Tuesday, July 22, 2014

INTERNET - The Impossible to Block Tracking Device

"Meet the Online Tracking Device That is Virtually Impossible to Block" by Julia Angwin, ProPublica 7/21/2014

Update: A YouPorn.com spokesperson said that the website was "completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users." After this article was published, YouPorn removed AddThis technology from its website.

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image.  Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block.  They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites.  Most of the code was on websites that use AddThis’ social media sharing tools.  Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development.  The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image.  But other Web browsers did not add notifications for canvas fingerprinting.

A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet.  The code was immediately popular.

But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology.  “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”

Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting.  “The fingerprint itself is a number which in no way is related to a personality,” he said.

AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once.  This allows the company to capture slight variations in how each letter is displayed.

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon.  “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.

The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com.  YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.
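
An added example, not part of the ProPublica article and not AddThis's or the researchers' code: a defender-side heuristic that flags the draw-text-then-read-back behaviour described above from a recorded trace of canvas API calls. The event format, script names, and thresholds are assumptions made for this illustration.

```javascript
// Added example: flag canvas fingerprinting from a recorded trace of canvas API calls.
// The event format and thresholds are assumptions made for this illustration.
const MIN_SIDE = 16;            // assumed: smaller canvases carry too little signal
const MIN_DISTINCT_CHARS = 10;  // assumed: pangram-style text uses many glyphs

function classifyCanvasTrace(events) {
  const perScript = new Map();
  for (const ev of events) {
    if (!perScript.has(ev.script)) {
      perScript.set(ev.script, { chars: new Set(), colors: new Set(), readBack: false });
    }
    const st = perScript.get(ev.script);
    const bigEnough = ev.width >= MIN_SIDE && ev.height >= MIN_SIDE;
    switch (ev.method) {
      case 'fillStyle':            // colour assigned before drawing
        st.colors.add(String(ev.args[0]));
        break;
      case 'fillText':
      case 'strokeText':           // text exposes font and rendering differences
        for (const ch of String(ev.args[0])) if (ch.trim()) st.chars.add(ch);
        break;
      case 'toDataURL': {          // lossless read-back of the rendered pixels
        const mime = ev.args[0] || 'image/png';
        if (bigEnough && mime === 'image/png') st.readBack = true;
        break;
      }
      case 'getImageData':         // raw pixel read-back of a large enough region
        if (bigEnough && ev.args[2] >= MIN_SIDE && ev.args[3] >= MIN_SIDE) st.readBack = true;
        break;
    }
  }
  const flagged = [];
  for (const [script, st] of perScript) {
    const richText = st.chars.size >= MIN_DISTINCT_CHARS || (st.chars.size > 0 && st.colors.size >= 2);
    if (richText && st.readBack) flagged.push(script);
  }
  return flagged.sort();
}

// Constructed sample trace (hypothetical script names, not captured from any real site).
const SAMPLE_TRACE = [
  { script: 'widget.example/share.js', method: 'fillStyle', args: ['#f60'], width: 300, height: 150 },
  { script: 'widget.example/share.js', method: 'fillText', args: ['Cwm fjordbank glyphs vext quiz', 2, 15], width: 300, height: 150 },
  { script: 'widget.example/share.js', method: 'toDataURL', args: [], width: 300, height: 150 },
  { script: 'charts.example/plot.js', method: 'fillText', args: ['Q1 revenue', 10, 10], width: 640, height: 480 },
  { script: 'photo.example/export.js', method: 'fillText', args: ['Holiday album 2014', 5, 20], width: 800, height: 600 },
  { script: 'photo.example/export.js', method: 'toDataURL', args: ['image/jpeg'], width: 800, height: 600 },
];
console.log(classifyCanvasTrace(SAMPLE_TRACE));
```

Only the script that both draws glyph-rich text and reads the pixels back losslessly is flagged; a chart label that is never read back and a lossy JPEG export are treated as ordinary canvas use.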

Thursday, July 10, 2014

NSA - How to Ensure You Are On the Watch List

"Here’s One Way to Land on the NSA’s Watch List" by Julia Angwin and Mike Tigas, ProPublica 7/9/2014

Last week, German journalists revealed that the National Security Agency has a program to collect information about people who use privacy-protecting services, including popular anonymizing software called Tor.  But it's not clear how many users have been affected.

So we did a little sleuthing, and found that the NSA's targeting list corresponds with the list of directory servers used by Tor between December 2010 and February 2012 – including two servers at the Massachusetts Institute of Technology.  Tor users connect to the directory servers when they first launch the Tor service.

That means that if you downloaded Tor during 2011, the NSA may have scooped up your computer's IP address and flagged you for further monitoring.  The Tor Project is a nonprofit that receives significant funding from the U.S. government.

The revelations were among the first evidence of specific spy targets inside the United States.  And they have been followed by yet more evidence.  The Intercept revealed this week that the government monitored email of five prominent Muslim-Americans, including a former Bush Administration official.

It's not clear if, or how extensively, the NSA spied on the users of Tor and other privacy services.

After the news, one of Tor's original developers, Roger Dingledine, reassured users that they most likely remained anonymous while using the service:  "Tor is designed to be robust to somebody watching traffic at one point in the network – even a directory authority."  It is more likely that users could have been spied on when they were not using Tor.

For its part, the NSA says it only collects information for valid foreign intelligence purposes and that it "minimizes" information it collects about U.S. residents.  In other words, NSA may have discarded any information it obtained about U.S. residents who downloaded Tor.

However, according to a recent report by the Privacy and Civil Liberties Oversight Board, the NSA's minimization procedures vary by program.  Under Prism, for example, the NSA shares unminimized data with the FBI and CIA.

In addition, the NSA can also later search the communications of those it has inadvertently caught in its Prism dragnet, a tactic some have called a "backdoor" search.  It's not clear if similar backdoors exist for other types of data such as IP addresses.

In response to the Tor news, the NSA said it is following President Obama's January directive to not conduct surveillance for the purpose of "suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion."

[Disclosure:  Mike Tigas is the developer of an app that uses Tor, called the Onion Browser.]

Monday, July 7, 2014

LINUX - Rules on Supercomputers


"Where Linux rules:  Supercomputers" by Steven J. Vaughan-Nichols, ZDNet 11/25/2013

Summary:  Linux is everywhere, except on traditional PCs.  But when it comes to total platform domination, you can't beat Linux on supercomputers.

The latest Top 500 Supercomputer list is out.  At the very tip-top, you'll find Tianhe-2.  This supercomputer, developed by China’s National University of Defense Technology, is once more the world’s fastest supercomputer with a performance of 33.86 petaflop/s (quadrillions of calculations per second) on the Linpack benchmark.  Also on top, as it has been for more than a decade now, you'll find Linux.

When it comes to supercomputers, Linux is the operating system of choice and it has been since 2004.  The latest round-up of the world's fastest computers underlines just how dominant Linux is in supercomputers.

In the November 2013 listing, 482 of the world's top supercomputers run Linux.  The free, open-source operating system is followed by Unix, with eleven; four systems running a mix of operating systems, two with Windows and a single system running BSD Unix.  That's an advantage of 96.4 percent for Linux to 3.6 percent for everyone else, if you're keeping score at home.

The vast majority of these Linux hot-rod computers use cluster architectures with 86.4 percent.  Only 15.4 percent use a massively parallel processor (MPP) design.

A related development, behind the high-tide of Linux, is that most of these supercomputers use AMD and Intel chips.  To be exact, 82 percent use Intel Xeon chips with the Xeon E5 SandyBridge processor leading the way.  9 percent use AMD Opteron and 8 percent use IBM Power processors.  All of these chips can, and do, run Linux on supercomputers.

Just over 10 percent of supercomputers, 53 systems, use accelerator/co-processor technology.  Of these, 38 use NVIDIA chips, 13 systems with Intel's Xeon Phi and two use ATI Radeon.

Looking ahead, the supercomputer testers are well aware that the Linpack benchmark is dated.  Jack Dongarra, distinguished professor of computer science at the University of Tennessee, creator of the TOP500 and Linpack's inventor, is working on a new supercomputer benchmark:  the High Performance Conjugate Gradient.

We don't have a date yet for when the HPCG will appear.  We can, however, be certain that whenever it appears, Linux will still be the top supercomputer operating system.