How can a pc be UNIQUELY identified online?

Discussion in 'Programming & Software Development' started by Mihalis, Aug 16, 2009.

  1. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    That's a valid point. But with computers never say "not possible". Say "I don't know how to do that". We already have someone here who says he can run DLLs off the browser without telling the user; it remains to be seen how this can be done legally. Perhaps with a very long license agreement.
     
  2. bugayev

    bugayev Whammy!

    Joined:
    May 15, 2003
    Messages:
    4,093
    Location:
    Melbourne
    Still doesn't solve the "not using windows = lose" argument. You've said you will only support certain browsers, but that doesn't fix the Firefox on Linux or Mac issue, does it?
     
  3. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    I think the exploit (?) given above (for launching a native executable off the browser) works in Linux too. Mac users will have to use a Linux liveCD (in a virtual machine or whatever else is available on the Mac).
     
  4. bugayev

    bugayev Whammy!

    Joined:
    May 15, 2003
    Messages:
    4,093
    Location:
    Melbourne
    And then do you know how quickly your website will get classified as malware for running native executables on user computers?
     
  5. oupimiquo

    oupimiquo Member

    Joined:
    Sep 20, 2007
    Messages:
    520
    Yup, goodbye to anyone reaching your site through Google. Also, any remote code execution exploit in Firefox will last all of about one day until someone patches it. You might have up to a month for IE users. The only viable way to have your code execute on their computers is to install a plugin or similar (as explained previously, unless you're also going to install a fairly intrusive driver and require them to run as Administrator/root, it's unlikely to stop trolls for any longer than it takes them to search for and download a generic ID faking program).
     
  6. figrin

    figrin Member

    Joined:
    Jun 26, 2001
    Messages:
    2,966
    Location:
    Sydney
    Are you trying to identify a PC, or identify a user? These are two different things, and would require different approaches.

    To identify PC, easiest way would be IP and cookies.

    To identify a user, it would be behaviour pattern matching.
     
  7. Osiris

    Osiris Member

    Joined:
    Aug 22, 2001
    Messages:
    3,724
    Lots of bright people have thought about your and none have accomplished what you want to do. I don't think you're going to achieve it but by all means keep trying.

    If you are looking for a workable solution, then copy the way it's implemented elsewhere: there are plenty of open source forum packages that you can access and examine. They probably use a combination of solutions, not just one, that will reduce the impact of spammers and trolls. Plus you could use tricks advertisers use, like Flash-based cookies that aren't removed by clearing the browser's cookies.

    You could use the crowd to reduce the impact by downvoting bad posts and not displaying any posts by people with lots of downvoted posts.
     
  8. Foliage

    Foliage Member

    Joined:
    Jan 22, 2002
    Messages:
    32,088
    Location:
    Sleepwithyourdadelaide
  9. platinum

    platinum Member

    Joined:
    Mar 5, 2003
    Messages:
    2,038
    Location:
    Adelaide
    You would have to install 3rd party software to do any of the things you are considering. Huge efforts are in all browsers to prevent this for this exact reason.

    With the odd chance that you are a brilliant hacker, and happen to find an exploit in every major browser, on every major OS, then they will simply get patched/fixed by the vendors, your site will be added to every blacklist on the internet, and anti-virus and spamware will be aware of its malicious attacks (the last two things would happen anyway).

    People care about privacy - it isn't an accident that the task you want to do is near impossible, and it's getting better all the time, so really I wouldn't bother even trying as it's a moral issue rather than a technical one.
     
  10. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    Not so fast, Google does not open an account or post. Only posting requires device identification.

    The developers of Firefox are not magicians, they can't possibly know of all zero-day exploits that exist to patch against them the following day. But the point is valid, eventually any exploit that is used will be patched one day, so I'd need a constant supply of zero-day exploits to go that way.

    But maybe what was suggested was a little-known intended functionality, and not an exploit.
     
  11. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    I applaud your original thinking. I had a related idea a while ago, based on voting too. But that would be off-topic here, if you are interested, let's start another thread.
     
  12. platinum

    platinum Member

    Joined:
    Mar 5, 2003
    Messages:
    2,038
    Location:
    Adelaide
    Google now blocks sites (in conjunction with http://www.stopbadware.org/). If you manage to avert privacy settings in browsers, you will be listed there and people warned away. I don't think you understand that these privacy settings are a deliberate and important thing, and especially in browsers like Firefox, if such a security hole was found it would be fixed -very- quickly.

    The last major security bug in FF3.5 that was found which allowed malicious websites to do what you are suggesting was fixed and an automatic update to every FF browser sent out within 2 days of it being found.
    https://isc.sans.org/diary.html?storyid=6796
     
  13. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    Security bugs that are found are a subset of security bugs that are known by hackers at any time. So the time it takes from Firefox devs becoming aware of a bug to fixing it is irrelevant. Hackers are always a few steps ahead.

    Someone has to demonstrate that my DLL exists, and second that it is harmful. Otherwise "stopbadware" and Google would be doing what Google is doing already to some sites that criticize the government or the powers that be, and that is censoring free speech. Can't count on Google for attracting people to discussions on the things that matter.

    But I have to agree that the trick that was suggested above by a member can be used by the bad guys too, so it can't have been an intended feature, it was definitely an exploit. Case closed.
     
    Last edited: Sep 1, 2009
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,361
    I hope this was sarcastic..

    This "idea" has been around for ages; pretty sure the original 'slashcode' for Slashdot had user moderation in it.
     
  15. Mihalis (OP)

    Mihalis Member

    Joined:
    May 22, 2009
    Messages:
    107
    It's well known that inventions occur simultaneously in different parts of the world at about the same time, this does not reduce the value and originality of each inventor's thinking, they all deserve congratulations. And I've noticed you're a bit of an original thinker too, I hope you check out my future threads cause I need guys with an inventive mindset.
     
  16. MorbosuS

    MorbosuS Member

    Joined:
    Feb 26, 2004
    Messages:
    582
    Location:
    Co. Cork
    It can't be done. Internet is pretty good at obscurity.

    Best way of designing your solution is to qualify identity with another external parameter.
    Eg: with one of the solutions I developed we used an SMS text message system to send a password which the user will then type in to gain forum/website membership.

    Advantages of this are: You are tying identity to a mobile phone number 1:1 correspondence, if you get kicked from the web site for whatever reason then you have to come up with another mobile phone you have access to and verify with that.

    It's pretty cheap to do: Exetel seem to have the cheapest prices thus far in Australia. The gateway for sending SMS messages is HTTP + POST method and you can just server side this functionality.

    eg:
    https://smsgw.exetel.com.au/sendsms/api_sms.php?username=xxxxxxxx&password=xxxxxxxx&mobilenumber=xxxxxxxx&message=xxxxxxxx&sender=xxxxxxxxx&messagetype=Text&referencenumber=xxxxxx

    *I don't know why people are talking about MAC address as this does not proliferate beyond NAT in any form, not to mention it's not guaranteed unique and it's a LAN protocol.

    *Banning IP addr is hit and miss and as already mentioned it is what some people use in conjunction with other things to narrow down identity, though I have seen this become a sledge hammer used to kill a mosquito in some cases.

    I can't see anything in HTTP request information that will guarantee the person you have banned will not just move to another computer/browser etc.

    'keep-alive', 'HTTP_COOKIE': 'sessionid=f9f4f9c06ff5f687873ad51142bdd82c', 'HTTP_HOST': '127.0.0.10:9100', 'HTTP_KEEP_ALIVE': '300', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1pre) Gecko/20090602 Firefox/3.5', 'QUERY_STRING': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_HOST': '',
    'SSH_AUTH_SOCK': '/tmp/keyring-zDbTvH/ssh', 'TERM': 'xterm', 'TZ': 'Australia/Sydney',
    'XDG_SESSION_COOKIE': '7f8624ae804d9ec62392d844490c44ef-1253061581.645189-1141522488',

    You couldn't do any fancy digital hardware fingerprint stuff without first putting it in the terms of use; that would probably cost a lot of money to do on the legal side, then there would be problems with antivirus picking up the software as malware, people don't like it, and it still does not guarantee identity.
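
The SMS verification flow described in the post above, as an added example that is not part of the original post and is not Exetel's or any forum package's code. It assumes numbers arrive already normalised, and `send_sms`, `SmsGate`, the TTL and the attempt limit are hypothetical names and values; the real gateway call would sit behind `send_sms`.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
CODE_TTL = 600                         # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 5                       # guesses allowed per issued code (assumed)

def _mac(*parts):
    """Keyed hash so stored numbers and codes are not kept in clear text."""
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()

class SmsGate:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms       # callable(number, text); gateway call goes here
        self.clock = clock
        self.pending = {}              # number MAC -> [code MAC, expiry, attempts left]
        self.members = {}              # number MAC -> username (one account per number)
        self.banned = set()            # number MACs that may never register again

    def request_code(self, number):
        key = _mac("num", number)
        if key in self.banned or key in self.members:
            return False               # banned, or already tied to an account
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = [_mac("code", number, code),
                             self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(number, f"Your forum code is {code}")
        return True

    def verify(self, number, code, username):
        key = _mac("num", number)
        entry = self.pending.get(key)
        if entry is None or self.clock() > entry[1] or entry[2] <= 0:
            self.pending.pop(key, None)    # expired or guessed out: drop it
            return False
        entry[2] -= 1                  # count the guess before comparing
        if not hmac.compare_digest(entry[0], _mac("code", number, code)):
            return False
        del self.pending[key]          # codes are single use
        self.members[key] = username
        return True

    def ban(self, number):
        key = _mac("num", number)
        self.members.pop(key, None)
        self.banned.add(key)           # the number itself is blocked, not the IP
```

The ban survives a new browser, cleared cookies or a different IP address, but not a second phone number, which is the cost the post relies on.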
     
  17. drplugnplay

    drplugnplay New Member

    Joined:
    Oct 25, 2013
    Messages:
    4
    Location:
    Adelaide
    "It can't be done" is a VERY bold statement. Everything can be done, given the right amount of time, a smart enough brain and a few programs under your belt.

    Anything can be done on the internet!!!

    One way that this could be done, over time, is by gathering data from the 'suspect' computer on a daily hourly basis, then after you have sufficient data (several thousand inputs, most commonly) analyze the data, cross out the inconsistent entries and use the good data to triangulate. (This is not proven, this is just one way that 'I' could see being a very accurate locator.)
     
  18. RyoSaeba

    RyoSaeba Member

    Joined:
    Sep 11, 2001
    Messages:
    13,039
    Location:
    Perth
    Did you just revive a 4-year-old thread just to say that?
     
  19. drplugnplay

    drplugnplay New Member

    Joined:
    Oct 25, 2013
    Messages:
    4
    Location:
    Adelaide
    I think I did. My apologies, the statement needed attention.
     
  20. ThankDog

    ThankDog (Banned or Deleted)

    Joined:
    May 22, 2013
    Messages:
    3,875
    Location:
    Ballarat aka Boganville
    I'm positive I read a tech article just a few weeks ago that said that this could be done. Of course when I need to be able to reference it, I can't find it again.
     
