I zap Google cookies but it tracks me by IP - what else?

Discussion in 'Computer Security' started by WM, Jan 20, 2006.

  1. WM

    Reg Edwards Guest

    To all involved.

    Now, now, don't fall out about it!

    Very few of you understand very much how the Internet works. You are
    just users without knowing what goes on in the intricacies under the
    bonnet.

    The real problem lies in the fact that the so-called engineers and
    technicians and other hangers-on, they who install and maintain the
    system, know no more about how it works than you do.

    Service providers severely neglect technical training of staff. It's
    not an immediately profitable investment. It's short-terminism. The
    result is system unreliability, which often descends to chaos, as can
    be judged from service providers' so-called 'support' newsgroup
    enquiries and frustrations.

    The service reliabilty of the old telephone, local and trunk dialling
    system was almost perfect. It catered in a few hours for national
    storm and flood disasters. The old General Post Office had staff
    training amongst its top priorities under a Postmaster General of rank
    equal to a cabinet minister, and the Chancellor of the Exchequer, next
    to the prime minister.

    But Maggie buggered that up for the sake of the City of London and the
    profit motive.

    You voted for it - and that's what you got! Try not to do it again.
     
    Reg Edwards, Jan 24, 2006
    #61
    1. Advertisements

  2. WM

    TwistyCreek Guest

    30+ years of hands on including building my own ISP, designing,
    implementing, and administering networks in hospitals, local/regional
    government offices, courthouses, police stations, private businesses and
    private homes.

    Decades of ironing out problems in many scenarios where security has
    always been a top priority, like patient confidentiality, attorney-client
    privilege, and how to keep the competition from finding out you're rolling
    out a new product with a ridiculously simple modification any of them
    could implement that will make you millions if you get it there before
    them.

    You know..... silly things like that.
    So you're saying you have terminals that allow "community" logins and do
    absolutely no logging? And they're connected to the outside world?

    <laugh>

    You're either a liar, crazy, or you have the worst admins the universe has
    ever conceived. I suspect the truth is your mythical terminals aren't
    quite as "anonymous" as you are misled to believe they are though.
    You just don't get it. Even in the absolute best case of nobody possibly
    knowing which of X number of people were doing a deed, which you do NOT
    have, you're still one of definable set X as opposed to 1 of ALL. You are
    in no way, shape, or form anonymous. Anonymous by definition can not
    include that sort of restriction.

    You're also trivial to ferret out in the real world, where Joe is going
    to remember something about Frank using that "anonymous terminal" last
    Wednesday when the cops say Jane got that harassing email. The real life
    implications of your misunderstanding of the term anonymous are even more
    detrimental to the concept than the math. That terminal is a fixed point,
    easily compromised under any of the scenarios I've already tried to lay
    out for you, and more.
    I would find out who fsbmgr is, who has access to that account, and who
    actually used it last Wednesday at 4:30 PM when the logs show it was used
    to send that email. It's not going to be very hard at all. Certainly not
    problematic enough to thwart even a coworker with any real desire to find
    out.

    You're just.... wrong. I don't know how to explain it any other way. The
    question was about being hidden or anonymous, from government snoops no
    less, and your "solution" won't even keep the average local snoop at bay.
    It *might* fool your grandmother if she's technically illiterate, but I'd
    wager even a bright high schooler could figure it out if given admin
    access. Or set up something to figure it out automatically. It's a trivial
    problem.

    Like I said, security through obscurity..... bad medicine. :(
     
    TwistyCreek, Jan 24, 2006
    #62
    1. Advertisements

  3. WM

    usenet Guest

    We have terminals and other access all within a reasonably secure
    environment. There's a very secure (so I am told) firewall between us
    and the outside world but within the building access is still pretty
    free and easy - the 'Unix' way really.
    Ho, ho, ho. (well you said I should)

    Oh dear, maybe we're at cross purposes. *ALL* I said originally was
    that there was no way to tell which of quite a large number of people
    had accessed the web from a particular machine. I obviously wasn't
    suggesting it could be anyone in the world.

    Dozens of people know the fsbmgr password and they probably keep the
    logins live for days.

    It wasn't a *solution* it was just a comment that there's no easy way
    to tell which of a (finite) numebr of people accessed the web in this
    particular case.
     
    usenet, Jan 24, 2006
    #63
  4. You're waffling.... "reasonably", "pretty free"....

    Either you have the sort of unlogged, wide open access by groups of
    hundreds who share a community login that supports your assertions, or you
    don't. It's that simple.

    And even if you DO, you're still far from being anything at remotely
    resembles anonymous or secure from the types of snoops we're discussing.
    There's a definable trial directly back to you that other methods simply
    do not provide. A trail the something like a "government" could exploit on
    a whim.
    No, you're mistaken about that too. I was amused BY you, not along
    side you. :)
    100 isn't a larger number. Neither is 1000 in context. Compared to the
    mathematical problems of sifting through billions, those are rather
    laughable numbers in fact.
    But there ARE ways to tell, and I've tried to explain some of them to you.
    There's is a tangible, discoverable connection between that web site and
    your fingers. What you're describing is "obscurity". It's a myth, a widely
    accepted security fallacy. If you're depending on it to CYA against
    anything but the most trivial attacks you are a misguided or self
    deluding fool setting themselves up for a severe disappointment.
    Fine. We line them all up and start beating them with rubber hoses. Or we
    extend those logs by court order. Or we install cameras. Or we question
    everyone until someone remembers they saw "Dave" at the terminal on such
    and such a date at such and such a time. Or we run a "sting" on whoever
    we're after by leading them to a site that does a little more than fill
    their eyes with naked ladies. Or we traffic analyze and collate access
    with time cards.

    Any number of things can be used to "catch" an individual in this scenario.
    You're just.... wrong. If there is a weakness that's within practical
    limits it WILL be exploited by a dedicated attacker. The simple fact of
    the matter is your "suggestion" has a few gaping holes in it. This makes
    it a useless suggestion any way you turn it around, and even YOU realize
    this because you've attempted to defend it with what essentially amounts
    to a lie about the "anonymity" of some alleged terminal in your alleged
    place of work.
     
    Borked Pseudo Mailed, Jan 25, 2006
    #64
  5. WM

    usenet Guest

    The original question was about Google's ability to show usage based
    on IP address. In the case of the systems I'm talking about we're
    behind a firewall that also uses NAT. Thus every user in the business
    will appear (to Google) to have the same IP address.

    Yes, given a large number of heavies, you might beat the information
    out of someone but that would really be the only way to do it and
    you'd have to bash up quite a few people.

    Apart from that it would be *very* difficult to assign particular
    usage to particular people as we have lots of non-personal logins
    which are used extensively by lots of different people and we
    regularly change both timezones and actual system times on machines to
    simulate operation in other countries and at different times of the
    day (especially over midnight for example).

    We do not have a lot of auditing of system usage simply *because*
    this is a development environment and there is no sensitive personal
    information on it, we go to considerable lengths to ensure that there
    isn't any. Any system which does have sensitive information (HR
    records, customer information, etc.) is not within the development
    environment.

    Thus browsing from of this environment is unlikely to provide any
    useful information to be passed on by Google. Given that there are
    probably quite a large number of businesses working behind similar
    firewalls it makes the task of finding things out from Google's
    records even more 'needle in a haystack'.

    OK, if something really 'nasty' was spotted in the Google logs then,
    with a huge amount of effort, something might be traced and uncovered
    but I should think the bird would have flown long before the 'heavies'
    arrived.

    I would also point out that I don't think I (or anyone else here) is
    doing anything that would be of the slightest interest to the US
    government or anyone else for that matter.
     
    usenet, Jan 25, 2006
    #65
  6. WM

    Robert Guest

    Ahhhh IP addresses....Ya just gotta love em! Even when someone uses
    secondary or work computers to create different accounts. It makes no
    difference.
     
    Robert, Feb 9, 2006
    #66
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.