Noscript to the rescue
Stunts like this (intentional or not) will ensure that I will not white-list sites that try it on.
StackOverflow, a popular resource for developers looking for code to copy and paste solutions to tricky programming issues, has been found to be serving an ad complete with JavaScript code intended to track users regardless of their privacy choices. A user (Gregg Man from the Google Chrome developer team) noticed the issue …
true - and if you need NoScript _OFF_ for some reason, like testing your OWN web pages [don't get me started on web devs and glass houses] you can do what _I_ do, at least on Linux or FreeBSD with Xorg [not Wayland]:
a) enable the '-listen_tcp' option (or similar, whichever one)
b) enter 'xhost +localhost' in a console with X running
c) 'su - guestuser' [or whatever] in an X bash session console
d) export DISPLAY=localhost:0.0 in the 'guestuser' session
e) run your browser
this will sandbox the browser with 'guestuser'. just configure the browser (firefox) to DESTROY ALL HISTORY AND CACHES on the way out. No cookies, no fingerprints, no nothing.
then if you need a scripty-site loaded, you can have this nice sandbox to play with it in. And you exit the browser, and it flushes EVERYTHING, and you have a nice clean loo... er, BROWSER the next time you load up some CRAPPY script-ridden web site.
I have used this on Linux for as long as I can remember, currently with Palemoon (as my daily driver browser).
---
sudo -u firefox -H VDPAU_NVIDIA_NO_OVERLAY=1 /usr/local/palemoon/palemoon %u
---
I have a script that runs when I login (using Linux Mate) to gnome (on X11):
---
#!/bin/bash
gsettings set org.mate.peripherals-mouse middle-button-enabled true
# Grant X server access to the local user "firefox" only (server-interpreted entry)
xhost +si:localuser:firefox
---
forgot what that VDPAU_NVIDIA_NO_OVERLAY is for but it was probably important at one time for me (I do use Nvidia video cards)
Also forgot what that gsettings command and the specifics around xhost +si that I am using (other than I believe it is more secure than just opening xhost to a wider audience), it was set up so long ago now.
Only issue is sometimes I have to manually adjust permissions on files if I am uploading or downloading files, and of course it can't access my $HOME so if I need to upload something from there I normally just copy it to /tmp (single user machine so not worried about any other logged in users)
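The two posts above open the X server in different ways (`xhost +localhost` versus `xhost +si:localuser:firefox`). The following is an added example, not code from either commenter, that classifies the access list printed by `xhost` so the difference in scope is visible; the sample output is constructed, and the entry formats (`INET:`, `LOCAL:`, `SI:localuser:`) are assumed to match what a stock `xhost` prints.

```bash
#!/bin/bash
# Added example: audit X server access-list entries as printed by `xhost`.
# Reads xhost output on stdin and prints one "LEVEL entry (reason)" line per entry.
audit_xhost() {
    local line
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "HIGH access control disabled (any host may connect)" ;;
            "access control enabled"*)
                ;;  # normal state; the individual entries are checked below
            SI:localuser:*)
                echo "OK ${line} (one named local user)" ;;
            LOCAL:*)
                echo "WARN ${line} (every local user on this machine)" ;;
            INET:*|INET6:*)
                echo "WARN ${line} (host-based: any user or process on that host)" ;;
            "")
                ;;
            *)
                echo "INFO ${line} (unrecognised entry, review manually)" ;;
        esac
    done
}

# Constructed sample: the access list after both commenters' xhost commands.
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:firefox'

# Count findings of a given level (HIGH, WARN, OK, INFO) in the sample.
count_level() {
    printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | audit_xhost | grep -c "^$1 " || true
}

printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | audit_xhost
```

On a live session, pipe the real list in with `xhost | audit_xhost`.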
uMatrix plus Decentraleyes et al are a must have to ensure that every damn bloated website works at least to a degree but all these fingerprinting and data-slurping nasties stay where they belong*. Google fighting these efforts ruthlessly in Chrome seems only logical, if sad. Don't be evil, yes.
(* my analysis, though, shows that no-one should feel completely protected regardless of how well their defenses were built yesterday)
There should be no need to develop dynamic HTML via JS or to communicate with the Mother Ship.
While uBlock is wonderful, by the time I've selectively allowed enough of the JS modules to be imported to be able to use a site I've probably let in a few baddies.
If that means a site is broken and I cannot view their content... I simply never use that site again.
That, or hit F12 to open the dev console and add the display:hidden attribute to all the popovers that try to cover the screen when scripts are disabled. Independent, I'm looking at you...
Nah.
If a website refuses to work because of my defenses, then I'd prefer not to use that website even if I can work around it. Such sites proclaim loud and clear that they have no respect or regard for their users, and I want nothing to do with them.
> I simply never use that site again
Which is all very well if use of that site is optional. There are many of us who for various reasons (legal and contractual) are required to use certain sites. That might be for doing tax returns, or your employer might insist you use a certain third party site for your timesheets, or it may be the only site with information on some topic you are desperately trying to get information on, or ...
> That might be for doing tax returns,
Since that'd be a government web site (the only one you'd have to use to do tax returns, assuming they don't allow paper filing and/or it is not being done by your accountant who is the one who interacts with the website...) then that probably doesn't matter, as they have everything they'd need from their local intelligence agency (NSA, GCHQ, whoever it is).
> or your employer might insist you use a certain third party site for your timesheets,
in which case you'd be using your employer's computer with your employer's standard image on it, right? Do you care if your employer's computer is fingerprinted? I don't, not my problem. And, since I'm sitting behind a proxy and firewall on one of, oh, ~15000 identical computers with the same hardware from the same vendor with the same SOE with no ability to install additional software (let alone system components like drivers) with only a few differences in individual user preferences (e.g. resolution), then I'd probably have the same 'work' fingerprint as 5k other devices. Again, it's a work computer, I don't give a flying fcuk about it. Even if it is 'your' computer you use for work (e.g. a contractor), then you do use a separate, disposable (in terms of O/S, there a problem, just re-image it) computer than your personal computer, right?
> or it may be the only site with information on some topic you are desperately trying to get information on
Assuming there was no other way to get it, at all, that's what VMs via a VPN are for, or, if you are really paranoid, a separate physical machine (e.g. a chromebook or some other cheaparse computer/old computer) - still using a VPN - with the vendor-default O/S image (i.e. you haven't customised it at all so the fingerprint will be that of a million other computers) that you can just re-image after you've visited those sites (using the vendor supplied re-image options).
There are ways and means, it just depends on how far you are willing to go before you personally evaluate the trade-offs and effort involved whether it is worth it or not.
> Since that'd be a government web site (the only one you'd have to use to do tax returns...) then that probably doesn't matter, as they have everything they'd need from their local intelligence agency (NSA, GCHQ, whoever it is).
Ha, telling the taxman "no I don't need to do a tax return, <insert relevant spook id> can give you all the information you need" is going to result in what ? In the UK, automatic penalties which ramp up in severity and generally a whole lot of pain. It'll also give them an excuse to "open an enquiry" into your affairs, and once they've done that then they can take a fine tooth comb through your finances for quite a few previous years - and if they accuse you of deliberately misrepresenting what tax you need to pay, then that fine tooth comb can, (AIUI) go back decades.
You can, for most individuals at the moment, still file on paper - but that needs you to do it a lot earlier, and they are slowly closing the bounds of who can still use paper, with them wanting to get to a state where anyone involved in a business at all has to file online and quarterly !
> in which case you'd be using your employers computer with your employers standard image on it, right?
Wrong. Looking back, going back to pre-internet (at least, outside of academia) days, I've rarely been using an employer's computer. And for quite a while and at least the last two jobs, I've been using my own laptop - maybe a bit of "more fool me for using my own when employer should provide it", but at least I get to use MY choice of computer rather than suffering another breakdown being forced to use something that just drives me nuts.
At my last job, I once had a colleague look up and say something like "you're doing your timesheet aren't you ?" He based his correct guess on the basis of the "colourful language" coming from my direction - the web application was an abomination written in house, and which forced me to fire up a VM as it only worked with Windows and Exploder 6. I did once suggest to the head dev that such constraints were perhaps a bit restrictive - his response was that all the customers used Windows and Exploder, so there was no need to support anything else. It was "interesting" watching from the sidelines as customers started complaining ;-) As an aside to that, another dev, just before he left for somewhere better, fixed the problem that made it Exploder 6 only - it was just a case of adding or removing a ";" A nice leaving present from him to the rest of us !
> There are ways and means, it just depends on how far you are willing to go before you personally evaluate the trade-offs and effort involved whether it is worth it or not.
And in the most part, those options you suggest are getting way beyond what most of us (and certainly the majority of users) are prepared to do.
So yes, I stand by my suggestion that "if you don't like, just don't use that site" just isn't practical for all sites. Where the bar sits does depend very much on your level of paranoia and your technical abilities - but it's still there for most users.
It has come to this; as an example of why, I left a machine on overnight with Internet Explorer on the default MSN homepage. Came in the next day to find the anti-virus had nixed a small quantity of malicious JavaScripts at around 4 in the morning.
and yet when I try to explain to non techie people why I run something like noscript... they look at you with a confused expression. Normal people simply seem unable to comprehend the lengths that these wankers go to, to steal your data and identify you at any cost... and they do so without any seemingly meaningful repercussions.
The laws are a joke and the guilty get away with it... and we are treated like shit when we do to try and protect our privacy.
Must admit, most of my dealings with 'non techie' folks suggests that all that is thrown at them is seen as 'normal' and they just put up with it.
I have had people viewing me at one of my systems eg a laptop at a worksite and they can't understand why youtube doesn't play an ad before loading my video, why going to <this or that site> doesn't have all those 'ad things that pop up around the place', why there is no trumpet-playing monkey on <this site> etc etc
I get a few converts.
Methinks we are fighting a losing battle at times whilst us in the know still argue over which adblocker/script blocker is better than the other.
I'm not a prolific user of the phone but I've learned how to root it so I can cut down on a lot of the crap.
This has all got to be using up users' data all over the globe and costing people somewhere along the line.
"The tracking, advertising and monetization story on the internet is convoluted beyond measure, driven by huge global revenue involved, estimated at $298.1bn in 2019"
Does this represent value for money for the advertisers? I seriously doubt it. The few ads I see from search engines fall into two categories. One is irrelevant and the other is the exact thing I was looking for which the search thing should have thrown up anyway without the search target paying for it to be put there.
I would suggest that a good amount of it does represent value for money for the companies paying for the ads.
Online channels are very "Data rich", you can take a single ad and see exactly how many people saw it, how many clicked on it, how many converted through it etc. That is an impossible task for newspaper ads, billboards, Superbowl ads.
You also get different types. Awareness campaigns are run, I don't think these provide value for money because they have the intent to splurge out as many ads as possible to as many people as possible. Other campaigns will try to get you to buy something directly because there's a sale on.
SEO vs PPC is difficult. SEO is reliant upon a good number of people visiting the page along with myriad other factors, but highly specific pages are difficult to get ranked because their traffic is comparatively lower. Managing SEO is difficult because Google obfuscates as much of what's going on as possible as part of their work on getting people to stop gaming the system.
PPC gives the advertiser a lot more control over exactly when and where they want a very specific ad to appear to get the searcher - Size 12 red dress can go directly to a dynamic search page which wouldn't necessarily have ever been seen by a search engine's scraping bot.
There is also a certain amount of irony in those who block any tracking to the extent that Google et al. have a minimal view of you as a person and then saying that the results they get are irrelevant.
"you can take a single ad and see exactly how many people saw it, how many clicked on it, how many converted through it etc."
Can it also tell you how many were pissed off by seeing that ad yet again? How many were so pissed off they decided there and then that they'd never buy anything more from that advertiser?
Look again at what you wrote. Look carefully. Think about it. The only "data" in what you listed is the data the advertising industry uses to flog advertising services to the clients. What's more they're probably charging the clients to be provided with that "data".
"although it looks like a static banner advertising Microsoft Azure with a link, the fingerprinting code is running in the background."
And what do Microsoft have to say about it?
Let me guess:
Rogue 3rd party advertising agency.
A former member of staff.
We take your/customers'/the Universe's privacy seriously.
Only a few people affected.
Lessons learned.
Steps taken to prevent a repeat.
Next time it'll be better obfuscated - oops, that's what we really meant but it slipped out accidentally.
While the headline clearly says Microsoft, the text seems to state a Google engineer found that the Google ad network served up ads that violated Stack Exchange's advertiser policy. No mention was made where these trackers were pointing, so by the text we have no way to know who is actually responsible for this tangled web. The ads' graphics may have been recycled by whoever launched the tracker, or this would have had to have been a chain of failures and bad actors, from the creator of the campaign (M$ or otherwise), to Google passing the ad through its network (and taking its cut of the profits), and Stack failing to detect and filter the ads until the fingerprinting code was discovered by an external researcher.
So many levels of fail. All because of the packrat's den that HTML and the modern web is.
> ...has previously stated that its policy "includes but is not limited to running only static, non-animated banner[s],...
Recently they've been testing advertising which includes animated banners, with a discussion here: https://workplace.meta.stackexchange.com/questions/6157/were-testing-advertisements-on-the-workplace#comment19633_6157 they are apparently 'investigating types of banner'.
> StackOverflow has previously stated that its policy "includes but is not limited to running only static, non-animated banner[s], keeping all ads relevant to software development, not participating in real-time bidding or selling our inventory to ad networks. We are not selling user data or targeting ads to you based on any personally identifiable user data."
And then they go and allow 3rd parties to run arbitrary JavaScript in visitors' browsers? That policy isn't worth the bits it takes to transmit it.
> the site claims that "Every single ad to appear on any of our sites is vetted by the operations team."
Exhibit A seems to contradict that statement m'lord.
There is no way web developers and advertisers would behave ethically regarding fingerprint usage. There are no regulations similar to GDPR here, unfortunately.
Instead, you should protect your fingerprint information as a user with additional software:
https://medium.com/@kameleo/browser-fingerprints-why-does-that-one-ad-follow-you-even-when-youre-in-incognito-mode-d5594277baae