? I could patch the browser to generate a new one hourly/daily/weekly, according to the appropriate rules how a MAC address is made?

(thanks Google).

Why's that?

 

[Mjölnir]

In rc.conf I use,
### IPv6 options: ###
ipv6_privacy="YES" # Use privacy address on RA-receiving IFs

What is RA-receiving? I'm fetching that RFC 4941, but maybe you can explain quicker than I can read the RFC...

 

[unitrunker]

I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.

I clear cache and cookies, change MAC to a fake one, and try to login again.

Physical MAC re-appears in the location bar. The browser extracts it somehow.

Yes my traffic over WiFi uses the fake MAC but doesn't prevent Google from tracking me.

I should do some experiments with different browsers but you get my point.

 

[Mjölnir]

I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.

You mean the sign-in page of that WLAN access point? You have to sign-in in that Stubbucks café to get internet access via their WLAN? Ok, then it's not your browser that's extracting your MAC address, but the WLAN router you're connecting to, tells that the web interface where you sign in. No matter who's their ISP. If OTOH you mean the sign-in page of any Giggle service like YouTube, then that's probably another story.

I clear cache and cookies, change MAC to a fake one, and try to login again. Physical MAC re-appears in the location bar. The browser extracts it somehow.

Only very few carrier-grade commercial network hw allows the user/admin to fake the MAC address. I strongly doubt you have such. The driver may allow you to set the MAC address; but the average consumer hw will not take that, it uses the burned in MAC address, and rightly so. There's just too many things an non-expert user could misconfigure. I had a 4-port Sun QFE in a UltraSPARC box that allowed me to set the MAC adress. The manpage read s/th like this: hme(4) (FreeBSD)

     On sparc64 the hme driver respects the local-mac-address? system
     configuration variable which can be set in the Open Firmware boot monitor
     using the setenv command or by eeprom(8).  If set to “false” (the
     default), the hme driver will use the system's default MAC address for
     all of its devices.  If set to “true”, the unique MAC address of each
     interface is used if present rather than the system's default MAC
     address.

IIRC that feature could be used for HA failover scenarios or such? Dark fuzzy memories...

Yes my traffic over WiFi uses the fake MAC

How do you know that? Are you sure? See above: I strongly doubt you can set the MAC address that goes out to the wire or antenna. The driver's: yes. The HW doesn't give a sh(1)t.

but doesn't prevent Google from tracking me.

IMHO that's not so clear. They track you, yes, but probably not by your MAC address.

 

[Deleted member 30996]

I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.

I have a box dedicated to the Goddess for use with our wi-fi hotspot and spoof my MAC.

Here's how to spoof the ether MAC on FreeBSD showing before and after the command:

root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether b0:0b:de:ad:b0:0b
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog

root@jigoku:/ # ifconfig bge0 ether DE:AD:B0:0B:DE:AD
root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether de:ad:b0:0b:de:ad
    hwaddr 1c:75:08:22:06:65
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog

And since my router will not allow it to have Internet access by my instructions, changed it back to what it was originally before being able to post this:

root@jigoku:/ # ifconfig bge0 ether b0:0b:de:ad:b0:0b
root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether b0:0b:de:ad:b0:0b
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog

 

[Mjölnir]

And you connect to your WiFi with that bge(4)? I knew you're magic!

 

[Deleted member 30996]

And you connect to your WiFi with that bge(4)? I knew you're magic!

Sheer Black Sheep Sorcery to you.

I've never looked at the MAN page you cited until now or done one thing listed on it before.

Not compiling the driver into the kernel as suggested. Not with any tweaking to tunables or sysctl variables. Yet here I am.

View attachment 9347

Nothing but choose bge0 from the wi-fi and ethernet network interfaces presented during installation of the base system.

I've passed on my Black Sheep Sorcery Skills in the obscure guise of a Beginners Tutorial for those Birthday Party Level Magicians who wish to become FreeBSD Daemon Level Sorcerers.

If it's not in there I don't do it to get online, or to the x11=wm/fluxbox desktop. Maybe you'd like to critique it. I'm always open to suggestions and constructive criticism.

Don't count on me making any changes due to it unless it's needed to make it do something it doesn't already or better it somehow. Or from using ports, just so you know.

 

[Snurg]

Delete their cookies often, IIUC that's their main method to identify the user, plus CPUID? Can a browser access the cpuid? Can they identify me by reading (from a .js running in my browser) a SSL seed or such that's pinned by my SSL/TLS library? I.e. today it's the same like last week? I'm a total noob when it comes to this crypto stuff...
EDIT I cited none, but just do some wild guessing. See above: I'm a noob...

Just look at what data they actually use and see how unique you are

I figure a custom-compiled Firefox on Freebsd is pretty darn unique.

You don't need to custom build the browser to become uniquely identifiable.

Browsers can pull your hardware MAC address - even when you've set a different one (thanks Google).

Another reason why using only IP4+NAT might have some (small) advantages.

I wish there were a browser which allows you choose what data is been shown to the javascript etc.
If all share an identical (or a small set of) "John Doe" profile, this would imply some loss of functionality while becoming less recognizable.

 

[Mjölnir]

Sheer Black Sheep Sorcery to you.

Thank you, you're very generous.

View attachment 9347

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.

I've passed on my Black Sheep Sorcery Skills in the obscure guise of a Beginners Tutorial for those Birthday Party Level Magicians who wish to become FreeBSD Daemon Level Sorcerers.

I do like that Tutorial. It's is very contemplative.

Don't count on me making any changes due to it unless it's needed to make it do something it doesn't already or better it somehow.

No, but how about Devilene?

 

[Deleted member 30996]

Just look at what data they actually use and see how unique you are

I just blend in with the crowd as long as JS isn't enabled for a site. It's denied globally and enabled on a site by site basis. Not that one:

User agent 
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36

 

[Snurg]

I just blend in with the crowd as long as JS isn't enabled for a site. It's denied globally and enabled on a site by site basis. Not that one:

User agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36

Yes, there remain some data that can be extracted from what remains.
Sadly, the statistics of the site I mentioned doesn't go into much detail there.
How unique does it say you are?

 

[Deleted member 30996]

It needed JS enabled for the Am I Unique page to work at all, and once enabled that blew my cover:

 

[Snurg]

Yes, I wish there were a link to the details on every percentage shown on the main page.
At least you can see the most common John Doe values for each entry if you click the "Similiarity ratio" button at the top of the "Javascript attributes" section.
With a specially hacked/patched browser, one could compose a "John Doe" profile that is as non-unique as possible.
I wonder whether such a plugin exists or even can be made at all.

 

[Deleted member 30996]

Snurg, I use the Firefox Toggle Referrer extension and it has an additional Referrer Spoofing feature for "problematic websites" you can enable that allows you to do custom editing of the Profile sent outlined in detail here if that meets your needs. You can make out the other extensions I use from the image provided.

I'm not all that worried about it beyond the things I already have covered. Google can tell exactly where I'm located on the Search page even when I don't have JS enabled and geo location disabled in about:config.

What bogus personal/unique information they collect from me now should be of any real privacy or security concern to me? And what accurate information they collect now should be of concern to me personally?

I don't allow JS to run globally through the use of NoScript and that's by far the most important security measure for Internet browsing that can be taken IMO.

It shuts down Meltdown and Spectre and pops a cap in malicious drive-by downloads before they get a shot off. Having NoScript to handle scripting and the fact very little malware targets FreeBSD, which I spoof to Windows, does it's fair share of what I think needs done to make browsing a thing with very little consideration given to being exploited no matter where I go.

I wouldn't get that Oh So Delightful Out-Of-The_Box Windows Experience feeling I hear spoken of on my Win10Pro box at_all and it never does online.


In the interest of transparency and full disclosure, when I was a Win98 user and full-time Agent of Chaos at large MultiProxy was standard issue equipment for all of us. With the click of a button you could switch from one to any proxy world-wide that was in my pre-loaded list and change my location to another Country and IP# instantly.

In the interest of Privacy, if at all possible, IMO it should be ported to FreeBSD by someone with smarts beyond mine to do it with my overwhelming everlasting gratitude if they would. It's freeware and the guy who ran the site was active in communication with users, very friendly and might be happy to see it done.

However, in the interest of Privacy and Security I would never enter a password to an account while using it. Those lists came from scanning the net and might unknowingly include a trap MITM open port in the list compiled and any of them could be sniffing.

 

[Deleted member 30996]

Thank you, you're very generous.

I called it Black Sheep Sorcery because not long after joining the PC-BSD forums as beta tester I found x11-wm/fluxbox and abandoned KDE3. Then dumped their .pbi Push Button Installer that reminded me of a Windows .exe in favor of learning ports.

One of the Moore Bros. asked me what I wasn't following the direction of the rest of the flock,
instead of bleating "baa" I said "bah" and the Black Sheep was born.

I never looked at the Handbook thinking because I was using PC-BSD it did not apply (that's how green my grass was at the time) and figured out how to use it on my own. Nobody would tell me portsnap was a command when I asked where it could be found in ports, lest lamb chops be listed on the menu.

Then the Shepard devotion towards the safety of their flock that followed them faithfully changed to love of money with Xsystems in the picture and they knowingly and purposely failed to protect the little lambs that followed them.

On April 4th 2012 I found a bug in the Firewall Manager GUI that broke pf, report it to the Shepard in charge, provided demonstrations of it along with a simple user level fix with example of how it was done. They became aware of the situation April 6th 2012 but ignored the black sheep of the flock, who did the black sheep thing and spoke out loudly in the PC-BSD forums to make the Shepard aware.

After being totally ignored for 2 months I shed my wool disguise in disgust, did a cougar catflip over the fence and bounded to Wilders Security Forums where I knew I would not be ignored and made their failure to the flock Public Knowledge. I knew the flock were being screwed and said get away from that little lamb when you've got those rubber boots on!

Then donned the disguise of a normal noob geek and headed for Freedom and FreeBSD. Only recently after returning letting my true form be known to drhowarddfine (for shock value), ILLUXA and Sir Dice to share with mods. I was telling the truth when I said I wasn't what you'd expect your average geek to look like. When I feel the time is right I'll post it here myself for the benefit of all.

You weren't here then back then or around to hear if before so I don't want you to misunderstand the meaning of Black Sheep Sorcery. I've told it many times before but being able to repeat the story as a means of contiuned negative reinforcement was part of my Lesson Plan.

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.

Forum related problem to correctly display uploaded images.

I do like that Tutorial. It's is very contemplative.

Thank you. It's what's known in my circles as a Task Analysis. Not everyone can do it.

It began as notes to myself so I wouldn't forget how to do it when I terminated my Internet and cable service for a year. I should have written my login passwords down because I forgot that and lost all my account passwords but one.

After going back online I posted it to the only forum I belonged to I had written the password down for on paper under the name of my bot Siseneg.

That was picked in an article by freebsd.news and their article featured on the English and Arabic Facebook pages of bsdmag.com. After posting it here in the forums it was picked up again in another article by freebsdnews.com featuring a screenshot of the desktop of ILUXA.

No, but how about Devilene?

Abandon all hope of Devilene undergoing Graphic Image Breast Reduction done by me. She said so.

 

[Mjölnir]

Abandon all hope of Devilene undergoing Graphic Image Breast Reduction done by me. She said so.

Ok. But I have to make sure about copyrights before I can copy & paste her to a shirtprinter.company
Can you provide me with serious input on that issue? I didn't try yet, but I could imagine they'll ask me for a real name & address & all that. EU legal stuff, copyrights violations are punished harder than if I started a hooligan-like fight with real blood & broken bones... seriously, not kidding.

 

[Deleted member 30996]

Yes, that image already appears on a T-shirt somewhere. I had the file named t-shit.png and the artists name still appears on the image. If you can make it out contact him.

I took Law of the Sea liberty to alter in into a full-sized image from original format because I didn't think they would mind. If they ask me I'll take it down but once in my files it's mine.

 

[Jose]

Just look at what data they actually use and see how unique you are

Unfortunately I am quite unique. One of the things that was really annoying is that my list of fonts is one of the most unique things about me. That led me to find this Firefox addon

Font Fingerprint Defender – Get this Extension for 🦊 Firefox (en-US)

Download Font Fingerprint Defender for Firefox. Defending against Font fingerprinting by reporting a fake value.

addons.mozilla.org

Now I'm unique every time I load the page, which is exactly what I want.

 

[Snurg]

Now I'm unique every time I load the page, which is exactly what I want.

Good to see there exist "fingerprint defender" plugins already.

But, can mere reshuffling of the font list really work?
If I were a bad guy, I'd just try to null the plugins' effect by first sorting and stripping the font list, and then checksumming it.
I guess it would be worth to take a look at the plugin source to make sure it works in a way that rules out such workarounds.

Maybe it is best to provide a set of indiscernible, partly fake information?
Maybe having a set of essential fonts that are always there, and another set of fonts that are randomized, at the cost of sometimes slightly varying page display?

 

[unitrunker]

You know that? Are you sure? See above: I strongly doubt you can set the MAC address that goes out to the wire or antenna.

Yes I'm sure. Wireshark confirms it.

As an aside, Android has the option to randomize its mac address. Ironically Google thinks this has some benefit to privacy.

 

[Mjölnir]

I have to refresh my knowledge of the topics networking basics & privacy... You're sniffing the WLAN traffic with another box, and your FreeBSD box sends out a fake MAC address out in the air? BTW you didn't tell on my 1st question: did you mean the sign-in of the WiFi AP or the sign-in of a public Giggle service? IMHO that makes an important difference concerning the issue.

 

[wolffnx]

sorry for change the talk, but even if you change your email provider @gmail.com to another
they can read your emails?
whow? is you use chrome, today I read this,an had sense

Si usas ProtonMail, Google está leyendo igualmente tus correos a través de Chrome

use google translator

 

[Deleted member 30996]

I have to refresh my knowledge of the topics networking basics & privacy... You're sniffing the WLAN traffic with another box, and your FreeBSD box sends out a fake MAC address out in the air?

I have an Ethernet LAN hooked into a router that goes into the cable box out the cable into the Internet.

Mine sends the spoofed MAC down the Ethernet cable and my router blocked it from Internet access as per my instructions. I had to set it back to the MAC it recognized before I could post that command, even though I still had the browser window open.

What would be the difference in wi-fi?