How can a pc be UNIQUELY identified online?

Discussion in 'Programming & Software Development' started by Mihalis, Aug 16, 2009.

  1. Mihalis

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    Is it possible to uniquely identify a pc by running javascript, asp, cgi, perl, or any other scripts? I am looking for a means of identification other than cookies (these are usually deleted between sessions) or ActiveX (which most people do not trust and disable) or any other identification such as IP's (which are usually shared and therefore not unique).

    If yes, what are some examples of scripts?

    Might be useful for detecting clone accounts on this forum too.
     
  2. prezident doom

    prezident doom Member

    Joined:
    Nov 24, 2004
    Messages:
    5,284
    Location:
    Brisbane
    Nope.
    IP is as close to a unique identifier as you will get.
     
  3. Crinos

    Crinos Member

    Joined:
    Jul 1, 2002
    Messages:
    4,027
    Location:
    Tasmania
    I reckon the solution definitely includes Appletalk and tinfoil hats.
     
  4. thebranded

    thebranded Member

    Joined:
    Nov 30, 2006
    Messages:
    2,232
    Location:
    Sydney
    i dont get how being able to detect clone accounts on a forum is good, what happens if its a shared family PC, or your logging in froma friends place etc to check whats happening in the ocau world?

    Combination of IP and MAC is the only way, and without the ISP cooperation i dont think there is any way.
     
  5. mordy

    mordy Member

    Joined:
    Aug 30, 2001
    Messages:
    5,100
    Location:
    melb
    ive been reading about flash cookies recently... but cookies only identify a browser, not a pc.

    an ip can corrospond to multiple ips

    mac addresses dont really work over the net, its possible to find sometimes, but not always. Additionally, most pcs have multiple macs, ethernet, wifi, maybe a tethered bluetooth phone? so its not unique either.

    Your only way to ensure uniquity to 1 pc probably is a java applet with some stored var.
     
  6. Mikos

    Mikos Member

    Joined:
    Mar 12, 2004
    Messages:
    2,870
    Location:
    Cydonia
    MAC addresses should be globally unique. Doesn't matter if 3 map to 1 pc, that pc can just be uniquely identified 3 different ways. No idea how to grab the MAC address in a script though.
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,361
    What are you trying to do?
    There may be other ways of going about it.

    The accepted way of confirming a computer is who it says it is is using certificates.
     
  8. DavidRa

    DavidRa Member

    Joined:
    Jun 8, 2002
    Messages:
    3,077
    Location:
    NSW Central Coast
    And even using certificates - the user can still have multiple certificates - or even move certificates between computers (eg with roaming profiles, Windows Easy Transfer, export and import of the certificate and private key ...)

    The short answer is that you cannot guarantee to uniquely identify anything over the Internet :)
     
  9. swipe

    swipe (Banned or Deleted)

    Joined:
    Jun 27, 2001
    Messages:
    355
    No browser will give you the privileges to run something that can grab something like a MAC or an SMBIOS GUID (neither of which can be relied on anyway) out of the box without the user being aware. If you really want to do something like this without the user being aware, you could look into passive OS fingerprinting but it's a lot of work and will likely give you little more than the most tenuous ability to track machines behind a NAT.
     
  10. OP
    OP
    Mihalis

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    If several scripts in different languages are used to obtain as much information as possible, I wonder how close this is to a unique id. What are the chances of two pc's picked at random returning exactly the same information about

    - browser version,
    - extensions installed,
    - plugins installed,
    - operating system version,
    - whatever else that can be collected that stays constant between sessions (the user won't know what information the id is constructed from)
     
  11. OP
    OP
    Mihalis

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    It's for when people get banned from the forum, to prevent them creating another account.
     
  12. mordy

    mordy Member

    Joined:
    Aug 30, 2001
    Messages:
    5,100
    Location:
    melb
    well in that case you will want to block the whole ip, banning to a single browser, or pc or mac wont suffice ... blocking the ip can be a bit over the top, but that the only way to atleast partially guarantee that he wont sign up again

    until his dynamic ip changes :(
    its a hard one.
     
  13. OP
    OP
    Mihalis

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    Do you know how to store data from a java applet onto the hard disk without telling anyone?
     
  14. swipe

    swipe (Banned or Deleted)

    Joined:
    Jun 27, 2001
    Messages:
    355
    The only client-side scripting language you can rely on across browsers is JavaScript. Client-side is the important thing to keep in mind — you have to (at some level) trust the client and the data it sends back. The take away from this is that whilst you can use any number of techniques to try to track and identify the client, ultimately the client has the advantage when it comes to pretending to be a 'new client'.
    In short: you can't do that silently.
     
  15. OP
    OP
    Mihalis

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    It appears chase manhattan and the bank of america have found a way to uniquely identify computers:

    "In a nutshell they gather 30 or so pieces of information to identify your machine and compare it to a known list of your 'trusted machines'. This includes things such as browser version, plugin versions, etc. If you've ever used bank of america for you know that the site knows who you are when you login from the same machine and performs additional challenge responses when you try logging in from another one.
    (...)
    You could grab those checkpoints in a similar fashion to the machineid technologies, and send them off to an ad server over ssl in a query string. If example.com hosts ads from adserver.com, then the code in example.com could fetch adserver.com code to first gather this info, dynamically generate a url and css history theft to see if that unique user has visited the specific adserver.com url. If they had visited it then the user had loaded an ad from adserver.com in the past. At that point additional JS could fire performing a request to adserver.com with the name of the URL being visited or obtain this information via a referer header. Next the user visits cnn.com it also has the same code/src include, generates the same url, css history theft compares then continues doing the same thing. The adserver company now can track without cookies which sites the specific user has visited regardless of browser or IP."

    http://web.archive.org/web/20080127145309/http://www.cgisecurity.com/2007/04/10

    Here's evidence of chase manhattan bank doing something similar:

    http://www.tek-tips.com/viewthread.cfm?qid=1359398&page=4

    Does anyone know of a good programming forum?
     
  16. mordy

    mordy Member

    Joined:
    Aug 30, 2001
    Messages:
    5,100
    Location:
    melb
    the method u mentioned is still really linking to a browser, not a computer.
     
  17. swipe

    swipe (Banned or Deleted)

    Joined:
    Jun 27, 2001
    Messages:
    355
    This is not the same scenario as:
    Let's say you ban me right now and you're checking navigator.plugins, navigator.userAgent, Java release and whatever else to fingerprint me. I can:
    • turn JavaScript off
    • turn Java off
    • turn plugins off
    • change to another one of 6 web browsers on this machine
    • change to another CPU architecture (I'm on Intel OS X so I can run an App as though it were in a PPC or Intel environment)
    That's a brief list of things I can do to mess with a fingerprinting technique by mouse alone. There's a number of other things I can do to the browser itself or even in place of using a browser to further mess with a finger printing technique.

    How does what you're proposing improve existing ban techniques?

    StackOverflow is good if you have a specific question.
     
    Last edited: Aug 18, 2009
  18. est

    est Member

    Joined:
    Jan 20, 2003
    Messages:
    29
    Location:
    syd.au
    I'd like to ask why you would bother. Unless it is an intellectual exercise you are far better served by just banning users by username, email address & IP, then using the same things to ban whatever subsequent fake accounts show up later (if any).

    You may get some persistent idiots making pests of themselves, but the very first step will get rid of most people.
     
  19. mezla

    mezla Member

    Joined:
    Jul 1, 2004
    Messages:
    490
    Location:
    Melbourne
    Even if you could grab the MAC address (doubtful...), it's possible to change them anyway if someone is determined to not be identified that way.
     
  20. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    14,394
    Location:
    Canberra
    Anyone though of the privacy implications of this.

    It'd be a big no no. Even if it were possible.

    Remember how well Intel did with the Processor Number in P3's. They're not around any more, and BIOSes quickly implemented a switch to turn it off to.
     

Share This Page

Advertisement: