The one constant in security is that we find the bad guys keep creating ever new ways to get at our computers and the data they contain while tracking our every move on line.
For example in my last post I pointed out how LSO's have replaced the standard cookie as the new threat to tracking our activities. And while they are certainly a major new threat they are hardly the worst new tactic to come from the minds of those who seek to destroy our online safety and privacy.
For example, recent work confirms what was only hinted at some years ago in a paper by a Ph.D. student Tadayoshi Kohno. It was first discussed in an article by PC magazine back in 2005 shortly after his paper was published.
And what did he see coming and fear would be an almost perfect method of tracking our movements on the web? It's what could best be called "finger printing". It seems that just as Microsoft does when you install Windows on your computer it's possible to remotely develop a description of your computer that's almost impossible to hide or change.
And being based on all the hardware and software that is installed on your computer as well as it electronic signature it is such a combination of devices and software that it is for all purposes unique to one and only one computer, yours.
Put simply that means that all the software and hardware on your computer contains identifiers that are designed to be read by your system. With that information it's possible to create a profile without your knowledge or consent based on the way your computer is designed to work. For just as Plug and Play devices (basically all computer devices today) respond with their manufacturer, model number, serial number, and version numbers when polled so does your software report what it's called, when it was made, and even when it was copied to and installed on your computer. And with the right equipment it's even possible to detect those random electronic actions and minor skips or glitches in the electronic workings of the various sub systems within your computer.
As you can readily see that means that the basic design and content of your computer works against you and your privacy. Not much you can do about that. And even worse is that it may be possible to use this "finger print" to identify individual devices even when they connect over other access points or even hidden behind NAT firewall's.
If that's true it means that even when you connect your laptop or cell phone at a remote Wi-Fi spot you could be readily spotted and tracked. So now even when you're out of your office or home your entire web profile becomes one seamless whole.
And when will this threat be not just a threat but a fact. Sadly it appears that it's already started. By all accounts some sites and providers are even now using "finger printing". Just imagine how much better the FBI likes this idea over their much maligned project called Condor. No special equipment needed! No easy way to know you're being followed! And no place to hide or disguise who you are!
Now the question is can the security establishment find an answer to this new danger? Only time will tell but I for one will sure be looking over my shoulder and wondering just who is using this dangerous tool to watch us all as we access the web.
And until someone shows me a way to avoid this method I will consider that all I do and all I see is being tracked by someone somewhere.
Tracking PCs anywhere on the Net -PC Magazine 2005
Remote Physical device fingerprinting
Fingerprinting Computer Chips