[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] PSN, ARM's Trust Zone and TPM

Yeah we don't want these hardware IDs to be visible on the web, but also
don't forget how well you can already be tracked anyway through

There's a company called BlueCava which has your "device ID", but by that
they don't mean a hardware ID, they just have a really good fingerprint:

They claim 99.7% accuracy. A critical article about BlueCava's "device ID"

A classic is of course also EFF's Panopticlick tool:

I assume Privoxy on the FreedomBox will somewhat reduce this fingerprinting
problem, but we should keep it in mind..

Project Danube: http://projectdanube.org
Personal Data Ecosystem Consortium: http://personaldataecosystem.org/

On Thu, Jun 28, 2012 at 2:58 PM, <freebirds at hushmail.com> wrote:

> Hash: SHA1
> Ben Mendis, you are missing my points. Regardless whether a
> product, such as software, ebook, video, etc. are purchased with
> DRM, the two UUIDs of TPM and the PSN are visible online to
> websites.
> I already quoted that Intel's PSN is sent to Microsoft. When
> Windows computers start up, Microsoft automatically authenticates
> computes regarding whether they have genuine Microsoft. Microsoft
> antivirus and WMP does this too. Microsoft reads the PSN and TPM of
> computers to match the hardware with Microsoft' serial number.
> There are articles that Microsoft's customers information is
> available to government. See
> http://newsworldwide.wordpress.com/2008/05/02/microsoft-discloses-
> government-backdoor-on-windows-operating-systems/
> http://www.pcworld.com/article/190233/microsofts_spy_guide_what_you_
> need_to_know.html
> Microsoft and Skype's backdoor for government is at:
> http://memeburn.com/2011/07/microsoft-and-skype-set-to-allow-
> backdoor-eavesdropping/
> Your quote: "there is no benefit to home users, as websites are not
> using this technology." is from a very old article that was written
> prior to TPM. From: http://www.geek.com/glossary/P/psn-processor-
> serial-number/
> TPM is not software dependent. "The TPM is bound to a single
> platform and is independent of all other platform components (such
> as processor, memory and operating system)."
> http://h20331.www2.hp.com/Hpsub/cache/292199-0-0-225-121.htm
> TPM is on by default. Users do not need to enable it.
> TPM is not used only when users purchase a DRM product. Reread the
> list of ARM's TrustZone's users in my prior email.
> Website and malware use Javascript. Javascript can read UUIDs.
> Apple prohibits javascript in apps from reading UUIDs: "The uuid
> property returns the device?s unique identification id. NOTE: Apple
> no longer permits obtaining the uuid within applications. If you
> use this property in an app intended for Apple, it may get rejected
> or pulled from the store without notice at a later date. This
> property is still permitted for Android."
> http://www.appmobi.com/documentation/device.html
> Though Apple's policy is to prohibit reading UUIDs, Apple's apps do
> read them and sell them. "An examination of 101 popular smartphone
> "apps"?games and other software applications for iPhone and Android
> phones?showed that 56 transmitted the phone's unique device ID to
> other companies without users' awareness or consent. Forty-seven
> apps transmitted the phone's location in some way. Five sent age,
> gender and other personal details to outsiders. The findings reveal
> the intrusive effort by online-tracking companies to gather
> personal data about people in order to flesh out detailed dossiers
> on them.
> Among the apps tested, the iPhone apps transmitted more data than
> the apps on phones using Google Inc.'s Android operating system."
> http://online.wsj.com/article/SB100014240527487046940045760200837035
> 74602.html
> Many apps written for smartphones are also written for tablets and
> PCs. They read the UUIDs of computers and sell this information.
> This week, Intel's processor was hacked again.
> http://thehackernews.com/2012/06/intel-cpu-vulnerability-can-
> provide.html
> News articles on hacks do not give a step by step tutorial on how
> to to do. Hacking websites and forums may have tutorials. Visible
> PSN enables hacking of processors.
> Your question of how a website determine the geolocation of a
> client is a separate topic. Browsers, such as Firefox, have
> geolocation enabled. Most people do not know that there is an
> option to disable the geolocation in Firefox. Google Gears tracks
> geolocation offline. There are other Google apps that track
> geolocation which are used by websites tracking the geolocation of
> their visitors. So what UUIDs are Google apps using to track
> geolocation?
> "Geolocation can be performed by associating a geographic location
> with the Internet Protocol (IP) address, MAC address, RFID,
> hardware embedded article/production number, embedded software
> number (such as UUID, Exif/IPTC/XMP or modern steganography),
> invoice, Wi-Fi connection location, or device GPS coordinates, or
> other, perhaps self-disclosed, information."
> http://www.privacyinfo.org/geoip
> I should not have to have the burden to take the time to research
> how PSN, TPM and ARM's TrustZone are used. They exist to enable
> tracking of computers offline and online by websites. Websites sell
> user information. Malware tracks UUIDs.
> You do not need to know everything to ask Marvell whether their PSN
> is visible and whether there is ARM TrustZone in their motherboard.
> Please ask and disclose the answer on FreedomBox's website.
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
> NrXeXapCgsgdfTpgNSk3eyS8f9ItMAR4OJ1Y+BuAxqhI3p4UeQcUGo3obo9dq42adlAR
> RvPuXfGU8z+SUsVeuXpFYotW1TBOENh8LH7C0LBatwZVKnJn0FyPmzrn4cRBGDj5npnY
> 8Cjt2MXmtmVYMSgMYRj0jXTX9CkTTSvpZ/Z7zEL29QuaoJkWEgn5kRxo7xSYRL76NvRm
> ye6spMBq1OiQhhm+I7gFZBqzfKQb+G2A2t0P0m8ifjkz0m1BX3TA38C7b2IimE408YRO
> l/nWpsJ8uJsguYtKsWHdXEjKtkrki7luc17nPjAnymk=
> =6WVz
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20120629/ffd229f5/attachment.html>

Reply to: