|
BrianRx posted:Why would they do this? Fingerprinting? yes, and trying to detect rdp/vnc sessions remoting into another machine
|
# ? Sep 20, 2021 06:12 |
|
|
# ? May 17, 2024 07:46 |
|
Biowarfare posted:yes, and trying to detect rdp/vnc sessions remoting into another machine Thanks! Why??
|
# ? Sep 20, 2021 08:33 |
|
BrianRx posted:Thanks! Why?? so they can identify everyone regardless of whether or not they have cookies? they all do that. canvas fingerprinting, webaudio, webrtc to detect your local lan IPs and any subnets and sweep them, webgl fingerprinting, logging which gpu you are using if you use chrome, etc.
|
# ? Sep 20, 2021 08:54 |
|
BrianRx posted:Why would they do this? Fingerprinting? I love this thread but I'm not a computer security person so maybe I'm talking out my rear end, could they be looking for specific ports that might indicate the machine has been taken over by malware or has TeamViewer running or something, as a sign the purchase might be fraudulent? Edit: whoops already answered, should have read the next page before replying
|
# ? Sep 20, 2021 11:26 |
|
Biowarfare posted:lovely, walmart has joined the trend in retailers port scanning your device and local network and abusing webrtc they're trying (crudely) to see if you're part of an inelegantly-controlled fraud botnet
|
# ? Sep 20, 2021 13:57 |
|
Biowarfare posted:so they can identify everyone regardless of whether or not they have cookies? they all do that. canvas fingerprinting, webaudio, webrtc to detect your local lan IPs and any subnets and sweep them, webgl fingerprinting, logging which gpu you are using if you use chrome, etc. Got it, it's essentially all fingerprinting/profiling. I was aware that webRTC leaks IPs, I didn't know about the others. Thanks.
|
# ? Sep 20, 2021 17:33 |
If you're curious about browser fingerprinting, and all the kinds of ways that it gets accomplished, which haven't been mentioned yet - I would recommend fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors by U. Iqbal et al, published in IEEE but available in its pre-print form on arXiv along with its references.
|
|
# ? Sep 20, 2021 18:50 |
|
Biowarfare posted:lovely, walmart has joined the trend in retailers port scanning your device and local network and abusing webrtc
|
# ? Sep 20, 2021 19:42 |
|
Biowarfare posted:so they can identify everyone regardless of whether or not they have cookies? they all do that. canvas fingerprinting, webaudio, webrtc to detect your local lan IPs and any subnets and sweep them, webgl fingerprinting, logging which gpu you are using if you use chrome, etc. I have webrtc disabled in Firefox - is there anything else I can do to prevent all this poo poo? Are there any FF extensions available that would help?
|
# ? Sep 20, 2021 19:44 |
|
Harik posted:Are they sticking to 127.0.0.1 as in the screenshot or going further and checking private address spaces to figure out what your internal network looks like? This one in particular (Threatmetrix) does localhost. Some other SaaS for this space extracts the CIDR from WebRTC and then sweeps the /24. TMX will also repeatedly make hundreds of http requests for timing purposes. Forter (another SaaS) will try tons of cloudfront.net random hostnames all hosting the same script when their scripts are blocked by adblock on the primary domain. isaboo posted:I have webrtc disabled in Firefox - is there anything else I can do to prevent all this poo poo? Are there any FF extensions available that would help? about :config -> resistFingerprinting Not really, because the companies you buy from will send all your data to those companies too, and if you block their script you get banned or blacklisted.
|
# ? Sep 20, 2021 19:53 |
|
isaboo posted:I have webrtc disabled in Firefox - is there anything else I can do to prevent all this poo poo? Are there any FF extensions available that would help? Brave does a bunch of this stuff by default, but I think as I've demonstrated already, I'm not super knowledgeable in this area. BlankSystemDaemon posted:If you're curious about browser fingerprinting, and all the kinds of ways that it gets accomplished, which haven't been mentioned yet - I would recommend fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors by U. Iqbal et al, published in IEEE but available in its pre-print form on arXiv along with its references. Awesome, thanks! I am curious. I've read through the EFF materials on fingerprinting, but they're not particularly detailed, though they may be a good overview.
|
# ? Sep 20, 2021 19:53 |
|
Brave isn’t really a good browser choice.
|
# ? Sep 20, 2021 20:02 |
|
The Fool posted:Brave isn’t really a good browser choice. Do you mind elaborating? I mainly like its compatibility with Chrome extensions and apparent commitment to privacy, though the crypto stuff is weird and bound to fail as a revenue source.
|
# ? Sep 20, 2021 20:28 |
|
BrianRx posted:Do you mind elaborating? I mainly like its compatibility with Chrome extensions and apparent commitment to privacy, though the crypto stuff is weird and bound to fail as a revenue source. If used for work, its like a self reporting beacon that you are up to shady poo poo IMO.
|
# ? Sep 20, 2021 20:38 |
|
Biowarfare posted:Not really, because the companies you buy from will send all your data to those companies too, and if you block their script you get banned or blacklisted. I keep a chrome profile that's completely stock and set to bypass my VPN. That one gets used for anything that I don't want to raise any of those flags, which boils down to anything to do with money: online purchases, banking and bill payments, that sort of thing. Keep it simple and obvious, without the server on the other end seeing any browser poo poo that they might decide looks potentially shady. If I need to poke around on the website to figure out what I'm going to buy, I'll generally do that on my normal Firefox profile that's on a VPN and full of anti-tracking poo poo, and then I copy/paste the links to my final choices over to the chrome instance where I log in and make the actual purchase. I'm sure they could correlate all of this activity and figure out what I'm doing, but I really doubt they'd care enough to do so. And even if they do, it's not the end of the world, I'm just being a curmudgeon and trying to minimize the tracking and profiling data they casually slurp up.
|
# ? Sep 20, 2021 20:40 |
|
BrianRx posted:Do you mind elaborating? I mainly like its compatibility with Chrome extensions and apparent commitment to privacy, though the crypto stuff is weird and bound to fail as a revenue source. It’s mostly around their shady attempts at generating revenue. The crypto thing, the not passing on donations things, the “safe” ad insertion thing. Iirc, there’s something about the founder pre-brave but I don’t remember what it was E: oh yeah, he was forced out of Mozilla for being a homophobic chud The Fool fucked around with this message at 21:13 on Sep 20, 2021 |
# ? Sep 20, 2021 21:09 |
|
Powered Descent posted:I keep a chrome profile that's completely stock and set to bypass my VPN. That one gets used for anything that I don't want to raise any of those flags, which boils down to anything to do with money: online purchases, banking and bill payments, that sort of thing. Keep it simple and obvious, without the server on the other end seeing any browser poo poo that they might decide looks potentially shady. Think about how horrifically hosed up the whole thing is that you need to do all this.
|
# ? Sep 20, 2021 21:25 |
|
Sickening posted:If used for work, its like a self reporting beacon that you are up to shady poo poo IMO. Hmm, I think that may be a conclusion that can be drawn, but the same could be said about using a VPN. It's kind of the "you have nothing to fear from surveillance if you have nothing to hide" train of thought. Brave also obscures the user agent, as some other browsers/extensions do, so it would be difficult to definitively prove it was being used without admin access to your machine (which I realize your employer may have). The Fool posted:It’s mostly around their shady attempts at generating revenue. Yeah, I was aware of the monetization issues but hadn't heard anything damning yet, but that last bit is concerning. Every time I find something I like, sex perverts or racists are involved . Are there other browsers that are privacy-friendly out of the box? Really, all I need is my password manager to integrate in some way.
|
# ? Sep 20, 2021 21:32 |
|
BrianRx posted:Hmm, I think that may be a conclusion that can be drawn, but the same could be said about using a VPN. It's kind of the "you have nothing to fear from surveillance if you have nothing to hide" train of thought. Brave also obscures the user agent, as some other browsers/extensions do, so it would be difficult to definitively prove it was being used without admin access to your machine (which I realize your employer may have). I'll be the first one to defend VPNs and browser privacy add-ons and such, but the fact remains that a lot of places DO see them as shady. I started keeping that completely stock chrome profile a few years ago after I did a Paypal transfer via my normal Mullvad VPN connection, and it immediately lit up Paypal's fraud-seeking algorithms and I had to reassure them on a phone call that yes, that transaction was actually me.
|
# ? Sep 20, 2021 21:47 |
|
So my company is looking at ForgeRock for IAM solution combined with CyberArk, anybody have any experience with ForgeRock?
|
# ? Sep 20, 2021 22:05 |
I use Mullvad and will usually sign on to all of my accounts through it and a hardened browser but haven't had my account locked or anything more than needing to verify my email or 2fa. Otherwise I pretty much run the same thing with hardened Firefox and a clean slate Librewolf or Chromium.
|
|
# ? Sep 20, 2021 22:15 |
|
BrianRx posted:Are there other browsers that are privacy-friendly out of the box? Really, all I need is my password manager to integrate in some way. Vivaldi is similar to Brave in being a chromium fork with all the google tracking stripped and a anti-data-collection stance. But that's just like, they don't collect data themselves. It's not heavily hardened against tracking and fingerprinting, any more than firefox. But Brave doesn't disable WebRTC out of the box either. Brave is not really anything super special for privacy, in terms of anti-tracking on the websites you visit. Features like WebRTC are actually useful -- if you disable it, you can't make voice & video calls on Discord. They're not gonna disable a thing that millions of people use. It you want full privacy hardening you probably need to have 2 browsers.
|
# ? Sep 20, 2021 22:42 |
|
From a privacy point of view I can recommend Ungoogled Chromium. https://github.com/Eloston/ungoogled-chromium#downloads It does not support the Chrome Webstore, but add-ons can be installed and updated via the CRX downloader or the Chromium web-store. Due to the slightly delayed integration of security updates, its use as a standard browser can be debatable, tho.
|
# ? Sep 20, 2021 23:01 |
|
I used to use Iridium for a while but now I just use Firefox.
|
# ? Sep 21, 2021 00:43 |
|
BrianRx posted:Hmm, I think that may be a conclusion that can be drawn, but the same could be said about using a VPN. It's kind of the "you have nothing to fear from surveillance if you have nothing to hide" train of thought. Sickening was specifically talked about for work. And in that sort of environment, any sort of oddity is hopefully going to be looked into.
|
# ? Sep 21, 2021 00:53 |
|
BrianRx posted:Hmm, I think that may be a conclusion that can be drawn, but the same could be said about using a VPN. It's kind of the "you have nothing to fear from surveillance if you have nothing to hide" train of thought. Brave also obscures the user agent, as some other browsers/extensions do, so it would be difficult to definitively prove it was being used without admin access to your machine (which I realize your employer may have). I wish we had stronger laws to protect us from the bullshit. I totally understand people wanting to be private when its reasonable to. Saying all that, I haven't met a brave browser user in any org that wasn't up to some nonsense after just a little digging. Quite a few apps just shoot a flare into the air, like having the tor browser, etc. I would maybe care less if it wasn't shooting 100%.
|
# ? Sep 21, 2021 00:54 |
|
Sickening posted:I wish we had stronger laws to protect us from the bullshit. I totally understand people wanting to be private when its reasonable to. Saying all that, I haven't met a brave browser user in any org that wasn't up to some nonsense after just a little digging. Quite a few apps just shoot a flare into the air, like having the tor browser, etc. Yea, if you really care about your privacy and want to install a bunch of anonymizing poo poo on your computer, please keep it on your own computer and network. Because I'd rather not have to be the one doing a forensic analysis and threat hunting on the company computer/network to make sure a cryptominer isn't installed somewhere or company secrets didn't get exfiltrated.
|
# ? Sep 21, 2021 01:22 |
|
Defenestrategy posted:Yea, if you really care about your privacy and want to install a bunch of anonymizing poo poo on your computer, please keep it on your own computer and network. Because I'd rather not have to be the one doing a forensic analysis and threat hunting on the company computer/network to make sure a cryptominer isn't installed somewhere or company secrets didn't get exfiltrated. I don't trust Brave the biggest reason being that it doesn't even visit the URL you give it. Last year they were caught hard-redirecting cryptocurrency based links to their own affiliate links, so if you manually typed in a full URL _it would not go to that URL_. Direct visit, no autocomplete or dropdowns. The bare minimum I would expect is if I am typing a full link into the address bar, not using autocomplete or search result, not clicking any native browser UI for sponsorship, it would go to that link, but no.
|
# ? Sep 21, 2021 01:32 |
|
Sickening posted:I wish we had stronger laws to protect us from the bullshit. I totally understand people wanting to be private when its reasonable to. Saying all that, I haven't met a brave browser user in any org that wasn't up to some nonsense after just a little digging. Quite a few apps just shoot a flare into the air, like having the tor browser, etc. Well, there's a reason you don't do personal stuff on work machines. I usually have my personal machine nearby for when I'm not busy.
|
# ? Sep 21, 2021 02:01 |
|
CommieGIR posted:Well, there's a reason you don't do personal stuff on work machines. I usually have my personal machine nearby for when I'm not busy. rdp with clipboard sharing disabled works well enough
|
# ? Sep 21, 2021 03:27 |
|
RFC2324 posted:rdp with clipboard sharing disabled works well enough True. Either way, your work laptop should be a fairly sterile setup, never trust your employer or their security practices not being deep in your browsing history or computer/app habits
|
# ? Sep 21, 2021 03:30 |
|
CommieGIR posted:True. Either way, your work laptop should be a fairly sterile setup, never trust your employer or their security practices not being deep in your browsing history or computer/app habits I currently waiting for our security team to remember that they told everyone to panic format our macs when the solarwinds thing happened so we have absolutely no mdm
|
# ? Sep 21, 2021 03:39 |
|
Defenestrategy posted:Yea, if you really care about your privacy and want to install a bunch of anonymizing poo poo on your computer, please keep it on your own computer and network. Because I'd rather not have to be the one doing a forensic analysis and threat hunting on the company computer/network to make sure a cryptominer isn't installed somewhere or company secrets didn't get exfiltrated. Interesting, I didn't realize it was something you'd come across in an enterprise environment. Why do those users have local admin? I absolutely see the point you and others are making, though, and I wouldn't expect privacy on an employer's equipment. Who are these people who can't wait to get home to jerk it or buy drugs or whatever? Klyith posted:Vivaldi is similar to Brave in being a chromium fork with all the google tracking stripped and a anti-data-collection stance. But that's just like, they don't collect data themselves. It's not heavily hardened against tracking and fingerprinting, any more than firefox. I'll give Vivaldi a shot for a few days, thanks. ephex posted:From a privacy point of view I can recommend Ungoogled Chromium. Bummer about the delayed updates because this sounds like what I'm looking for. Thanks for the recommendation, I'll give it a look anyway.
|
# ? Sep 21, 2021 03:44 |
|
BrianRx posted:Interesting, I didn't realize it was something you'd come across in an enterprise environment. Why do those users have local admin? I absolutely see the point you and others are making, though, and I wouldn't expect privacy on an employer's equipment. Who are these people who can't wait to get home to jerk it or buy drugs or whatever?
|
# ? Sep 21, 2021 03:45 |
|
Biowarfare posted:Chrome (?) + Brave installs into and runs %appdata% and doesn't need admin That's why the computers in my university use Applocker to block them. You can't run any .exes outside "Program Files" or some other allowed directories. I've always had local admin access and getting Spotify to work was far from trivial.
|
# ? Sep 21, 2021 04:13 |
|
BrianRx posted:Interesting, I didn't realize it was something you'd come across in an enterprise environment. Why do those users have local admin? I absolutely see the point you and others are making, though, and I wouldn't expect privacy on an employer's equipment. Who are these people who can't wait to get home to jerk it or buy drugs or whatever? Happens in smaller shops where device management isn't implemented so everyone is local admin, because it's easier to have people sign an AUP and hand them a laptop and say have at it. As far as who is doing that stuff? I dunno man, users do stupid poo poo sometimes.
|
# ? Sep 21, 2021 04:39 |
|
CommieGIR posted:So my company is looking at ForgeRock for IAM solution combined with CyberArk, anybody have any experience with ForgeRock? Only as a downstream system owner (Salesforce). It seems fine, though I haven't seen anything from my perspective that makes me go, "Ooh! Use that instead of Azure Active Directory." I don't know what my client is paying, though, so it may be less expensive than AAD. The default options seem to exclude things like UTF-8 characters in user's first name and last name fields, which can cause inaccuracies with any name that isn't very traditional English, and the implementation I saw had userid = email, which is a Very Bad Data Model imo. All that said, I'm not an expert on IAM systems so I'd weight others' opinions more heavily than mine.
|
# ? Sep 21, 2021 04:41 |
|
Brave browser used to have a far-right wiki as one of its default search engines alongside Google and Bing Eichmann added it himself, and didn't pull it until called out
|
# ? Sep 21, 2021 07:17 |
|
text editor posted:Eichmann Nice freudian slip there
|
# ? Sep 21, 2021 07:31 |
|
|
# ? May 17, 2024 07:46 |
|
brave blocking websites' ads and then trying to extort the owners with their own ad solution was fun too
|
# ? Sep 21, 2021 09:28 |