How can a pc be UNIQUELY identified online?

Is it possible to uniquely identify a pc by running javascript, asp, cgi, perl, or any other scripts? I am looking for a means of identification other than cookies (these are usually deleted between sessions) or ActiveX (which most people do not trust and disable) or any other identification such as IP's (which are usually shared and therefore not unique).

If yes, what are some examples of scripts?

Might be useful for detecting clone accounts on this forum too.

 

Nope.
IP is as close to a unique identifier as you will get.

 

I reckon the solution definitely includes Appletalk and tinfoil hats.

 

i dont get how being able to detect clone accounts on a forum is good, what happens if its a shared family PC, or your logging in froma friends place etc to check whats happening in the ocau world?

Combination of IP and MAC is the only way, and without the ISP cooperation i dont think there is any way.

 

ive been reading about flash cookies recently... but cookies only identify a browser, not a pc.

an ip can corrospond to multiple ips

mac addresses dont really work over the net, its possible to find sometimes, but not always. Additionally, most pcs have multiple macs, ethernet, wifi, maybe a tethered bluetooth phone? so its not unique either.

Your only way to ensure uniquity to 1 pc probably is a java applet with some stored var.

 

MAC addresses should be globally unique. Doesn't matter if 3 map to 1 pc, that pc can just be uniquely identified 3 different ways. No idea how to grab the MAC address in a script though.

 

What are you trying to do?
There may be other ways of going about it.

The accepted way of confirming a computer is who it says it is is using certificates.

 

And even using certificates - the user can still have multiple certificates - or even move certificates between computers (eg with roaming profiles, Windows Easy Transfer, export and import of the certificate and private key ...)

The short answer is that you cannot guarantee to uniquely identify anything over the Internet

 

No browser will give you the privileges to run something that can grab something like a MAC or an SMBIOS GUID (neither of which can be relied on anyway) out of the box without the user being aware. If you really want to do something like this without the user being aware, you could look into passive OS fingerprinting but it's a lot of work and will likely give you little more than the most tenuous ability to track machines behind a NAT.

 

If several scripts in different languages are used to obtain as much information as possible, I wonder how close this is to a unique id. What are the chances of two pc's picked at random returning exactly the same information about

- browser version,
- extensions installed,
- plugins installed,
- operating system version,
- whatever else that can be collected that stays constant between sessions (the user won't know what information the id is constructed from)

 

It's for when people get banned from the forum, to prevent them creating another account.

 

well in that case you will want to block the whole ip, banning to a single browser, or pc or mac wont suffice ... blocking the ip can be a bit over the top, but that the only way to atleast partially guarantee that he wont sign up again

until his dynamic ip changes
its a hard one.

 

Do you know how to store data from a java applet onto the hard disk without telling anyone?

 

The only client-side scripting language you can rely on across browsers is JavaScript. Client-side is the important thing to keep in mind — you have to (at some level) trust the client and the data it sends back. The take away from this is that whilst you can use any number of techniques to try to track and identify the client, ultimately the client has the advantage when it comes to pretending to be a 'new client'.

In short: you can't do that silently.

 

It appears chase manhattan and the bank of america have found a way to uniquely identify computers:

"In a nutshell they gather 30 or so pieces of information to identify your machine and compare it to a known list of your 'trusted machines'. This includes things such as browser version, plugin versions, etc. If you've ever used bank of america for you know that the site knows who you are when you login from the same machine and performs additional challenge responses when you try logging in from another one.
(...)
You could grab those checkpoints in a similar fashion to the machineid technologies, and send them off to an ad server over ssl in a query string. If example.com hosts ads from adserver.com, then the code in example.com could fetch adserver.com code to first gather this info, dynamically generate a url and css history theft to see if that unique user has visited the specific adserver.com url. If they had visited it then the user had loaded an ad from adserver.com in the past. At that point additional JS could fire performing a request to adserver.com with the name of the URL being visited or obtain this information via a referer header. Next the user visits cnn.com it also has the same code/src include, generates the same url, css history theft compares then continues doing the same thing. The adserver company now can track without cookies which sites the specific user has visited regardless of browser or IP."

http://web.archive.org/web/20080127145309/http://www.cgisecurity.com/2007/04/10

Here's evidence of chase manhattan bank doing something similar:

http://www.tek-tips.com/viewthread.cfm?qid=1359398&page=4

Does anyone know of a good programming forum?

 

the method u mentioned is still really linking to a browser, not a computer.

 

This is not the same scenario as:

Let's say you ban me right now and you're checking navigator.plugins, navigator.userAgent, Java release and whatever else to fingerprint me. I can:

• turn JavaScript off
• turn Java off
• turn plugins off
• change to another one of 6 web browsers on this machine
• change to another CPU architecture (I'm on Intel OS X so I can run an App as though it were in a PPC or Intel environment)

That's a brief list of things I can do to mess with a fingerprinting technique by mouse alone. There's a number of other things I can do to the browser itself or even in place of using a browser to further mess with a finger printing technique.

How does what you're proposing improve existing ban techniques?

StackOverflow is good if you have a specific question.

 

I'd like to ask why you would bother. Unless it is an intellectual exercise you are far better served by just banning users by username, email address & IP, then using the same things to ban whatever subsequent fake accounts show up later (if any).

You may get some persistent idiots making pests of themselves, but the very first step will get rid of most people.

 

Even if you could grab the MAC address (doubtful...), it's possible to change them anyway if someone is determined to not be identified that way.

 

Anyone though of the privacy implications of this.

It'd be a big no no. Even if it were possible.

Remember how well Intel did with the Processor Number in P3's. They're not around any more, and BIOSes quickly implemented a switch to turn it off to.