EFF Publishes Study On Browser Fingerprinting
Jun 3rd, 2011 by Ken Hagler

EFF Publishes Study On Browser Fingerprinting. Rubinstien writes “The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to ‘device fingerprinting’ via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we’ve discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far.” [Slashdot]

I visited the test site with my default browser with Tor and NoScript on, and it had this to say:

Within our dataset of several million visitors, only one in 10,791 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 13.4 bits of identifying information.

However, it reports the user agent incorrectly, as Tor is set to lie about what browser I’m using. When I turned Tor off and reloaded the test page, I got this instead:

Within our dataset of several million visitors, only one in 21,435 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 14.39 bits of identifying information.

If I’m not mistaken, this means that the test site thinks I’m in the first group of browsers when I’m actually in the second group.
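How the “one in N” figures relate to the “bits of identifying information” quoted above, and how combining attributes shrinks the group a browser hides in, shown as an added example (not part of the original post and not EFF's code). The sample population and the attribute names `ua`, `plugins` and `fonts` are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample population (not Panopticlick data); the attribute
# names ua/plugins/fonts are assumptions made for this illustration.
SAMPLE = [
    {"ua": "Firefox", "plugins": "flash",      "fonts": "set1"},
    {"ua": "Firefox", "plugins": "flash",      "fonts": "set1"},
    {"ua": "Firefox", "plugins": "flash,java", "fonts": "set2"},
    {"ua": "Firefox", "plugins": "",           "fonts": "set1"},
    {"ua": "Safari",  "plugins": "flash",      "fonts": "set3"},
    {"ua": "Safari",  "plugins": "flash",      "fonts": "set3"},
    {"ua": "Safari",  "plugins": "flash,java", "fonts": "set4"},
    {"ua": "Chrome",  "plugins": "flash",      "fonts": "set1"},
]

def surprisal_bits(one_in_n):
    """Bits of identifying information for a fingerprint shared by one in N browsers."""
    return math.log2(one_in_n)

def anonymity_sets(browsers, attrs):
    """Count how many browsers share each combination of the given attributes."""
    return Counter(tuple(b[a] for a in attrs) for b in browsers)

def report(browsers, attrs):
    """Summarise how identifying a set of attributes is across a population."""
    sets, total = anonymity_sets(browsers, attrs), len(browsers)
    return {
        "distinct": len(sets),
        "unique_fraction": sum(1 for c in sets.values() if c == 1) / total,
        # Shannon entropy = average surprisal over all browsers in the sample
        "entropy_bits": sum(c / total * math.log2(total / c) for c in sets.values()),
    }

def set_size_after_spoof(browsers, index, fake_ua, attrs):
    """Size of the anonymity set a browser lands in when it reports fake_ua."""
    spoofed = [dict(b) for b in browsers]
    spoofed[index]["ua"] = fake_ua
    sets = anonymity_sets(spoofed, attrs)
    return sets[tuple(spoofed[index][a] for a in attrs)]

if __name__ == "__main__":
    print(round(surprisal_bits(10791), 2), round(surprisal_bits(21435), 2))
    print(report(SAMPLE, ["ua"]))
    print(report(SAMPLE, ["ua", "plugins", "fonts"]))
    print(set_size_after_spoof(SAMPLE, 7, "Firefox", ["ua", "plugins", "fonts"]))
```

A reported user agent that differs from the real one moves the browser into a different anonymity set, which is why the two visits in the post produce different figures.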

Tor weaknesses
Dec 28th, 2010 by Ken Hagler

Flaws in Tor anonymity network spotlighted. At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.

The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a régime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing. [Ars Technica]

There are things users can do to protect themselves. From the article:

Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.

And from one of the comments:

This attack should be significantly less effective as well if the target in question is a fully functional and quality relaying node. In that case other people accessing through the node would randomize things significantly, and their access would be impossible to differentiate from a local user without the kind of physical access that makes the entire thing moot.

Wrong approach
May 26th, 2010 by Ken Hagler

Browser add-on blocks Google Analytics. Google has released an add-on for Web browsers that blocks information from being sent to its Analytics service. [MacCentral]

This is rather pointless, as Tor blocks Google Analytics, and any other form of spying on the Internet. Anyone who wants their browsing to be private is using it, which means that the people complaining about Google Analytics tracking their activity are only announcing their own ignorance or stupidity (or both).

Browsing the web without Tor and complaining about privacy is like standing on a crowded sidewalk and then complaining that people can see you.

How not to release leaked information
Dec 31st, 2009 by Ken Hagler

Brief: TSA subpoenas bloggers to find source of security doc leak.

The Transportation Security Administration is attempting to find the source of a leak of a sensitive security directive that followed a failed airline bombing attempt on Christmas Day. Two travel bloggers have revealed that they have been subpoenaed to provide information that may lead to the source of the leak.

Shortly after an attempted “underwear” bomber was discovered on Northwest Airlines Flight 253 from Amsterdam to Detroit on December 25, the Transportation Security Administration issued immediate, temporary changes to security procedures in an attempt to prevent similar incidents. The particular details of those changes were issued in an internal security directive, intended only for TSA employees. However, copies of the directive were leaked to several bloggers and quickly spread around the ‘Net.

Writers Chris Elliott and Steven Frischling both received copies of the security directive from anonymous sources, and both published the text of the directive after mass confusion set in among holiday travelers affected by the sudden changes in security procedures. It appears that the TSA is not punishing either for publishing the document; rather, they are trying to find the source of the leak.

“The DHS & TSA are taking this matter seriously, and that tells me that they are paying attention to security in detail,” Frischling wrote on his blog. So far, neither has admitted to knowing the identity of the source of the TSA directive.

The leak is somewhat embarrassing for the TSA, though, in light of a recent leak of the entire contents of the TSA’s “Standard Operating Procedures” manual online. That disclosure was due to improper redacting of the document, which the TSA later claimed to be out of date.

[Ars Technica]

The lesson to be learned here is that if you find yourself in possession of information which would embarrass the government, don’t pin a giant target on yourself by posting it to your blog. Instead, use Tor to upload it anonymously to Wikileaks.

Article on sci-fi publisher Tor
Nov 13th, 2008 by Ken Hagler

New at Reason: Katherine Mangu-Ward on Science Fiction Publisher Tor Books.

From our December issue, Associate Editor Katherine Mangu-Ward offers a guided tour of the anti-authoritarian universe of Tor Books, the world’s most successful science fiction publisher.

Read all about it here. 

[Hit and Run]

Some particularly good quotes from the article:

Science fiction novelist Cory Doctorow, a self-described civil libertarian whose Tor titles include the brilliantly paranoid young adult novel Little Brother, suggests why science fiction writers think so much about alternative worlds. “It’s completely unsurprising that people who, you can imagine, aren’t at the top of the pecking order in high school would turn to science fiction,” says Doctorow, who is also co-author of the wildly popular geek blog Boing Boing. “The people who write it have often not been beneficiaries of the authoritarian system. They’re the people who don’t fit in exactly, and if you always rub up against social constraints, you’re the kind of person who’s willing to sit down and have a good hard think about whether this is the best way to do things.”

And:

“I suspect S.F. has an individualistic, antiauthoritarian trend to it not least because so many of the people who read and write it (not all by any means, but quite a few) are inner-directed introverts who make neither good leaders nor good followers,” emails Harry Turtledove, a best-selling author whose most famous novels pose questions about contingency in history and the importance of individual action. “Am I talking about myself? Well, now that you mention it, yes. But I ain’t the only one, not even close.”

© Ken Hagler. All rights reserved.