<v0idifyy>
well, not using tor would probably exposed them even more :) but yes\
<v0idifyy>
(btw, mac address randomizing is becoming the default in that specific case)
<V>
that's an argument for not manually randomising your mac address
<V>
better leave it to the system, or else you're exposing yourself to analysis of the randomisation method
<V>
are you randomising across all mac addresses? all addresses by a specific vendor? etc
ehmry has joined #spectrum
<V>
and... I disagree about not using tor exposing them more. they'd probably be screwed either way, but here it acted as a fingerprint
<V>
maybe don't make bomb threats :)
<v0idifyy>
well, it would probably have exposed them to the same degree; they could've checked who connected to guerrila mail
<v0idifyy>
ofc don't make bomb threats
<v0idifyy>
but there are legitimate reasons for doing something similar
<v0idifyy>
i'm curious of what could have been to _not_ get caught in that situation, not because i want to make a bomb threat...
<v0idifyy>
it seems that if he didn't admit he could've been fine (plausible deniability)
<v0idifyy>
then again... off topic.
stigo has quit [Ping timeout: 246 seconds]
ashkitten has quit [Quit: WeeChat 3.0]
stigo has joined #spectrum
ashkitten has joined #spectrum
<hyperfekt>
there's nothing you can principally do against an anonymity set that is too small. the answer is either to increase the size of the set or to remove yourself from observation.
cole-h has quit [Ping timeout: 265 seconds]
nicoo has quit [Remote host closed the connection]
nicoo has joined #spectrum
<sterni>
v0idifyy: well probably using harvard's network was the problem
<sterni>
v0idifyy: they seem to have had quite the surveillance operation going on if they could figure out who was using tor at a specific point in time after the fact
<IdleBot_561ed31e>
I guess with a lot of commercial tracking trackable randomisation that requires the tracker to spend more per user might still be a public good from cost-benefit perspective?
<puck>
sterni: tor entry guards are well-known, so if you just store "this IP connected to these IP/ports", that's more than enough, and you probably want to keep that for abuse detection either way
<sterni>
checks out yeahu
hooway has joined #spectrum
pastbytes has quit [Quit: Leaving]
hooway has quit [Quit: Gone fishing.]
aranea is now known as mewra
lukegb is now known as lukeg
cole-h has joined #spectrum
cole-h has quit [Quit: Goodbye]
cole-h has joined #spectrum
cole-h has quit [Client Quit]
cole-h has joined #spectrum
cole-h has quit [Quit: Goodbye]
cole-h has joined #spectrum
cole-h has quit [Quit: Goodbye]
cole-h has joined #spectrum
cole-h has quit [Client Quit]
cole-h has joined #spectrum
cole-h has quit [Client Quit]
cole-h has joined #spectrum
cole-h has quit [Quit: Goodbye]
cole-h has joined #spectrum
<qyliss>
I expect Spectrum itself to be able to provide very little in terms of privacy
<qyliss>
your hardware will always be fingerprintable no matter your OS
<qyliss>
you could mitigate that by fully virtualizing, perhaps, but I don't think that's an experience very many people would be willing to put up with
<v0idifyy>
qyliss, qubes doesn't "fully virtualize" on the default Linux VMs right?
<v0idifyy>
i believe the moment you have "window integration" you've already given yourself up to fingerprinting
<v0idifyy>
i think fingerprinting is a very hard issue that almost no one has properly solved. tor browser has the most amount of mitigations and works decently well
<qyliss>
I don't think window integration necessarily makes much of a difference
<v0idifyy>
well, i'm saying assuming you took other mitigation steps, window integration usually has things like showing your WM's config and size of display(s) but also there's implementation details
<qyliss>
I'm not sure that either of those necessarily have to be visible to Wayland clients, but I'm not entirely sure
<qyliss>
my reading of the Qubes documentation is that they use hardware virtualisation, so they don't fully virtualize -- by that I mean you'd have to fully emulate hardware rather than using CPU virtualisation extensions or doing any device passthrough. It would be unworkably slow.
<qyliss>
and you'd also have to limit it further so you couldn't just fingerprint by the speed of that emulation
<hypokeimenon[m]>
<v0idifyy "i like the poisoning approach: c"> Yeah, same. Along with maybe encouraging frameworks for managed services where they can process data that fingerprints users, but never have unencrypted access to that data or store it. Or at least have non-profit intermediaries that process that on behalf of the companies.
<qyliss>
and even then there would probably be all sorts of other ways you could fingerprint that I haven't thought of
<hypokeimenon[m]>
Making everyone use the same browser -> operating system -> hardware seems unworkable to me.
<qyliss>
indeed
<hypokeimenon[m]>
> <@freenode_v0idifyy:matrix.org> i like the poisoning approach: change the fingerprint constantly
<hypokeimenon[m]>
* Yeah, same. Along with maybe encouraging frameworks for managed services where they can process data that fingerprints users, but never have unencrypted/non-anonymised access to that data or store it. Or at least have non-profit intermediaries that process that on behalf of the companies.
<qyliss>
poisoning has the problem that you can only randomise fingerprinting mechanisms that you thought of ahead of time
<qyliss>
virtually all anti-fingerprinting techniques have the same problem
<josias>
hypokeimenon🏳️🌈: But making it look like that isn't so hard. Consider the Tor Browser for example.
<qyliss>
the only "solution" I can really see there is to limit the amount of control you give untrusted parties over your computer
<qyliss>
to limit what they can measure
<qyliss>
e.g. don't run JavaScript (not that that fully prevents fingerprinting)
<hypokeimenon[m]>
I really respect the Tor Browser project but it seems more a stopgap measure than a (route to a) final solution.
<qyliss>
but that's very difficult to do while still providing something useful, because our society is now built around running untrusted and unauditable third-party programs to get anything done
<qyliss>
fingerprinting is a very difficult problem and I don't expect to be able to address it at all
<v0idifyy>
something i noticed is that even the seemingly most sophisticated fingerprinting techniques like fingerprintjs2 can't fingerprint tor browser, even less so running on different VMs
<v0idifyy>
so I believe that for the general public, web browsing fingerprinting is already solved there
<qyliss>
I assume that the fingerprinting techniques known to the public are only the tip of the iceberg
<hypokeimenon[m]>
I think it depends what you mean by most sophisticated.