De-Anonymizing Social Network Users
An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikely that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."
First Post (Score:1, Insightful)
Re: (Score:1)
Fuck social networks.
This is why slashdot needs to close their facebook account.
An anonymous reader? (Score:5, Funny)
Nothing new (Score:4, Insightful)
Re:Nothing new (Score:5, Insightful)
But if you're the user with a Mac, version 2.0.1b of a browser posting to a small interest section, this would be great to find you again and your new set of friends.
That's why you never go back to the same sites if people are interested in you.
Re: (Score:1)
Re: (Score:1)
That's why you never go back to the same sites if people are interested in you.
Then how do I get any dates from eHarmony?
Re: (Score:2)
That's why you never go back to the same sites if people are interested in you.
Only on Slashdot is this not modded as “Funny”...
Misleading description of what they're doing (Score:1, Informative)
A more accurate one, if I am RTFA right, is "by trawling through the browser history of visitors to a site it is possible to distinguish one from another so long as the user uses and regularly visits the group pages of select social networking sites and never clears their history". At most it seems to allow them to compare the "groups" pages you have visited on, say, Facebook and possibly identify which FB user you are using that information.
I see nothing to suggest that this helps them to identify who you
Solution: Never join any groups (Score:1, Insightful)
Just try to de-anonymize the antisocial network!
Re: (Score:3, Funny)
Billy No-Mates, is that you ?
Can I get a big who cares? (Score:3, Interesting)
So basically if
then an attacker might be able to work out the name you use on that social networking site?
Why would anyone bother? Indexing facebook would take quite a bit of time and resources and at the end of it you'd have something which might or might not be someone's real name. Even if it is their real name, what exactly are you going to do with it? So you've unmasked (maybe) the name (maybe) of someone who visited your site. It's not going to give you anything else useful unless you combine it with some other attack vector which could quite easily pick up their real name for free anyway.
I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests, but to be honest, you'd probably do better social engineering their ISP to get their account details.
Re: (Score:3, Informative)
With this you get the friends of friends and their interests.
The ability to play an eco nut, poker fan, open source gamer or other 'lifestyle' undercover is very tempting.
Over time they build a relationship and might get invited in.
Re: (Score:3, Insightful)
I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests
You mean, like, a social networking site?
Re: (Score:2)
This was sort of my point. What on earth can they do with this?
Uh, no thanks... (Score:5, Funny)
Re: (Score:2)
I prefer not to de-anatomized all the Anonymous Cowards.
I think it's time anonymous users were de-anathemized.
Summary is wrong; idea is worthless (Score:5, Insightful)
But worse than that, the paper itself is horribly written, especially the abstract. The threat presented is not de-anonymization within the social network (since usually most profiles are real people anyway) but rather de-anonymization of visitors to arbitrary websites if those visitors also have social networking URLs in their browser history.
Now, the big privacy hole here is browser history stealing [blogspot.com], which is four years old. All this paper does is refine this mountain of privacy-invading information using social networking URLs that might be found there.
Re: (Score:1, Informative)
History stealing is even older than Jeremiah Grossman's blog posting, he also simply copied the idea: this design flaw was reported in bug tracking system of Mozilla (Netscape) back in 2000, the longest discussion in the system is from 2002 (http://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]).
If you read the article, they clearly state that history stealing is a well-known technique, they just use it in a different setting to be able to find out the "group fingerprint".
Re: (Score:2)
the longest discussion in the system is from 2002 (http://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]).
Actually, an even earlier discussion can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=57351 [mozilla.org]. And that one is probably not the oldest one either...
Re: (Score:3, Insightful)
Which is why browsing with NoScript should be mandatory and why we should try to stop webmasters from using unnecessary javascript on their websites.
(Oh, and please stop mocking those of us that take basic security precautions.)
Re: (Score:2)
(Oh, and please stop mocking those of us that take basic security precautions.)
[Nelson Muntz] Ha ha ! [/Nelson Muntz]
Re: (Score:1)
CSS can be used to execute the same sort of attack.
Re: (Score:3, Insightful)
The whole site and paper looks like an attempt at marketing Xing. I never heard of this site before, now it's on the news.
Re: (Score:2)
The whole site and paper looks like an attempt at marketing Xing.
It's a clever trick to profile the Slashdot crowd, known for penguin worship, frequently known to follow radical publications (Periodic Table, Bill of Rights, Wikipedia...), secretly behind tech controversies (Do triodes or tetrodes sound better??)...
Re: (Score:2)
Xing has over 8 million members and is the #1 B2B social network in Europe. It isn't irrelevant or exotic just because you haven't heard of it. Duh. Yes, I'm a member. Yes, I made quite a nice amount of business (=money) because of Xing.
http://corporate.xing.com/english/company/ [xing.com]
Before they rebranded it, it was called OpenBC (Open Business Club). Maybe you've heard of that. ;)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
How about all the other things that can be found in one's browser history, such as Google searches, or, say, one's own name on some websites, such as Facebook when viewing one's own profile?
I think you don't get it. The same-origin principle [wikipedia.org], enforced by all contemporary browsers, prevents sites from just querying the history. Thus, an arbitrary site is by no means able to just view the user's Google searches or Facebook profile from the browser's history, contrary to what you seem to suggest.
The problem is that it's very, very hard to truly enforce 100% of the same-origin principle. Some limited information might leak due to side channels. For example, an attacker can try to find out if th
Fonts, Plugins, History... why? (Score:5, Interesting)
similarly, the plugins list... another thing that doesn't need to be sent out by the browser...
Firefox devs, you listening here? these do not need to be transmitted so block them...
anyone know of a plugin that blocks them?
and why on earth is it possible to sniff the history list???
Re:Fonts, Plugins, History... why? (Score:4, Interesting)
You're barking up the wrong tree: you should be screaming at the JavaScript wizards, I think.
Re:Fonts, Plugins, History... why? (Score:5, Informative)
Your font list is reported by Flash and Java. Your browser is innocent of this. Disabling Flash & Java goes a long way to make your system information less accessible.
Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png") && boo! [shasldot.org] - if you go to my site, you will request specific image and i can see it in logs, boom, i know you were to slashdot.
Re: (Score:2)
That should be easy to fix, shouldn't it? Just fetch all images from the CSS instead of doing it on demand.
Re: (Score:2)
Annoying design trade-off, fetching all images specified in CSS will waste a lot of bandwidth, sure for a lot of desktop people bandwidth is fast and cheap, but mobile and modem users might not like the idea that much. (In Australia they still have x GB monthly limits on broadband!).
Also, I can foresee another trick: ok, the browser fetches all images, rendering my log examination useless. So now I can write a Javascript function that checks whether a particular element has this particular background image,
In similar ways you can detect font w/o Flash/Java (Score:2)
Your selectors example can be used similarly for font detection. Set up CSS with a particular font - fall back to a standard font with known metrics. Once the page is rendered, use javascript to get the metrics of e.g. the block element you stuck the text in, and you can determine with fair certainty that the user either has that font, or doesn't. Obviously user CSS overriding things, scripting getting blocked, etc. thwart this - but that's not going to be the vast majority of users.
Re: (Score:2)
I saw the Java plugin fire up when I visited the Panopticlick site. It contains an applet.
Re: (Score:2)
Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png")
Why not load a:visited images unconditionally (even when they aren't displayed)? And why allow getComputedStyle on elements whose rendering depends on :visited?
Re: (Score:1)
Re: (Score:2, Informative)
"anyone know of a plugin that blocks them?"
NoScript blocks Javascript which in turn blocks most of these queries.
Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.
Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applet
Re: (Score:3, Informative)
Re: (Score:2)
"anyone know of a plugin that blocks them?"
NoScript blocks Javascript which in turn blocks most of these queries.
Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.
Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applets).
Not many people disable javascript, that's just one more thing to make you more unique.
And there is a big drawback from changing your headers: You're no longer advertising a free operating system. I was thinking of changing my signatures, but I figured that I would rather like webmasters to know that they have linux users as well.
.. And last, if I'm not mistaken, NoScript lets me enable individual flash applets on a page, at least I can do that and I don't have Flashblock.
Re: (Score:2)
Yes, but you replace many bits of data (plugin list, fonts, etc) with a single information, so it's probably better either way.
Re:Fonts, Plugins, History... why? (Score:5, Insightful)
Even more horrifying: in my case, my local username was part of the information that panopticlick found... the reason was that one of the plugin binaries was in a subdirectory of my homedir, and its path contained my username, and apparently the path of that binary was sent out by firefox. However, I'm not sure if the fault lies with firefox or with the particular plugin (citrix receiver for linux). Probably the latter, because in the plugin-box, it identifies itself with its full path.
Re: (Score:2, Interesting)
Re: (Score:1, Informative)
Easy remedy:
about:config
plugin.expose_full_path Standard boolean false.
I bet yours is set to true.
Re: (Score:2)
It tells you where the blame is on that site.
For example my IE at work reads ..., Kanafont, Eurofont (via Flash)
Marlett,
My Opera on my USB device with Flash and JavaScript disabled gives almost no information other than the user agent (and that user agent is not as detail-rich as my IE one).
What about loners? (Score:5, Interesting)
Brilliant plan, guys... except you still left one variable unknown: the aloof guy who doesn't belong to any groups. How do you pick him out of the crowd when he's not in it to begin with? Those aloof loners are always the ones we should be worrying about, right? That's what the movies always say.
Re: (Score:3, Interesting)
Or buy 10X the normal amount of a substance and the local supplier pulls the FBI card as they are an upstanding citizen or are owned by the feds.
The smart ones make their own, but then it is always the essay to trip them up.
Re: (Score:1)
That already happens now. Been that way for years. People without a traceable history, for example a credit history, or a small stack of credit cards, a job, etc., receive all sorts of "special" treatment at the border, made even worse in today's hysterical times. Yes, not having a file makes you very suspicious indeed. Upon its discovery, one will be created automatically for you. Those without facebook accounts clearly have something to hide. It will be mandatory real soon now. - Papers please -
Xing? (Score:3, Interesting)
They (the authors) keep mentioning it in the same breath as Facebook, Twitter, and LinkedIn - but I've never heard of it (I realize that may not necessarily mean anything). It also seems a bit odd to see the BSD demon in one of the article graphics. I can't help but wonder if this was posted to actually discuss an attack vector against social networking sites, or if it was really some weird attempt to promote some GNU/Free social networking club.
Anyway, it seems to me that demoing a practical de-anonymization of a Facebook user or a LinkedIn profile would be more interesting.
Re:Xing? (Score:4, Insightful)
Xing membership is a fraction of facebook, linkedin, et al. I would have to assume that it's going to be easier to "fingerprint" users of Xing when they have such a relatively small userbase. TFA doesn't say that their method works anywhere else either (though they imply that it could...); further they specify it only works for people in groups. This reduces the population of 8 million down to 1.7 million by itself. How many of those belong to just 1 or 2 groups, in which you might expect to find a high degree of overlap?
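The question raised above (how many users share an identical set of groups) is an anonymity-set measurement, and a network operator can run it over its own membership table. The following is an added example, not code from the article, the paper or this thread; the user ids, group names and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: user id -> groups joined (not real data).
MEMBERSHIPS = {
    "u1": {"linux", "chess"},
    "u2": {"linux", "chess"},
    "u3": {"linux"},
    "u4": {"linux", "chess", "sailing"},
    "u5": {"sailing"},
    "u6": set(),
    "u7": {"linux"},
    "u8": {"chess", "sailing", "photography"},
    "u9": set(),
}


def anonymity_sets(memberships):
    """Group users by their exact set of groups (the 'group fingerprint')."""
    sets = defaultdict(list)
    for user, groups in memberships.items():
        sets[frozenset(groups)].append(user)
    return dict(sets)


def exposure(memberships):
    """k per user: how many users share that user's exact fingerprint."""
    sets = anonymity_sets(memberships)
    return {u: len(sets[frozenset(g)]) for u, g in memberships.items()}


def below_k(memberships, k_min):
    """Users whose fingerprint is shared by fewer than k_min accounts."""
    return sorted(u for u, k in exposure(memberships).items() if k < k_min)


def unique_fraction_by_group_count(memberships):
    """Share of users with a unique fingerprint, bucketed by group count."""
    k = exposure(memberships)
    total, unique = Counter(), Counter()
    for user, groups in memberships.items():
        total[len(groups)] += 1
        unique[len(groups)] += int(k[user] == 1)
    return {n: unique[n] / total[n] for n in sorted(total)}


if __name__ == "__main__":
    print("k per user:", exposure(MEMBERSHIPS))
    print("below k=2:", below_k(MEMBERSHIPS, 2))
    print("unique by group count:", unique_fraction_by_group_count(MEMBERSHIPS))
```

In the constructed sample, users with no groups or with a common one- or two-group set hide among each other, while every three-group user is unique.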
Re: (Score:1)
I have always been of the impression that Xing was a chat site for adolescent girls.
Re: (Score:3, Informative)
False belief work both ways. (Score:1, Interesting)
Just as people who don't take privacy seriously aren't really anonymous, people who think that these revelations actually make people not anonymous online helps cater to said false belief, and keeping true Anonymous Cowards (who has the smarts to either not register on networking sites, or register with different false data on separate sites) safer, for the moment.
Posted as Anonymous Coward for obvious reasons.
Re: (Score:3, Insightful)
...register with different false data on separate sites
This attack allows for a bit of quasi-de-anonymizing in this case. It doesn't tell you that user "vikingsfan" is real life Eric J. Andersen of Frostbite Falls, MN, but it does tell you that "vikingsfan" on the site is none other than "hockeypuck" on site B, who is also the same person as "moosehead" on site C, etc.
This sounds trivial, but it's of interest to some of us who may not want people on site A to know who we are on site B, when site A is an important social locale for us, even if no one on site A
I'd be more interested if... (Score:1)
uhh, why? (Score:5, Insightful)
All you have to do is post a stupid little survey to Facebook and millions of idiots will fill the silly thing out giving you their mother's maiden name, street they grew up on, and last 4 digits of their social security in return for generating a few sentences of nonsense.
Use multiple pseudo-identities (Score:1)
Next Slashdot poll:
I have N Facebook accounts, where N is:
*1-4
*5-9
*10-19
*20-29
*30-39
*41 or more
*I just "borrow" one of CowboyNeal's
*My probation officer won't let me use Facebook, you insensitive clod!
Lame Theory (Score:1)
Misleading summary (Score:2)
I don't think this is what the tool is designed for. If you read the paper, you'll see that all they'd get would be a list of groups that either of your identities were members of.
What this is for is to match identities at different sites. To tell what Facebook account Candidate@LinkedIn is using... you get Candidate@LinkedIn to visit a site (hey, send your resume to http://example.com/5jh332 [example.com] and it'll go right past HR) and hit him with a Facebook tracer while he's filling out the resume. Now you know that
Took 'em long enough. (Score:1)
I feared this day will come. (Score:2)
There's a reason why I joined a Young Communists group on Facebook and friended the GOP on MySpace...
opting out of social networking (Score:2)
Privacy Law (Score:1)