
All times are UTC




PostPosted: Mon Jun 08, 2015 10:48 am

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10938
Location: England
We had an off-topic excursion over on this thread concerning web-site valuations, advertising, the tracking of our activity on the web, and related matters.

This is an off-topic followup - some of the points made over there were rather mistaken, but it's a fact of modern life that our activities are tracked and correlated. If you care about that and intend to avoid being tracked, you'll need to take relatively drastic action. Merely switching your search-engine provider won't be enough - as is evidenced by
Quote:
But yes, the surveillance is ridiculous. I get the ads on fb for things I was just looking at or just bought. I always click the thing to tell them I don't want to see this ad.


Tracking web behaviour is big business - see this article.

Personally I block almost all advertising using a hosts file which serves all the machines in my home network. If you use an adblocking addon to your browser, be aware that it might merely suppress the display of adverts - if they are still fetched, as they usually are, then you will still be tracked across almost all sites which have adverts or tracking.

I don't bother to avoid cookies, but you'd need to do that too, as well as blocking flash. Every page with a "like" button is calling home to Facebook to correlate your activity, and that applies also to those without a Facebook account. Similarly every page carrying Google's +1 button or Google's textual adverts.

If you don't take dramatic and purposeful action then your IP address is inevitably known to every website you visit and every provider of embedded content on that website. It is not the only identifier that's used to correlate activity, but it is one of many. Bear in mind that commerce doesn't care who you are, as such, but they care about what you're likely to buy. They want to categorise you, and the finer the categorisation the better.

There are those who say that they would prefer to see relevant ads, compared to irrelevant ones, and they might have a point. Personally I prefer no ads, although I understand that's a challenge to the funding model of some websites. We've seen that a funding drive from readers can be a practical alternative.

Finally, all the search engines at least will crawl the web - as much of it and as often as they can. That's why you see bingbot and googlebot as sometime visitors on a forum like this - they are updating their indexes by reading the forums. Nothing particularly sinister about that. Making the forum private to subscribers or unindexed by search engines would surely be a net loss.


PostPosted: Mon Jun 08, 2015 10:57 am

Joined: Sun Apr 10, 2011 8:29 am
Posts: 597
Location: Norway/Japan
Thanks Ed,

I didn't want to reply in the thread as it had already gone too much off-topic. So I'm adding one here instead.

ChuckT wrote:
[..]When you send a message out through the internet, it gets stamped with a number from your hard drive and I don't know if there are unique numbers from your computer but you are being tracked.
This part from the post is not correct, there is no hard drive number, and even Microsoft wouldn't be able to add something like that to general internet traffic - there's no IP or TCP or UDP header field that could be used for it (which isn't already occupied). A 'message through the internet' is a bit too vague though - there's a vast number of application-specific protocol overlays there. But in any case, the only 'computer identifier' in use is the common HTTP/HTTPS cookie - which doesn't originate on your computer but is sent to you.

The rest of the post (which I don't quote above) is, unfortunately, generally correct, except that how mobile phones are registered and with what information varies between countries.

-Tor


Last edited by Tor on Mon Jun 08, 2015 12:01 pm, edited 1 time in total.

PostPosted: Mon Jun 08, 2015 11:46 am

Joined: Wed May 20, 2009 1:06 pm
Posts: 491
We use Ad Block Plus to get rid of ads and we don't see popups which could contain malware so our computer is less likely to get infected because we aren't clicking on things or letting the computer see things which could insert malware into the computer.

A lot of sites have scripting and advertising that I had to use Adblock Plus.


PostPosted: Mon Jun 08, 2015 12:21 pm

Joined: Wed May 20, 2009 1:06 pm
Posts: 491
Tor wrote:
Thanks Ed,

I didn't want to reply in the thread as it had already gone too much off-topic. So I'm adding one here instead.

ChuckT wrote:
[..]When you send a message out through the internet, it gets stamped with a number from your hard drive and I don't know if there are unique numbers from your computer but you are being tracked.
This part from the post is not correct, there is no hard drive number, and even Microsoft wouldn't be able to add something like that to general internet traffic - there's no IP or TCP or UDP header field that could be used for it (which isn't already occupied). A 'message through the internet' is a bit too vague though - there's a vast number of application-specific protocol overlays there. But in any case, the only 'computer identifier' in use is the common HTTP/HTTPS cookie - which doesn't originate on your computer but is sent to you.

The rest of the post (which I don't quote above) is, unfortunately, generally correct, except that how mobile phones are registered and with what information varies between countries.

-Tor


My coworkers read it in the newspaper and one of them is a programmer.


PostPosted: Mon Jun 08, 2015 3:39 pm

Joined: Sun Apr 10, 2011 8:29 am
Posts: 597
Location: Norway/Japan
Well, yes, I am a programmer too.. and I could write a network stack from scratch if I really really needed to. The hard disk number tagging of IP traffic is just an urban myth. But unfortunately there are tons of other ingenious ways to track people, and you listed some of them. There are more. Ghostery, Ad block, Privoxy proxy, anonymous browser window, all these tools and extensions fortunately do help though.

-Tor


PostPosted: Mon Jun 08, 2015 3:41 pm

Joined: Sun Jun 30, 2013 10:26 pm
Posts: 1948
Location: Sacramento, CA, USA
I have decided that the effort required to prevent the sharing of my browsing habits is not worth the waste of my valuable free time. I'm not a terrorist or drug smuggler or pedophile, and I limit my financial exposure to a single cash-reloadable VISA, which never has more than about US$100 loaded at a time. The risk of losing control of some embarrassing e-mails and/or $100 isn't so bad, in my estimation, but that's just my personal opinion. My Spam folder seems to be enjoying a lot of recent activity, but I find that to be only a minor annoyance.

The habit that I need to break is the sharing of passwords among several of my accounts, and that's on my to-do list.

Mike B.


PostPosted: Mon Jun 08, 2015 6:46 pm

Joined: Sun Oct 13, 2013 2:58 pm
Posts: 491
Location: Switzerland
Have a look at Master Password!

Cheers

Peter


PostPosted: Mon Jun 08, 2015 6:46 pm

Joined: Wed May 20, 2009 1:06 pm
Posts: 491
Tor,

Or not documented.

Chuck


PostPosted: Mon Jun 08, 2015 11:55 pm

Joined: Tue Jul 24, 2012 2:27 am
Posts: 674
One of the best ideas I've seen is Self-Destructing Cookies. It lets a page set any cookies it wants, then deletes them all when you close the tab. No need to white-list cookies to make sites work, unless you want it to remember things across sessions. Things within a tab can be tracked (unless you blacklist them in the browser itself), but nothing persists. It's sort of like a per-tab private browsing session.

I also manually blacklist google.com cookies and some others, so they don't even get a foothold, but I think it's a pretty nifty idea, and a whole lot easier than my prior (but a bit better) solution of blocking all cookies + manual whitelisting. It "just works".

Here's my current Firefox from-scratch config notes, which I keep updated:
Code:
Firefox config (locked down):
 Preferences
  open previous tabs on startup
  home page to about:blank
  select startpage search engine
 about:config
  privacy.trackingprotection.enabled -> true
  beacon.enabled -> false
 https://www.eff.org/https-everywhere
 https://adblockplus.org/
  configure & enable everything
 https://addons.mozilla.org/en-us/firefox/addon/ghostery/
  go through wizard to config
 https://addons.mozilla.org/en-US/firefox/addon/noscript/
 https://addons.mozilla.org/en-us/firefox/addon/self-destructing-cookies/
 https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
  after i2p is installed
  127.0.0.1:4444
  *.i2p/* whitelist



Also, the hard drive ID should only be visible through a malicious native-code plugin that the user has installed. I'm sure that has occurred at some point in time, but it certainly is not something that can happen by default.

_________________
WFDis Interactive 6502 Disassembler
AcheronVM: A Reconfigurable 16-bit Virtual CPU for the 6502 Microprocessor


PostPosted: Tue Jun 09, 2015 8:55 am

Joined: Sun Apr 10, 2011 8:29 am
Posts: 597
Location: Norway/Japan
ChuckT wrote:
Tor,

Or not documented.

Chuck

Please, Chuck.. the internet protocols are all in the open, there's nothing secret hidden anywhere there. If you work with low-level networking programming you soon get to know the data formats intimately. There's nothing complicated there.

As for harddisks, they *do* sometimes have a serial number and for a privileged process it's possible to access the firmware and read it. I can read the serial number of my Western Digital 4TB disk if I log in as root. My browser or any other application I run as myself (a non-privileged, normal user account) cannot. The network layer, running in the kernel, could in principle do that, but a) on Linux I would actually know about it - I used to read *all* the kernel source code through several iterations of the Linux network implementations, from the very beginning of Linux, and b) even on Windows, where I don't have that access, I do know about the internet protocols and the network headers that *have* to be used and there's no place there to secretly add some serial number from the harddisk. And you can just use 'tcpdump' or other tools (as I've done a lot) to dump every IP packet going out of your computer.. you can see for yourself what's in there.

But obviously it's perfectly possible for e.g. Windows Update to read a serial number from a harddisk, and forward it as part of its *own* top-level protocol. And presumably it's something like that (although it's more likely to be the disk label created when the disk was formatted, not the serial number) which is used to enforce Windows licensing. But for general tracking of internet activity? No. Doesn't work.

The fact is that there are other, much better ways of tracking you, and you listed some of them yourself. Cookies and cross-site JS scripting are the most obvious and efficient ones.

@Mike B:
The reason I still to some extent block stuff (it's difficult to enforce that on Android, but easier on a PC) is not because I've got something to hide, but because I'm getting extremely tired of the directed advertising and the continuous narrowing of my G* search results, clearly due to previous activity. And Amazon.. don't get me started but boy they are annoying. Happen to end up on an Amazon page after some googling (or by any other means), just visiting *any* page of theirs, and they start spamming you with emails about 'as you've shown interest in..' ads. Just because there's a cookie stored somewhere and you didn't remember to open that link through an anonymous tab or window.

@White Flame:
Thanks for the link to the self-destructing cookies extension! If it's flexible enough (I do need to keep some cookies) then that'll be a good addition to my current arsenal.

-Tor
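
The header layout discussed in the post above, as an added example that is not part of the original thread: Python that splits a raw IPv4/TCP packet into its named header fields, its length-declared options and its payload, so anything beyond the defined fields has to show up in the options or in the application data (which is where a cookie travels). The sample packet, its addresses, ports and cookie value are constructed, and its checksums are left at zero.

```python
import socket
import struct

IPV4_FIXED = "!BBHHHBBH4s4s"  # 20 bytes; each bit is a field defined by RFC 791
TCP_FIXED = "!HHIIHHHH"       # 20 bytes; likewise a fully defined layout for TCP

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Split a raw IPv4/TCP packet into named fields, options and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     ip_csum, src, dst) = struct.unpack(IPV4_FIXED, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IPv4 header length, including any options
    if ver_ihl >> 4 != 4 or proto != 6 or not 20 <= ihl <= total_len <= len(pkt):
        raise ValueError("not a well-formed IPv4/TCP packet")
    seg = pkt[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     tcp_csum, urgent) = struct.unpack(TCP_FIXED, seg[:20])
    doff = (off_flags >> 12) * 4  # TCP header length, including any options
    if not 20 <= doff <= len(seg):
        raise ValueError("bad TCP data offset")
    return {
        "ip": {"tos": tos, "id": ident, "flags_frag": flags_frag, "ttl": ttl,
               "checksum": ip_csum, "src": socket.inet_ntoa(src),
               "dst": socket.inet_ntoa(dst)},
        "ip_options": pkt[20:ihl],      # empty unless IHL > 5
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "reserved": (off_flags >> 8) & 0x0F, "flags": off_flags & 0xFF,
                "window": window, "checksum": tcp_csum, "urgent": urgent},
        "tcp_options": seg[20:doff],    # kind/length encoded, visible in any dump
        "payload": seg[doff:],          # application protocol, e.g. HTTP
    }

def build_sample() -> bytes:
    """Constructed packet (checksums left at 0): an HTTP request with a cookie."""
    payload = b"GET / HTTP/1.1\r\nHost: example.org\r\nCookie: id=constructed\r\n\r\n"
    opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000)  # NOP NOP Timestamp
    tcp = struct.pack(TCP_FIXED, 49152, 80, 1, 1, (8 << 12) | 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(opts) + len(payload)
    ip = struct.pack(IPV4_FIXED, 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    return ip + tcp + opts + payload

if __name__ == "__main__":
    for name, value in parse_ipv4_tcp(build_sample()).items():
        print(name, value)
```
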


PostPosted: Tue Jun 09, 2015 12:16 pm

Joined: Mon Jan 07, 2013 2:42 pm
Posts: 576
Location: Just outside Berlin, Germany
I've switched to Ghostery for blocking -- if nothing else, web pages load dramatically faster on my Chromebook. One difference to AdBlock is that it shows you a count of how many trackers it has blocked, which is something of an eye-opener. For the "Economist", for instance, I currently see a count of 18 (that's eighteen) tracking, spying, measuring, "click-me" items that are being blocked. Those are the ones that Ghostery knows of at the moment, of course.

One thing I don't understand about targeted ads is that they seem to be total crap. We bought a freezer, because best deal was online, and then after that I've been seeing ads for, tada, freezers. Except we already have one now, and we really don't need two, duh. The only thing I have found useful is the "other people who bought this also liked" version of data mining, say in iTunes.

Otherwise - from what I have read from the experts, the short of it is that there is no security online for anyone anymore, period. If you have something that the bad guys (whatever your definition of them is) are not supposed to copy, delete, falsify, encrypt for ransom, put it on an air-gapped computer that never, ever connects to the net.


PostPosted: Tue Jun 09, 2015 1:19 pm

Joined: Thu Mar 03, 2011 5:56 pm
Posts: 284
scotws wrote:
I've switched to Ghostery for blocking -- if nothing else, web pages load dramatically faster on my Chromebook. One difference to AdBlock is that it shows you a count of how many trackers it has blocked, which is something of an eye-opener. For the "Economist", for instance, I currently see a count of 18 (that's eighteen) tracking, spying, measuring, "click-me" items that are being blocked. Those are the ones that Ghostery knows of at the moment, of course.

One thing I don't understand about targeted ads is that they seem to be total crap. We bought a freezer, because best deal was online, and then after that I've been seeing ads for, tada, freezers. Except we already have one now, and we really don't need two, duh. The only thing I have found useful is the "other people who bought this also liked" version of data mining, say in iTunes.

Otherwise - from what I have read from the experts, the short of it is that there is no security online for anyone anymore, period. If you have something that the bad guys (whatever your definition of them is) are not supposed to copy, delete, falsify, encrypt for ransom, put it on an air-gapped computer that never, ever connects to the net.


Thanks for the suggestion for Ghostery; I normally use AdBlock, but Ghostery looks like a leaner alternative.


PostPosted: Tue Jun 09, 2015 3:10 pm

Joined: Wed May 20, 2009 1:06 pm
Posts: 491
Tor wrote:
ChuckT wrote:
Tor,

Or not documented.

Chuck

Please, Chuck.. the internet protocols are all in the open, there's nothing secret hidden anywhere there. If you work with low-level networking programming you soon get to know the data formats intimately. There's nothing complicated there.


Some things are not documented. Some users on another forum say this isn't possible because they've read the specs:

http://www.techrepublic.com/article/cyb ... -bulletin/

Some things are not understood.

I'm not going to say anymore.


PostPosted: Tue Jun 09, 2015 4:02 pm

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10938
Location: England
Thanks Chuck, that's an interesting read. It doesn't quite equate to what I thought you were saying originally, and it's not strictly to do with tracking.
Cheers
Ed


PostPosted: Tue Jun 09, 2015 5:01 pm

Joined: Wed May 20, 2009 1:06 pm
Posts: 491
It is just the tip of the iceberg, Ed.

http://www.wired.com/2014/07/usb-security/

http://www.reuters.com/article/2014/07/ ... K420140731

I saw a .pdf on how it works but so much has been written on it that there are now thousands of articles to search through.

