HackerTrans
TopNewTrendsCommentsPastAskShowJobs

un-nf

no profile record

Submissions

[untitled]

1 points·by un-nf·16 dagen geleden·0 comments

[untitled]

1 points·by un-nf·2 maanden geleden·0 comments

[untitled]

1 points·by un-nf·2 maanden geleden·0 comments

[untitled]

1 points·by un-nf·2 maanden geleden·0 comments

LinkedIn is scanning browser extensions

404privacy.com
435 points·by un-nf·2 maanden geleden·219 comments

Show HN: 404 – a localhost proxy that substitutes your device fingerprint

404privacy.com
4 points·by un-nf·3 maanden geleden·4 comments

Show HN: I built 404 a network solution to client fingerprinting at the endpoint

github.com
1 points·by un-nf·8 maanden geleden·1 comments

Show HN: Privacy Experiment – Rewriting HTTPS, TLS, and TCP/IP Packet Headers

2 points·by un-nf·8 maanden geleden·1 comments

comments

un-nf
·16 dagen geleden·discuss
Companies like Flock that started out with just ALPRs are expanding to collect SIGINT data harvested by Bluetooth sensors at traffic lights.

This technology allows ALPRs to collect information the devices inside your car (what phone, fitness tracker, headphones, etc.). So now, the enforcement agencies using this tech will be able to tell exactly who is in the car based on unique device combinations.

While there are already cases of this data being abused by ex-partners and stalkers, we are overlook the abuse that can be done by this growing surveillance apparatus. What about the harm that can be done to journalists, activists, immigrants, or protestors when their movements are logged and reported to enforcement agencies?

Companies like Palantir already provide governments with information on our online activities, search history, sites visited, stuff like that, so the expansion of this monitoring just makes me feel uneasy.
un-nf
·2 maanden geleden·discuss
Not only are they ignoring these opt-out signals, they're certifying CMPs that have useless opt-out banners and continue to set cookies after the banner is clicked.
un-nf
·2 maanden geleden·discuss
Students often ask me why privacy matters if they have nothing to hide. The short answer is that surveillance changes behavior before the question of guilt ever comes up.

The Stoycheff research on NSA surveillance and search self-censorship and even the prison experiment are concrete examples of this.

(I meant to put a comment on my last post with this link. If you're moderating, please delete the other one)
un-nf
·2 maanden geleden·discuss
Aurornis, I appreciate your comment and want to step in to defend myself.

The LLM writing style is simply not true. I am a high-school English teacher and if my students caught me using AI to do my writing, they'd rip me to pieces.

I included the GH link as a source of proof. While I did read the browsergate piece and ended up publishing my article as a result of, I noticed this was happening months ago because I am a developer myself and saw this very strange behavior in the LinkedIn dev console. The nature of my work is that I spend many hours sometimes staring at the dev tools to debug my JS injection, CSP rewriting, and header modification that 404 does.

Is 404 a tool to stop this? Yes. But that's the point. The reason why this type of thing is allowed to happen, browser fingerprinting, is because the public is unaware of it, so trying to educate the public is a part of my outreach. There are almost no tools on the market that allow for browser fingerprinting protection. Mullvad and Tor are close options, but they're often met with their own levels of scrutiny just for using their tools. For example, my school blocks the Tor network from being accessed altogether. Some websites can block the Tor fingerprint.

The original source is more technical, of course, but I was also in communication with the Browsergate team and continue to be so this is not a one-off journalist just trying to peddle his project. This has been my life for the last 2 years and I don't appreciate you discounting the work that privacy advocates do by splitting hairs and mincing my words.

While it may not be things I would think to install, maybe they're not extensions someone with certain affiliations would think to install.
un-nf
·2 maanden geleden·discuss
I agree, and this is why I built 404. If you poke around the page a bit, you'll see a tool that prevents browser fingerprinting.

404 catches JS calls in JS proxies and returns mocked-up values (assigned by a profile), it also has protections against TLS fingerprinting, canvas fingerprinting, device enumeration, TCP/IP fingerprinting, HTTP header fingerprinting, and more.

The predatory practices that browser fingerprinting have enabled guised behind "fraud protection" are atrocious. Even with a VPN, even in incognito mode, a website can track me and see what I've been doing EVEN IF ITS NOT ON THEIR SITE.

Then a data broker buys all this data and uses an AI model to put it all into a pretty little package and sell it to Google, or the gov't, or something. It's scary.
un-nf
·2 maanden geleden·discuss
I did do my own independent audit, though. Sorry, I just checked back today and was not expecting this to get the traction it did.
un-nf
·2 maanden geleden·discuss
If that were the case, the list wouldn't have extensions that relate to a users religion, income, demographics, and more.
un-nf
·2 maanden geleden·discuss
This is unfortunately common practice on the internet.

Browser fingerprinting is the new norm. LinkedIn just didn't disclose it in their privacy policy. They do mention canvas fingerprinting and collecting other signals, but not specifically this extension enumeration stuff.

But fingerprinting is used to track people even without cookies. Take a look at this for some further reading: https://404privacy.com/blog/browser-fingerprinting-is-the-ad...
un-nf
·2 maanden geleden·discuss
Yeah, the source I used is browsergate.eu. I do a lot of developing in the dev tools (browser fingerprinting protection tool on the same site) and so I was looking at the dev tools for linked in and saw the extension enumeration a few weeks ago. I didn't realize that's what was going on, but there was a repository from a few years ago that started tracking this. There's a HN link somewhere... nefariouslinkedin I think it was called.

Then, I saw the browsergate story drop on mastodon and thought "no way," lo-and-behold, there's a lawsuit in the works for it.

I found the audit to be a bit dense and hard to read, this is a response to that. I
un-nf
·2 maanden geleden·discuss
[flagged]
un-nf
·3 maanden geleden·discuss
Hey! Would love to compare notes.

Feel free to reach out [email protected].

I truly believe there is a way to fight bot traffic without sacrificing user privacy.
un-nf
·3 maanden geleden·discuss
Yes! Sorry for the late reply. Here are a few:

LinkedIn: https://404privacy.com/blog/linkedin-is-scanning-your-browse...

Generally:

https://404privacy.com/blog/browser-fingerprinting-is-the-ad...

https://www.heraldnews.com/press-release/story/128007/calibe...

https://transcenddigital.com/blog/fingerprinting-marketing-t...

Google:

https://www.bbc.com/news/articles/cm21g0052dno
un-nf
·8 maanden geleden·discuss
This is made to fight client-fingerprinting. This is not a browser extension, but a network app that aims to give you full control over your fingerprint.

Included:

- localhost mitmproxy addons - for JS injection and HTTPS header rewriting.

- JavaScript - Comprehensive JS proxies and property overrides. Fights font enumeration, navigator fingerprinting, webRTC leaks, and much much much more. Take a look to find out, or ask a question!

- Kernel level packet spoofing - eBPF program attached at traffic control hook allows for low-level packet header modification.
un-nf
·8 maanden geleden·discuss
What fingerprinting vectors am I missing? Are there tools that I'm overlooking? What are some next steps - places the architecture is lacking?