Man
Professional
- Messages
- 3,046
- Reaction score
- 571
- Points
- 113
Is everyone familiar with the word deanon? And this is not about fighting anonism. With the help of tricky technologies, you are identified by anyone and everyone - from advertising and media agencies, big data collectors to various government agencies. The problem is very serious and in this article we will only touch on the tip of the iceberg and tell you how to at least a little bit secure your Internet experience.
The widespread use of digital fingerprinting technologies makes it easy to collect personal information. In addition, users voluntarily share personal information on social networks, instant messengers, email correspondence, and other online platforms, often without even suspecting that their data could fall into the wrong hands.
In the first part, we figured out what fingerprinting is and made Firefox a little safer. In the second part, we will talk about how to hide a fingerprint, setting up a virtual machine, anonymous and not quite anonymous browsers, and of course, protecting your identity online.
Here I will describe several manipulations with VM in order to make its fingerprint less recognizable and hide the information that it is a virtual machine.
We will use VBoxHardenedLoader:
This is a great add-on for VirtualBox that allows you to change almost any settings of your virtual machine.
Just downloading the file is not enough. You also need to make the necessary settings. To do this, do everything in accordance with the manual.
Download and install VirtualBox.
Open VirtualBox and create a virtual machine with the settings you want.
Note: 2048 MB is not mandatory, you can adjust or reduce this value as you wish, but keep in mind - some detection systems try to identify a virtual machine by the available physical memory and if it is too small - this is a red flag that it is a virtual machine.
Create a virtual disk
Remember that the recommended disk size should be greater than 32, or better yet, 64 GB. A smaller size will indicate that this
is a virtual machine.
Once the virtual machine is created, open its settings – you will need to make certain changes.
In the System menu, Motherboard tab, check the Enable I/O API box.
In the Processor tab, enable PAE/NX and install at least 2 processors. If it says that there is only one processor, this is an indicator that a virtual machine is being used.
In the Acceleration menu, set Paravirtualization Interface to Legacy and enable VT-x/Nested Paging. If you leave the paravirtualization value “Default”, it gives the virtual machine the Virtual Box hypervisor and even the hypervisor name via the cpuid value. And this is a complete disaster!
On the Display tab, disable 2D/3D Acceleration.
Storage.
It should look something like this.
Save all settings and close VirtualBox completely.
Download the program from here and save it where you want. For example c:\vboxldr.
Now the important part. Go to the data folder and select the system startup script.
hidevm_ahci for VM with SATA/AHCI controller and classic BIOS
hidevm_ide for VM with IDE controller and classic BIOS
hidevm_efiahci for VM with SATA/AHCI controller and EFI
hidevm_efiide for VM with IDE controller and EFI
Edit the script according to your configuration for your needs:
set vboxman=”C:\Program Files\Oracle\VirtualBox\vboxmanage.exe”
set vmscfgdir=D:\Virtual\VBOX\Settings\
Change vmscfgdir to the folder with your machine settings.
Make the remaining settings and run the script with the name of your virtual machine.
But don't launch VirtualBox yet - you're not ready yet.
Run loader.exe with Administrator privileges.
You will have to repeat this step every time you restart the OS.
Attention! Remember that you should never install Virtual Box Additions - it will ruin everything.
As practice has shown, each configuration requires its own approach to installation and its own writing of the config file. Much depends on the operating system and its version on which we are going to build the virtual machine.
There is no doubt about the flexibility and reliability of the system. Everything is individually configured to your taste.
Let's replace all the hardware of our virtual machine:
– processor model
– motherboard manufacturer/company
– BIOS ID, version/date
– ID CPU и ID HDD
– Windows product ID
- replacing the video card (Important!)
- random Mac-Address of the network device or manual installation for each machine
- unlike a simple virtual machine, on ours we will be able to control the parameters of the sound card (a hint at replacing the audio fingerprint), but of course, we still need to work on this manually and install the necessary software.
Via VboxHardenedLoader we give our future virtual machine random properties and parameters, and only then install Windows there. All settings of our miracle machine should be made before the first launch of the OS. That is, your virtual machine is already launched with these settings as a full-fledged PC and will be identified as someone's PC, and not a virtual machine with VBOX fingerprints.
You can see how to set it all up in this video:
How to work with a virtual machine?
Having created a machine, let's call it MAIN, you load into it all the software needed for work, set up browser anti-detection, etc.
We will clone the finished MAIN machine and in the future we will work only with its clones. After “working out” the clones can be deleted and, if necessary, other clones can be made. Do not forget to give the clones values different from the MAIN VM, remembering that this is a cloned machine and it is similar to the MAIN. And it needs to be different. We launch the written config file and everything happens automatically. VboxHardened does its job.
One-click clone randomization works with all hardware except the processor and motherboard.
The processor model does not need to be changed so often, the main thing is that it differs from the host processor model. It is important that the CPUID itself has changed. The final choice is yours - when, how and how often to change the model.
For the paranoid, the configured machine (and subsequent clones) can be used in conjunction with Whonix. You can add your neighbor's Wi-Fi to this.
I used VMWare Workstation for Win.
1) A newly installed system is required for operation; I couldn’t find how to make changes to an existing one.
Prepare a virtual disk, specify the system as you usually do, and in the settings for the machine being installed, I have this item called Isolation, turn off any data exchange with the host OS.
2) Next, you need to find the VMX configuration file created at the stage of creating the machine in VMWare, and add the following lines to the end:
These options prevent programs from detecting the virtual environment through complex checks such as tracking the memory address space and counters.
Important! If there is an option like "Express install" at the installation setup stage, turn them off. Also, do not install VMWare Tools in the installed system, since some software includes the presence of this package in the check.
3) Save the file, specify the ISO with the system installer to download, and install the OS as usual.
4) Despite the fact that the vast majority of programs that do not like the virtual environment do not go beyond the checks that we cut off in step 2, some particularly stubborn ones still go further and try to search, for example, for anything that resembles the name of virtual disk controllers.
To defeat them in Windows, go to the registry editor in the branch HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. As you can see, there is a very clear reference to the fact that the disk is virtual.
We need to change it by removing VMware, Virtual, Ven, etc. from the parameter and save it like that.
It also makes sense to replace everything that changes in the registry by searching for VMware/Virtual with something like Intel or IBM, and not just disk variables.
Afterwards, try to launch your stubborn object of experiments - in 70% of cases, the steps described will help pass the virtual environment checks.
Important! The value in HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum is overwritten after each reboot, so it must be changed after each new system startup.
Structure your virtual machines
We strongly recommend dividing your online tasks into several categories and using a separate virtual machine for each of them. For example, use one machine to access personal mail, banking, State Services and other very personal sites. Another machine to access social networks. A third one to surf the Internet. A fourth one for work. Believe me, none of this is that difficult. Don't be lazy and set everything up once. After all, security is above all else.
Are we testing?
You can check how much you have protected yourself from detection, and also get acquainted with other popular tools among developers for detecting sandboxes and virtual machines using Pafish.
A common way for websites to obtain your data is through the use of cookies. Cookies are small packets of text files that are stored on your computer and contain certain data that can provide websites with information to improve the user experience.
Every time you visit a website, your browser will download cookies. When you visit the same website later, it will compare the data packets and provide you with a customized user experience.
Think about the font size or screen resolution you view on a website. If a website knows you always use an iPhone 8, it will give you the best settings for your iPhone. This way, the site knows whether you are a unique visitor or a return visitor. Cookies also store data about browsing habits, interests, and more.
Additionally, websites use Javascript that will interact with visitors to perform certain tasks, such as playing a video. These interactions also trigger a response, and so they receive information about you.
To identify the user's browser and without cookies, technologies for constructing digital fingerprints (fingerprint) have appeared. The most widely used are Canvas fingerprint and WebGL fingerprint. Perhaps the most popular library for obtaining a digital fingerprint is FingerprintJS2, written by our compatriot Valentin Vasiliev: https://github.com/Valve/fingerprintjs2. Updates were made several months ago, so the development is active.
One of the most effective methods of protecting against browser fingerprinting is to disable JavaScript and Flash.
When JavaScript is disabled, websites will not be able to detect the list of active plugins and fonts you are using, and they will also not be able to set certain cookies in your browser.
The downside of disabling JavaScript is that websites may not always work properly.
On the other hand, Flash can be disabled without negatively affecting the performance of websites.
Font Fingerprint
It is not known exactly when the technology appeared, but it is no longer a secret that due to its simplicity and efficiency, the font fingerprinting technology has found its application in almost all major anti-fraud companies. This technology receives a list of fonts installed on the user's PC.
For protection, the user must disable Adobe Flash and JavaScript in their browser.
Conclusion: it is worth turning off if you are just surfing the net and want to be anonymous, but need a substitute for work.
The easiest way to replace the font imprint is to change the page scale. If desired, you can select an extension in Mozilla for this purpose.
There are tests of this fingerprint on the Internet, you can try it.
WebGl Fingerprint
The technology is responsible for acceleration and work with graphics, and is part of Canvas.
Microsoft once called for abandoning WebGL due to its vulnerability to external attacks.
The essence of it is that 3D triangles are drawn, then effects, gradient, various anisotropic filtering, etc. are applied to it. Then it is converted into a byte array, to which various information about platform-dependent constants defined in WebGL is also attached. There are a lot of these constants, dozens of them - this includes color depth, maximum texture size, etc. As a result, all this information is added to our image of a 3D triangle.
The driver version, the video card version, the OpenGL standard in the system, the shader language version, all of this will affect how this image will be drawn internally. And when it is converted to a byte array, it will be different on many computers.
The fingerprint provides information about the user's video card.
What to do, you ask. You can disable plugins, but we are interested in substitution.
Since WebGl is part of Canvas, it can be partially spoofed using one of the Canvas spoofing plugins.
Complete replacement occurs with manipulation of the video card.
On the virtual machine we configured via VirtualBoxHardened, with the specified commands and parameters, it had its own fingerprint, different from the main one.
In such a machine, in the Device Manager, instead of “Virtualbox Graphics Adapter”, you can see “Standard VGA graphics adapter” with its drivers and identifiers pre-installed with Windows. As a result, the video adapter device in the virtual machine was completely replaced. When we installed Windows on the virtual machine, it saw there not the VBox video adapter device as usual, but a full-fledged PC with its own hardware, so the drivers were the ones we needed. Hence the fingerprint substitution.
Сanvas fingerprint
The method itself is quite clear: when visiting a site with a user tracking code installed, such a resource requests the user's browser to draw a hidden image, and the text is drawn using the fonts and renderer available to the system. The set of fonts and anti-aliasing methods differ slightly on different machines. The renderer depends on the browser version, OS and even GPU. As a result, the rendered image is unique.
There are various browser plugins that disable Canvas, such as this one:
https://github.com/kkapsner/CanvasBlocker
Mouse Fingerprint
It is widely used in various fields – from the simplest anti-fraud systems to government surveillance programs.
Like many other things, it is implemented via JavaScript.
To protect against mouse fingerprinting technology, it is recommended to disable JavaScript in the user's browser.
Ubercookie
A new technology, which was invented by Barcelona researcher Jose Carlos, allows identifying a user even in the TOR network.
As Jose Carlos states, Ubercookie technology is one of the main methods of deanonymizing TOR network users and is actively developing in the anti-fraud sphere due to its effectiveness.
Evercookie (persistent cookie)
A small file gets onto your PC. It multiplies and furiously spreads throughout the system, hiding from you in hidden folders/files.
Evercookie is a very smart plugin that can save your data almost anywhere. Evercookie uses all available browser storages - modern HTML 5 standard, Session Storage, Local Storage, Indexed DB and others.
For an ordinary user who does not know all this, it is simply impossible to delete these cookies. You need to visit 6-8 places on the hard drive, do a number of manipulations in order to just clear them. Therefore, an ordinary user, when visiting a site that uses evercookie, will certainly not be anonymous.
Despite all this, evercookie does not work in incognito mode.
For everyone else, there is of course a solution.
The method allows you to protect the system from this infection - a correctly configured antidetect machine will accept Flash cookies, Local Shared Objects-LSO cookies with pleasure, but all of them will be sent to our RAM. As a result, the system sees that we accepted the cookies, but, in fact, they did not fall to our PC, as a result of which they did not register there and could not multiply, causing us harm. After we finish working with the site, we close the browser window, the cookies will be deleted from the RAM.
WebRTC Fingerprinting
WebRTC is a peer-to-peer communication standard via audio streams, or it is a standard for audio communications in modern browsers. It allows you to make audio calls, etc.
Why is it so dangerous? Because P2P requests the user's IP address during information exchange, and WebRTC kindly provides this information to everyone who wants it.
Even if the user works through a VPN or TOR, with the help of WebRTC the site will be able to find out your real IP address without much difficulty.
You can check on the website whoer.net or ipleak.net.
You can turn it off, but it is better to hide your local IP from the WebRTC service. Such a solution exists. As a result, you have WebRTC enabled, but the IP itself is not transmitted. Only your VPN will be detected on top, for example.
Fingerprintjs2
It appeared in 2012, the author is not asleep and updates her brainchild to this day. We wrote about it a little higher.
The essence of it is that the code of this library queries the user's browser for all specific and unique settings and data for this browser and for this system, for the computer.
The entire list of what the code asks for is listed here.
GitHub – Valve/fingerprintjs2: Modern & flexible browser fingerprinting library – looking for maintainer
FingerprintJS does not use cookies at all. No information is stored on the hard drive of the computer where the browser is installed.
Works even in incognito mode, because it does not use storage on the hard drive. It has no dependencies and the size is 1.2 KB gzipped.
Currently used by companies such as Baidu, Google in China, MasterCard, the US President's website, AddThis - a widget hosting site, etc. This library has quickly become very popular. It is used by about 6-7% of all the most visited sites on the Internet at the moment.
Question: How unique and accurate is the definition? The study that was used as a basis was done by the Electronic Frontier Foundation, they had a project called Panopticlick. It says that the uniqueness is about 94%, but according to the developer, on the real data that he had, the uniqueness was about 90%-91%.
Audio fingerprint
Our hit parade ends with the so-called audio imprint.
The method works by sending low-frequency audio signals to the user's computer using the AudioContext API, determining how it processes them, and creating a unique "sound fingerprint." Despite its complexity, this method is extremely effective.
With its help, law enforcement agencies and advertising services can deanonymize users via VPN without having to decrypt traffic.
A study was conducted and out of 1 million sites, more than 80% had audio fingerprinting technology.
There is a database online from May 2016 that lists sites that use this fingerprint.
http://webtransparency.cs.princeton.edu/webcensus/data/census_2016
At the moment, audio fingerprinting technology is actively used by US intelligence agencies – the FBI and NSA, Europe – Interpol, and is gradually taking a leading position in anti-fraud systems around the world. This form of user identification has not yet been studied to such an extent that even the creators of the TOR browser have been unsuccessfully trying to bypass it since May 2016.
To protect against audio fingerprinting, it is recommended to completely disable JavaScript in your browser, but such drastic measures will make it completely impossible to work with most sites.
It is replaced by manipulating the sound device configured on the above-mentioned virtual machine.
Available on Windows, Mac and Linux.
The TOR network is designed for one simple task - anonymous communication. This browser is the most secure.
TOR allows you to hide your location, browsing history, messages you send, and other sensitive data from people or software that analyze your traffic.
This browser routes traffic through many individual relays and tunnels in such a way that header analysis becomes meaningless. Simply put, instead of direct forwarding from point A to point B, it is forwarded through a network of many nodes.
A sniffer listening to only one node in that route will never know either the source or the destination of the intercepted information.
However, the TOR browser also has its drawbacks, the main one being speed. Since traffic is sent through many nodes, loading pages may not be as fast as you would like. If you have a good channel, the problem will not be felt, but in the case of low-speed Internet, surfing through TOR can be annoying.
It should be noted that TOR is the best solution in terms of anonymity, but complete privacy is not guaranteed. For example, downloading torrents or illegally watching TV leaves you vulnerable. However, compared to well-known browsers such as Chrome and Safari, the TOR browser is far ahead.
2. Epic Browser
Available for Windows and Mac.
While the Epic browser doesn't use a dedicated onion network, it does disable a lot of options that could negatively impact your privacy while surfing.
For example, history is not saved, DNS pre-fetching (used to speed up page loading) and cookies are disabled. DNS cache and autofill of forms are also disabled.
After closing a session, the browser automatically deletes all associated databases, settings, the contents of the Pepper Data folder, and cookies used by the Flash Player and Silverlight plug-in.
3. SRWare Iron
SRWare Iron is a free secure browser based on Chromium, optimized for maximum speed. SRWare Iron was developed by the German company SRWare as a secure alternative to the Google Chrome browser, which does not protect 100% from web sites tracking users. SRWare Iron uses the latest version of WebKit and V8, the browser does not track user actions, which ensures a high level of security and privacy.
The main difference between Chrome and SRWare Iron is improved anonymity. Experts criticize Chrome for using a “Unique User ID.” Every time a new session starts, Google is notified about the use of your data.
SRWare does not use unique identifiers or other security-sensitive features such as search suggestions.
4. Comodo Dragon Browser
Available for Windows and Mac.
Comodo is not even close to TOR, but it has some built-in tools to increase security while surfing. For example, it automatically blocks tracking, cookies, and web spies. In addition, this browser has a built-in validation function that separates strong and weak SSL certificates. It also uses antivirus software to protect against trojans, viruses, and other attacks.
As with the previous browser, Comodo Dragon is based on Chrome, so many users can easily switch.
And now about the not at all anonymous Brave
You've probably heard of the Brave browser, but the company's website explicitly states that the app "anonymously" monitors user activity. In addition, the default search engine is Google, which of course does not provide any anonymity. The browser's start page connects to the brave.com home page and sends certain requests to it, crash reports are enabled by default, which are sent along with the browser's characteristics and settings (and possibly the PC), each time Brave is turned on, it will access requests that are clearly related to their advertisers to provide targeted advertising. The browser blocks ads partially, one might say, selectively, even with the blocker enabled.
Let's go to browserleaks.com and let's go.
Go to the left menu on the site and select JavaScript :
It is necessary to change the mms.cfg file (if Flash is installed on the computer).
If the file does not exist, then create it along the path:
Windows (32Bit): C:\Windows\System32\Macromed\Flash\
Windows (64Bit): C:\Windows\SysWOW64\Macromed\Flash\
And write at the end of the file: DisableSockets=1
But it is better to delete it anyway, it is practically no longer needed anywhere. Since the same plugins are drained through it.
Let's look at the system. It would seem that you set the time as the proxy/ip location and that's it? No, that's not enough. Some of the technical points that will screw you over:
— Accordingly, the time itself and the coincidence with the IP time zone.
— The system time has text in brackets (Moscow, standard time). Sometimes it happens that it says, for example, Saudi Arabia (one of the machines had this problem), although everything is specified correctly in the time settings in Windows. It seems to me that this is related to Windows itself and can only be changed by demolishing and reinstalling with a different image. All virtual machines hosted on it had the same problem as Zennoposter.
— Deviation in seconds. As you can see, the difference between local and system here is 21 seconds. How many machines can there be with the same time deviation, logging into Facebook accounts in a row? And especially in the same IP subnet?
The value after the straight line in the Header and JavaScript is determined by the settings in the browser. (In Chrome: Settings → Advanced → Languages → Language).
Before changing settings in Chrome.
After changing settings in Chrome
The value in brackets 100% will be different for different virtual machines with different browser history.
I won't go into detail about the operating system, virtual machines definitely cover that. The last parameter, TCP/IP, is interesting here.
What to read on this subject:
https://www.netresec.com/index.ashx?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting
In short, the MTU value for wired Internet and some Wi-Fi modems should be 1500 (maximum value).
For mobile operators, 1400 or 1500 (sometimes less than 1400, usually multiples of 10, such as 1380). Some USB modems have 1340-1380, the same USB modems have 1340.
Also, the text value ( Windows NT kernel ) shows that you are not a mobile operator user, but a desktop Internet user. For the same Android user, there will be at least text about Linux 2.2.x-3.x, etc. Sometimes, some (Megafon modem) have a text about VPN.
What am I getting at? If you are emulating a mobile user, but are using a modem, this item will give you away. Bad VPN/Proxy rental service providers who do not bother with such security settings will also “give away” you with this item. Moreover, they may be able to fix the problem with the MTU numerical value, but there are few solutions with a text value on the market at the moment.
One of the solutions: there is a mobile device emulation - use a mobile device to distribute the Internet. From a desktop - naturally a desktop, modem, cable.
- Gives you away as a less experienced computer user;
- The distance to the DNS servers is closer (Google's closest ones are in Finland);
- Different subnets - different DNS.
hardwareConcurrency — the number of cores.
deviceMemory — the number of GB of RAM.
In my opinion, there is no need to replace them if they are more or less standard (for example, 4 and 4). But if you have a machine with 32 GB of RAM, this will be a bad sign in the long run.
Here in terms of substitution I can't suggest anything (at least in this article at the moment, since I use my own templates for this). But in one of the following articles I think I will touch on it.
The remaining data in the Navigator submenu is irrelevant, the virtual machine solves the problem with them.
https://www.w3counter.com/globalstats.php
http://gs.statcounter.com/screen-resolution-stats
Bit depth 24 is the standard. And there is no point in changing it.
The screen resolution parameter also has such a parameter as viewport (working area in the browser). That is, because of the address bar and tabs in the browser, the taskbar strip at the bottom with the start button and scrolling in the browser on the right - the viewport resolution will differ in the smaller direction from the screen resolution. This is worth considering if you emulate, for example, a resolution larger than the monitor screen size (let's say 1920x1080), but leave the viewport the same as with a lower resolution (for example, viewport 1349x657, which belongs to the resolution 1366x768). This will be very obvious for detection systems, especially if it is repeated.
I don’t touch the doNotTrack parameter, it doesn’t really affect anything when working with the same virtual machine, rather, its forced change already allows people to think of you as a more savvy user.
Therefore, when working from a laptop, you must have a 100% charge and a constant connection to the network (when logging out and logging into different accounts, especially in the same IP subnet).
If you see this message, then everything is fine and you have one of the latest versions of your browser (I checked it on the latest Chrome and Firefox), which does not support this outdated and unsafe plugin.
In the same case, if it is present and you do not want to get rid of it, then you should clear all the data on your virtual (host) machine each time along the way:
As you can see, the situation here is the same as with Silverlight. An outdated and unsafe plugin that was removed from support in new versions of browsers. So outdated that I can't even tell you how to enable it. Do you need it?
To do this, type about:config in the address bar, then type Vendor in the search and change it to any value. For example, just Mozilla.
Next, enter Renderer and select webgl.renderer-string-override:
For example, I entered ANGLE (Intel(R) HD Graphics 620 Direct3D11 vs_5_0 ps_5_0).
WebGL Report Hash should also change. But we'll have to sweat with Image Hash. I'll leave this point, maybe I'll add to it, but for now I don't have a home-made solution for this point, I can only say that it's different in different browsers. I don't need this, since I have my own self-written browser, where this point is automatically replaced.
It is possible, of course, to block access to WebGL, but this would be a powerful wake-up call to Zucker and a quick subsequent ban.
About the presence/absence of a video camera and microphone - the request is provided by the site and the user confirms whether he wants to provide the site with access to them or not. So there can be no leak here.
Alternatively, in Mozilla you can go to Settings and find this section in the General menu :
Let's select Advanced... and uncheck the box next to Allow websites to use their own fonts instead of those installed above. Save the changes. And now let's select the default font (supporting Cyrillic) with some size (preferably standard).
This will change our Canvas (as well as Font Fingerprint by the way ).
Adblock gets detected, that's natural, BUT a non-standard and repeating set of blocklists will get detected ESPECIALLY. The solution is not to use Adblock, or not to touch it at all, so as not to stand out from the group of people.
Firefox Resources Reader is irrelevant, as the leak occurred on old versions of Firefox. The leak consisted of Firefox pretending to be Firefox and leaking some data hashes that were stored in its JS files.
ClientRects Fingerprinting — the method of combating is exactly the same as with Canvas. That is, changing the default font in Mozilla.
CSS Media Queries - should be different across different virtual machines.
Social Media Login Detection is one of the most interesting things in this article, as I haven't seen any thoughts about it anywhere. As you will notice, the site will detect on your machine which social networks you are logged into. And, probably, Facebook will do the same before you register. How unpleasant it will be for it to be your very first social network, in which you will be registered, don't you agree? Save this list to yourself and each time before registration, register on some of them randomly.
You can check your browser's data leakage here: https://browserleaks.com/
And this site from American human rights activists will allow you to analyze your anonymity on the network: https://panopticlick.eff.org/
Another good resource showing exactly what flaws can compromise your anonymity online and how anti-fraud systems respond to these anomalies: https://www.whoer.net/
Are you still reading and not freaked out by all these methods of collecting your personal information? It means you are on the same path with us and you care about yourself and your safety. And that means we will definitely tell you how to protect yourself.
Take care of yourself and remember: safety is above all. Don't be lazy and set everything up correctly.
You have been fucked, are being fucked and will be fucked. The state, hackers, officials. It is impossible to stop this swinger party. But I will teach you how to protect yourself.
I will show and tell you what the magazine "Hacker" does not write about and other channels do not tell or simply do not know. Here you will find a selection of the best articles and videos on the topic of cybersecurity. Everything from Wi-Fi auditing to opening cars (if you lost the keys). As well as hot news with author's comments.
The widespread use of digital fingerprinting technologies makes it easy to collect personal information. In addition, users voluntarily share personal information on social networks, instant messengers, email correspondence, and other online platforms, often without even suspecting that their data could fall into the wrong hands.
In the first part, we figured out what fingerprinting is and made Firefox a little safer. In the second part, we will talk about how to hide a fingerprint, setting up a virtual machine, anonymous and not quite anonymous browsers, and of course, protecting your identity online.
VirtualBox setup
It is no secret that a virtual system has a very unique configuration and digital fingerprint. To verify this, you don’t even need to use software like AIDA64 or EVEREST. Simply open the “Device Manager”. Your entire system simply “screams” that it is a virtual machine.Here I will describe several manipulations with VM in order to make its fingerprint less recognizable and hide the information that it is a virtual machine.
We will use VBoxHardenedLoader:
This is a great add-on for VirtualBox that allows you to change almost any settings of your virtual machine.
Just downloading the file is not enough. You also need to make the necessary settings. To do this, do everything in accordance with the manual.
Download and install VirtualBox.
Open VirtualBox and create a virtual machine with the settings you want.
Note: 2048 MB is not mandatory, you can adjust or reduce this value as you wish, but keep in mind - some detection systems try to identify a virtual machine by the available physical memory and if it is too small - this is a red flag that it is a virtual machine.
Create a virtual disk
Remember that the recommended disk size should be greater than 32, or better yet, 64 GB. A smaller size will indicate that this
is a virtual machine.
Once the virtual machine is created, open its settings – you will need to make certain changes.
In the System menu, Motherboard tab, check the Enable I/O API box.
In the Processor tab, enable PAE/NX and install at least 2 processors. If it says that there is only one processor, this is an indicator that a virtual machine is being used.
In the Acceleration menu, set Paravirtualization Interface to Legacy and enable VT-x/Nested Paging. If you leave the paravirtualization value “Default”, it gives the virtual machine the Virtual Box hypervisor and even the hypervisor name via the cpuid value. And this is a complete disaster!
On the Display tab, disable 2D/3D Acceleration.
Storage.
It should look something like this.
Save all settings and close VirtualBox completely.
Download the program from here and save it where you want. For example c:\vboxldr.
Now the important part. Go to the data folder and select the system startup script.
hidevm_ahci for VM with SATA/AHCI controller and classic BIOS
hidevm_ide for VM with IDE controller and classic BIOS
hidevm_efiahci for VM with SATA/AHCI controller and EFI
hidevm_efiide for VM with IDE controller and EFI
Edit the script according to your configuration for your needs:
set vboxman=”C:\Program Files\Oracle\VirtualBox\vboxmanage.exe”
set vmscfgdir=D:\Virtual\VBOX\Settings\
Change vmscfgdir to the folder with your machine settings.
Make the remaining settings and run the script with the name of your virtual machine.
But don't launch VirtualBox yet - you're not ready yet.
Run loader.exe with Administrator privileges.
You will have to repeat this step every time you restart the OS.
Attention! Remember that you should never install Virtual Box Additions - it will ruin everything.
As practice has shown, each configuration requires its own approach to installation and its own writing of the config file. Much depends on the operating system and its version on which we are going to build the virtual machine.
There is no doubt about the flexibility and reliability of the system. Everything is individually configured to your taste.
Let's replace all the hardware of our virtual machine:
– processor model
– motherboard manufacturer/company
– BIOS ID, version/date
– ID CPU и ID HDD
– Windows product ID
- replacing the video card (Important!)
- random Mac-Address of the network device or manual installation for each machine
- unlike a simple virtual machine, on ours we will be able to control the parameters of the sound card (a hint at replacing the audio fingerprint), but of course, we still need to work on this manually and install the necessary software.
Via VboxHardenedLoader we give our future virtual machine random properties and parameters, and only then install Windows there. All settings of our miracle machine should be made before the first launch of the OS. That is, your virtual machine is already launched with these settings as a full-fledged PC and will be identified as someone's PC, and not a virtual machine with VBOX fingerprints.
You can see how to set it all up in this video:
How to work with a virtual machine?
Having created a machine, let's call it MAIN, you load into it all the software needed for work, set up browser anti-detection, etc.
We will clone the finished MAIN machine and in the future we will work only with its clones. After “working out” the clones can be deleted and, if necessary, other clones can be made. Do not forget to give the clones values different from the MAIN VM, remembering that this is a cloned machine and it is similar to the MAIN. And it needs to be different. We launch the written config file and everything happens automatically. VboxHardened does its job.
One-click clone randomization works with all hardware except the processor and motherboard.
The processor model does not need to be changed so often, the main thing is that it differs from the host processor model. It is important that the CPUID itself has changed. The final choice is yours - when, how and how often to change the model.
For the paranoid, the configured machine (and subsequent clones) can be used in conjunction with Whonix. You can add your neighbor's Wi-Fi to this.
Setting up VMWare
There is also a commercial virtual machine from the pioneers of the virtualization topic. Although in VMWare the hardware settings are not as flexible as in VirtualBox with add-ons, here it is possible to hide the fact that this is a virtual machine without any add-ons and plugins, using your own means.I used VMWare Workstation for Win.
1) A newly installed system is required for operation; I couldn’t find how to make changes to an existing one.
Prepare a virtual disk, specify the system as you usually do, and in the settings for the machine being installed, I have this item called Isolation, turn off any data exchange with the host OS.
2) Next, you need to find the VMX configuration file created at the stage of creating the machine in VMWare, and add the following lines to the end:
Code:
[I]isolation.tools.getPtrLocation.disable = «TRUE»isolation.tools.setPtrLocation.disable = «TRUE»isolation.tools.setVersion.disable = «TRUE»isolation.tools.getVersion.disable = «TRUE»monitor_control.disable_directexec = «TRUE»monitor_control.disable_chksimd = «TRUE»monitor_control.disable_ntreloc = «TRUE»monitor_control.disable_selfmod = «TRUE»monitor_control.disable_reloc = «TRUE»monitor_control.disable_btinout = «TRUE»monitor_control.disable_btmemspace = «TRUE»monitor_control.disable_btpriv = «TRUE»monitor_control.disable_btseg = «TRUE»[/I]These options prevent programs from detecting the virtual environment through complex checks such as tracking the memory address space and counters.
Important! If there is an option like "Express install" at the installation setup stage, turn them off. Also, do not install VMWare Tools in the installed system, since some software includes the presence of this package in the check.
3) Save the file, specify the ISO with the system installer to download, and install the OS as usual.
4) Despite the fact that the vast majority of programs that do not like the virtual environment do not go beyond the checks that we cut off in step 2, some particularly stubborn ones still go further and try to search, for example, for anything that resembles the name of virtual disk controllers.
To defeat them in Windows, go to the registry editor in the branch HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. As you can see, there is a very clear reference to the fact that the disk is virtual.
We need to change it by removing VMware, Virtual, Ven, etc. from the parameter and save it like that.
It also makes sense to replace everything that changes in the registry by searching for VMware/Virtual with something like Intel or IBM, and not just disk variables.
Afterwards, try to launch your stubborn object of experiments - in 70% of cases, the steps described will help pass the virtual environment checks.
Important! The value in HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum is overwritten after each reboot, so it must be changed after each new system startup.
And more about virtual machines
Structure your virtual machines
We strongly recommend dividing your online tasks into several categories and using a separate virtual machine for each of them. For example, use one machine to access personal mail, banking, State Services and other very personal sites. Another machine to access social networks. A third one to surf the Internet. A fourth one for work. Believe me, none of this is that difficult. Don't be lazy and set everything up once. After all, security is above all else.
Are we testing?
You can check how much you have protected yourself from detection, and also get acquainted with other popular tools among developers for detecting sandboxes and virtual machines using Pafish.
Bypassing fingerprints
Let's start with what identification methods exist, and then move on to ways to bypass/disable them.A common way for websites to obtain your data is through the use of cookies. Cookies are small packets of text files that are stored on your computer and contain certain data that can provide websites with information to improve the user experience.
Every time you visit a website, your browser will download cookies. When you visit the same website later, it will compare the data packets and provide you with a customized user experience.
Think about the font size or screen resolution you view on a website. If a website knows you always use an iPhone 8, it will give you the best settings for your iPhone. This way, the site knows whether you are a unique visitor or a return visitor. Cookies also store data about browsing habits, interests, and more.
Additionally, websites use Javascript that will interact with visitors to perform certain tasks, such as playing a video. These interactions also trigger a response, and so they receive information about you.
To identify the user's browser and without cookies, technologies for constructing digital fingerprints (fingerprint) have appeared. The most widely used are Canvas fingerprint and WebGL fingerprint. Perhaps the most popular library for obtaining a digital fingerprint is FingerprintJS2, written by our compatriot Valentin Vasiliev: https://github.com/Valve/fingerprintjs2. Updates were made several months ago, so the development is active.
One of the most effective methods of protecting against browser fingerprinting is to disable JavaScript and Flash.
When JavaScript is disabled, websites will not be able to detect the list of active plugins and fonts you are using, and they will also not be able to set certain cookies in your browser.
The downside of disabling JavaScript is that websites may not always work properly.
On the other hand, Flash can be disabled without negatively affecting the performance of websites.
Font Fingerprint
It is not known exactly when the technology appeared, but it is no longer a secret that due to its simplicity and efficiency, the font fingerprinting technology has found its application in almost all major anti-fraud companies. This technology receives a list of fonts installed on the user's PC.
For protection, the user must disable Adobe Flash and JavaScript in their browser.
Conclusion: it is worth turning off if you are just surfing the net and want to be anonymous, but need a substitute for work.
The easiest way to replace the font imprint is to change the page scale. If desired, you can select an extension in Mozilla for this purpose.
There are tests of this fingerprint on the Internet, you can try it.
WebGl Fingerprint
The technology is responsible for acceleration and work with graphics, and is part of Canvas.
Microsoft once called for abandoning WebGL due to its vulnerability to external attacks.
The essence of it is that 3D triangles are drawn, then effects, gradient, various anisotropic filtering, etc. are applied to it. Then it is converted into a byte array, to which various information about platform-dependent constants defined in WebGL is also attached. There are a lot of these constants, dozens of them - this includes color depth, maximum texture size, etc. As a result, all this information is added to our image of a 3D triangle.
The driver version, the video card version, the OpenGL standard in the system, the shader language version, all of this will affect how this image will be drawn internally. And when it is converted to a byte array, it will be different on many computers.
The fingerprint provides information about the user's video card.
What to do, you ask. You can disable plugins, but we are interested in substitution.
Since WebGl is part of Canvas, it can be partially spoofed using one of the Canvas spoofing plugins.
Complete replacement occurs with manipulation of the video card.
On the virtual machine we configured via VirtualBoxHardened, with the specified commands and parameters, it had its own fingerprint, different from the main one.
In such a machine, in the Device Manager, instead of “Virtualbox Graphics Adapter”, you can see “Standard VGA graphics adapter” with its drivers and identifiers pre-installed with Windows. As a result, the video adapter device in the virtual machine was completely replaced. When we installed Windows on the virtual machine, it saw there not the VBox video adapter device as usual, but a full-fledged PC with its own hardware, so the drivers were the ones we needed. Hence the fingerprint substitution.
Сanvas fingerprint
The method itself is quite clear: when visiting a site with a user tracking code installed, such a resource requests the user's browser to draw a hidden image, and the text is drawn using the fonts and renderer available to the system. The set of fonts and anti-aliasing methods differ slightly on different machines. The renderer depends on the browser version, OS and even GPU. As a result, the rendered image is unique.
There are various browser plugins that disable Canvas, such as this one:
https://github.com/kkapsner/CanvasBlocker
Mouse Fingerprint
It is widely used in various fields – from the simplest anti-fraud systems to government surveillance programs.
Like many other things, it is implemented via JavaScript.
To protect against mouse fingerprinting technology, it is recommended to disable JavaScript in the user's browser.
Ubercookie
A new technology, which was invented by Barcelona researcher Jose Carlos, allows identifying a user even in the TOR network.
As Jose Carlos states, Ubercookie technology is one of the main methods of deanonymizing TOR network users and is actively developing in the anti-fraud sphere due to its effectiveness.
Evercookie (persistent cookie)
A small file gets onto your PC. It multiplies and furiously spreads throughout the system, hiding from you in hidden folders/files.
Evercookie is a very smart plugin that can save your data almost anywhere. Evercookie uses all available browser storages - modern HTML 5 standard, Session Storage, Local Storage, Indexed DB and others.
For an ordinary user who does not know all this, it is simply impossible to delete these cookies. You need to visit 6-8 places on the hard drive, do a number of manipulations in order to just clear them. Therefore, an ordinary user, when visiting a site that uses evercookie, will certainly not be anonymous.
Despite all this, evercookie does not work in incognito mode.
For everyone else, there is of course a solution.
The method allows you to protect the system from this infection - a correctly configured antidetect machine will accept Flash cookies, Local Shared Objects-LSO cookies with pleasure, but all of them will be sent to our RAM. As a result, the system sees that we accepted the cookies, but, in fact, they did not fall to our PC, as a result of which they did not register there and could not multiply, causing us harm. After we finish working with the site, we close the browser window, the cookies will be deleted from the RAM.
WebRTC Fingerprinting
WebRTC is a peer-to-peer communication standard via audio streams, or it is a standard for audio communications in modern browsers. It allows you to make audio calls, etc.
Why is it so dangerous? Because P2P requests the user's IP address during information exchange, and WebRTC kindly provides this information to everyone who wants it.
Even if the user works through a VPN or TOR, with the help of WebRTC the site will be able to find out your real IP address without much difficulty.
You can check on the website whoer.net or ipleak.net.
You can turn it off, but it is better to hide your local IP from the WebRTC service. Such a solution exists. As a result, you have WebRTC enabled, but the IP itself is not transmitted. Only your VPN will be detected on top, for example.
Fingerprintjs2
It appeared in 2012, the author is not asleep and updates her brainchild to this day. We wrote about it a little higher.
The essence of it is that the code of this library queries the user's browser for all specific and unique settings and data for this browser and for this system, for the computer.
The entire list of what the code asks for is listed here.
GitHub – Valve/fingerprintjs2: Modern & flexible browser fingerprinting library – looking for maintainer
FingerprintJS does not use cookies at all. No information is stored on the hard drive of the computer where the browser is installed.
Works even in incognito mode, because it does not use storage on the hard drive. It has no dependencies and the size is 1.2 KB gzipped.
Currently used by companies such as Baidu, Google in China, MasterCard, the US President's website, AddThis - a widget hosting site, etc. This library has quickly become very popular. It is used by about 6-7% of all the most visited sites on the Internet at the moment.
Question: How unique and accurate is the definition? The study that was used as a basis was done by the Electronic Frontier Foundation, they had a project called Panopticlick. It says that the uniqueness is about 94%, but according to the developer, on the real data that he had, the uniqueness was about 90%-91%.
Audio fingerprint
Our hit parade ends with the so-called audio imprint.
The method works by sending low-frequency audio signals to the user's computer using the AudioContext API, determining how it processes them, and creating a unique "sound fingerprint." Despite its complexity, this method is extremely effective.
With its help, law enforcement agencies and advertising services can deanonymize users via VPN without having to decrypt traffic.
A study was conducted and out of 1 million sites, more than 80% had audio fingerprinting technology.
There is a database online from May 2016 that lists sites that use this fingerprint.
http://webtransparency.cs.princeton.edu/webcensus/data/census_2016
At the moment, audio fingerprinting technology is actively used by US intelligence agencies – the FBI and NSA, Europe – Interpol, and is gradually taking a leading position in anti-fraud systems around the world. This form of user identification has not yet been studied to such an extent that even the creators of the TOR browser have been unsuccessfully trying to bypass it since May 2016.
To protect against audio fingerprinting, it is recommended to completely disable JavaScript in your browser, but such drastic measures will make it completely impossible to work with most sites.
It is replaced by manipulating the sound device configured on the above-mentioned virtual machine.
Anonymous and not so anonymous browsers
1. Tor BrowserAvailable on Windows, Mac and Linux.
The TOR network is designed for one simple task - anonymous communication. This browser is the most secure.
TOR allows you to hide your location, browsing history, messages you send, and other sensitive data from people or software that analyze your traffic.
This browser routes traffic through many individual relays and tunnels in such a way that header analysis becomes meaningless. Simply put, instead of direct forwarding from point A to point B, it is forwarded through a network of many nodes.
A sniffer listening to only one node in that route will never know either the source or the destination of the intercepted information.
However, the TOR browser also has its drawbacks, the main one being speed. Since traffic is sent through many nodes, loading pages may not be as fast as you would like. If you have a good channel, the problem will not be felt, but in the case of low-speed Internet, surfing through TOR can be annoying.
It should be noted that TOR is the best solution in terms of anonymity, but complete privacy is not guaranteed. For example, downloading torrents or illegally watching TV leaves you vulnerable. However, compared to well-known browsers such as Chrome and Safari, the TOR browser is far ahead.
2. Epic Browser
Available for Windows and Mac.
While the Epic browser doesn't use a dedicated onion network, it does disable a lot of options that could negatively impact your privacy while surfing.
For example, history is not saved, DNS pre-fetching (used to speed up page loading) and cookies are disabled. DNS cache and autofill of forms are also disabled.
After closing a session, the browser automatically deletes all associated databases, settings, the contents of the Pepper Data folder, and cookies used by the Flash Player and Silverlight plug-in.
3. SRWare Iron
SRWare Iron is a free secure browser based on Chromium, optimized for maximum speed. SRWare Iron was developed by the German company SRWare as a secure alternative to the Google Chrome browser, which does not protect 100% from web sites tracking users. SRWare Iron uses the latest version of WebKit and V8, the browser does not track user actions, which ensures a high level of security and privacy.
The main difference between Chrome and SRWare Iron is improved anonymity. Experts criticize Chrome for using a “Unique User ID.” Every time a new session starts, Google is notified about the use of your data.
SRWare does not use unique identifiers or other security-sensitive features such as search suggestions.
4. Comodo Dragon Browser
Available for Windows and Mac.
Comodo is not even close to TOR, but it has some built-in tools to increase security while surfing. For example, it automatically blocks tracking, cookies, and web spies. In addition, this browser has a built-in validation function that separates strong and weak SSL certificates. It also uses antivirus software to protect against trojans, viruses, and other attacks.
As with the previous browser, Comodo Dragon is based on Chrome, so many users can easily switch.
And now about the not at all anonymous Brave
You've probably heard of the Brave browser, but the company's website explicitly states that the app "anonymously" monitors user activity. In addition, the default search engine is Google, which of course does not provide any anonymity. The browser's start page connects to the brave.com home page and sends certain requests to it, crash reports are enabled by default, which are sent along with the browser's characteristics and settings (and possibly the PC), each time Brave is turned on, it will access requests that are clearly related to their advertisers to provide targeted advertising. The browser blocks ads partially, one might say, selectively, even with the blocker enabled.
You can turn it off. But what about replacing it?
Here we will only touch on Firefox, I will talk about other methods and browsers in the next article.Let's go to browserleaks.com and let's go.
Go to the left menu on the site and select JavaScript :
IP, WEBRTC
I will not touch upon IP and WebRTC here. These parameters are talked about too much and, moreover, I will touch upon WebRTC in one of the following articles, namely how to organize its substitution in a virtual machine with one of the powerful technical solutions for anti-detection.FLASH
IP, merging via Flash - cannot be skipped. Now many, of course, do not have flash installed on your desktop solution, but if you do and do not want to get rid of it - then you will have to do the following manipulations:It is necessary to change the mms.cfg file (if Flash is installed on the computer).
If the file does not exist, then create it along the path:
Windows (32Bit): C:\Windows\System32\Macromed\Flash\
Windows (64Bit): C:\Windows\SysWOW64\Macromed\Flash\
And write at the end of the file: DisableSockets=1
But it is better to delete it anyway, it is practically no longer needed anywhere. Since the same plugins are drained through it.
TIME
Let's look at the system. It would seem that you set the time as the proxy/ip location and that's it? No, that's not enough. Some of the technical points that will screw you over:
— Accordingly, the time itself and the coincidence with the IP time zone.
— The system time has text in brackets (Moscow, standard time). Sometimes it happens that it says, for example, Saudi Arabia (one of the machines had this problem), although everything is specified correctly in the time settings in Windows. It seems to me that this is related to Windows itself and can only be changed by demolishing and reinstalling with a different image. All virtual machines hosted on it had the same problem as Zennoposter.
— Deviation in seconds. As you can see, the difference between local and system here is 21 seconds. How many machines can there be with the same time deviation, logging into Facebook accounts in a row? And especially in the same IP subnet?
LANGUAGE
The language, namely the share of one (q=0.9 or 90%) of the user is determined by his history and cookies. The higher the value, the higher the probability that the user uses this language as his native language.The value after the straight line in the Header and JavaScript is determined by the settings in the browser. (In Chrome: Settings → Advanced → Languages → Language).
Before changing settings in Chrome.
After changing settings in Chrome
The value in brackets 100% will be different for different virtual machines with different browser history.
TCP/IP STACK FINGERPRINTING (PASSIVE OS FINGERPRINTING)
I won't go into detail about the operating system, virtual machines definitely cover that. The last parameter, TCP/IP, is interesting here.
What to read on this subject:
https://www.netresec.com/index.ashx?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting
In short, the MTU value for wired Internet and some Wi-Fi modems should be 1500 (maximum value).
For mobile operators, 1400 or 1500 (sometimes less than 1400, usually multiples of 10, such as 1380). Some USB modems have 1340-1380, the same USB modems have 1340.
Also, the text value ( Windows NT kernel ) shows that you are not a mobile operator user, but a desktop Internet user. For the same Android user, there will be at least text about Linux 2.2.x-3.x, etc. Sometimes, some (Megafon modem) have a text about VPN.
What am I getting at? If you are emulating a mobile user, but are using a modem, this item will give you away. Bad VPN/Proxy rental service providers who do not bother with such security settings will also “give away” you with this item. Moreover, they may be able to fix the problem with the MTU numerical value, but there are few solutions with a text value on the market at the moment.
One of the solutions: there is a mobile device emulation - use a mobile device to distribute the Internet. From a desktop - naturally a desktop, modem, cable.
DNS
I don't see anything wrong with Google's DNS ( 8.8.8.8 and 8.8.4.4 ), but using it only on one subnet in the long run is already a suspicious thing for AI. It's better, in my opinion, to use the standard DNS of your subnet:- Gives you away as a less experienced computer user;
- The distance to the DNS servers is closer (Google's closest ones are in Finland);
- Different subnets - different DNS.
NAVIGATOR
The data we need:hardwareConcurrency — the number of cores.
deviceMemory — the number of GB of RAM.
In my opinion, there is no need to replace them if they are more or less standard (for example, 4 and 4). But if you have a machine with 32 GB of RAM, this will be a bad sign in the long run.
Here in terms of substitution I can't suggest anything (at least in this article at the moment, since I use my own templates for this). But in one of the following articles I think I will touch on it.
The remaining data in the Navigator submenu is irrelevant, the virtual machine solves the problem with them.
PLUGINS
If it's Chrome, it will show you a more or less standard set of three plugins. Naturally, the site sees more of them. To do this, you should have a set of links to the most popular 25-30 plugins and install 2-3 plugins each time you configure your own anti-detect browser.LOCATION
I don't see any point in discussing the location, since if the IP is configured correctly, the location will be tied to it.SCREEN RESOLUTION AND BIT DEPTH
There is no reason to pervert and use some obsolete computer resolutions. You can use the standard and most popular 1366x768 and not worry too much. Of course, at a distance of 50-100, something needs to be changed, but I do not think that this parameter will be negative from the AI. Statistics of the most popular resolutions:https://www.w3counter.com/globalstats.php
http://gs.statcounter.com/screen-resolution-stats
Bit depth 24 is the standard. And there is no point in changing it.
HTTP HEADERS
The virtual machine also solves the problem with them.JAVASCRIPT
What do we pay attention to?The screen resolution parameter also has such a parameter as viewport (working area in the browser). That is, because of the address bar and tabs in the browser, the taskbar strip at the bottom with the start button and scrolling in the browser on the right - the viewport resolution will differ in the smaller direction from the screen resolution. This is worth considering if you emulate, for example, a resolution larger than the monitor screen size (let's say 1920x1080), but leave the viewport the same as with a lower resolution (for example, viewport 1349x657, which belongs to the resolution 1366x768). This will be very obvious for detection systems, especially if it is repeated.
I don’t touch the doNotTrack parameter, it doesn’t really affect anything when working with the same virtual machine, rather, its forced change already allows people to think of you as a more savvy user.
BATTERY STATUS API
I specifically checked whether the latest version of Chrome has a drain for this parameter by turning off my laptop from the network. It has:
Therefore, when working from a laptop, you must have a 100% charge and a constant connection to the network (when logging out and logging into different accounts, especially in the same IP subnet).
WEB AUDIO API
I'll touch on this when discussing AudioContext Fingerprint (below).INSTALLED PLUG-INS
I touched on this in the previous article. Keep a list of links to the 30 most popular plugins and randomly install 3-5 each time.SILVERLIGHT
Next, in the left menu, skip Flash and select Silverlight.
If you see this message, then everything is fine and you have one of the latest versions of your browser (I checked it on the latest Chrome and Firefox), which does not support this outdated and unsafe plugin.
In the same case, if it is present and you do not want to get rid of it, then you should clear all the data on your virtual (host) machine each time along the way:
- C:\Users\%Username%\AppData\LocalLow\Microsoft\Silverlight\is\
JAVA APPLET
The next item in the menu on the left is Java Applet.
As you can see, the situation here is the same as with Silverlight. An outdated and unsafe plugin that was removed from support in new versions of browsers. So outdated that I can't even tell you how to enable it. Do you need it?
WEBGL
I'll give you a hint only with changing the values: Unmasked Vendor, Unmasked Renderer and WebGL Report Hash (which changes after changing the first two). And only for Mozilla. I'll discuss the last value later in one of the following articles.To do this, type about:config in the address bar, then type Vendor in the search and change it to any value. For example, just Mozilla.
Next, enter Renderer and select webgl.renderer-string-override:
For example, I entered ANGLE (Intel(R) HD Graphics 620 Direct3D11 vs_5_0 ps_5_0).
WebGL Report Hash should also change. But we'll have to sweat with Image Hash. I'll leave this point, maybe I'll add to it, but for now I don't have a home-made solution for this point, I can only say that it's different in different browsers. I don't need this, since I have my own self-written browser, where this point is automatically replaced.
It is possible, of course, to block access to WebGL, but this would be a powerful wake-up call to Zucker and a quick subsequent ban.
WEBRTC LEAK TEST
With WebRTC, I can highlight one thing here - the so-called Media Devices. Again, this moment is replaced in my browser, but here I can tell you that you can add some devices to this list using the Virtual Audio Cable program (you can find it on torrents). Play with this program, it doesn't matter which parameters you change. The main thing is to change the final value of the audio fingerprint.About the presence/absence of a video camera and microphone - the request is provided by the site and the user confirms whether he wants to provide the site with access to them or not. So there can be no leak here.
CANVAS FINGERPRINT
To replace the Canvas fingerprint, you can use the Canvas Defender extension. It is available for both Mozilla and Chrome. Yes, this is somewhat of a bummer, as sites can probably detect that you are currently using this extension. But if there are no other options, then this is exactly what you can do.Alternatively, in Mozilla you can go to Settings and find this section in the General menu :
Let's select Advanced... and uncheck the box next to Allow websites to use their own fonts instead of those installed above. Save the changes. And now let's select the default font (supporting Cyrillic) with some size (preferably standard).
This will change our Canvas (as well as Font Fingerprint by the way ).
FONT FINGERPRINT
As I said in the previous article - you need to have a set of fonts, randomly install some of them before starting a new virtual machine, for example. I will add some of my thoughts - you need to install the most popular fonts possible (and have a set of the most popular fonts). Since when pulling with JS, the site pulls installed fonts from its internal list (that is, it may not detect your overseas ones and your fingerprint will be similar to the previous one). It can pull the entire list only with Flash, which has long been disabled for everyone.CONTENT FILTERING
That's what I was talking about. Canvas Protection is exposed and the alternative solution is better in this regard.
Adblock gets detected, that's natural, BUT a non-standard and repeating set of blocklists will get detected ESPECIALLY. The solution is not to use Adblock, or not to touch it at all, so as not to stand out from the group of people.
FEATURES DETECTION
A huge set of highlighting any working/non-working parameters on the machine. What can be said? When an account is banned on a virtual machine and you have not removed Windows or cleaned everything thoroughly, it is possible that this set remains and will give you away with its fingerprint on the next account. That is, do not install unnecessary drivers like KLite Media Codec Pack. Of course, you do not need to look closely at each step, but compare, for fun, what values you have on the host and virtual machines for Modernizr.video.h264 and, for example, Modernizr.jpeg2000 and Modernizr.jpegxr. On the host machine, h264 is probably true, but on the virtual ones it is not. And the values with jpeg are false in both places. This is a completely normal thing, but if there is something unusual and over a long period of time, this will again make an unfavorable imprint on you in the eyes of anti-fraud systems. You shouldn't cling to this as one of the moments of the ban, but with the chain of values where the drain will occur - it will play more negatively than vice versa.MORE TOOLS
Next, select More Tools and I will explain some of the options:Firefox Resources Reader is irrelevant, as the leak occurred on old versions of Firefox. The leak consisted of Firefox pretending to be Firefox and leaking some data hashes that were stored in its JS files.
ClientRects Fingerprinting — the method of combating is exactly the same as with Canvas. That is, changing the default font in Mozilla.
CSS Media Queries - should be different across different virtual machines.
Social Media Login Detection is one of the most interesting things in this article, as I haven't seen any thoughts about it anywhere. As you will notice, the site will detect on your machine which social networks you are logged into. And, probably, Facebook will do the same before you register. How unpleasant it will be for it to be your very first social network, in which you will be registered, don't you agree? Save this list to yourself and each time before registration, register on some of them randomly.
AUDIOFINGERPRINT.OPENWPM.COM
For audio fingerprint I use a separate site audiofingerprint.openwpm.com. As I said above, to change it you need to play around with the installed Virtual Audio Cable program. To check your fingerprint, click Fingerprint me! and see.How to check your safety?
There are several resources that use the same data collection methods, but show you the weak points in your settings. By visiting such sites, you can clearly see how likely it is that you will be identified online:You can check your browser's data leakage here: https://browserleaks.com/
And this site from American human rights activists will allow you to analyze your anonymity on the network: https://panopticlick.eff.org/
Another good resource showing exactly what flaws can compromise your anonymity online and how anti-fraud systems respond to these anomalies: https://www.whoer.net/
Are you still reading and not freaked out by all these methods of collecting your personal information? It means you are on the same path with us and you care about yourself and your safety. And that means we will definitely tell you how to protect yourself.
Take care of yourself and remember: safety is above all. Don't be lazy and set everything up correctly.
You have been fucked, are being fucked and will be fucked. The state, hackers, officials. It is impossible to stop this swinger party. But I will teach you how to protect yourself.
I will show and tell you what the magazine "Hacker" does not write about and other channels do not tell or simply do not know. Here you will find a selection of the best articles and videos on the topic of cybersecurity. Everything from Wi-Fi auditing to opening cars (if you lost the keys). As well as hot news with author's comments.
