One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

Call for software to throw badly behaved biz in fake data tar pits


Ad and JavaScript blocking is not enough to thwart privacy invasions by the likes of Facebook: more active countermeasures are needed.

The internet ought to "route around" known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model. Just like enterprises and other large organizations set up honeypots and decoys to misdirect hackers' attention, browsers and similar software should lure website operators into tar pits of useless and false personal information.

That's according to Chad Loder, chief executive of Californian security awareness training biz habitu8, and Rapid7 founder.

“In information security, we're content to block nuisances, but with active adversaries, we take a more forward-leaning stance," Loder said. "If we classify the Facebooks of the world as active adversaries, you're going to see active countermeasures being incorporated into browsers."

Isolate and bamboozle

Loder advocates the use of “active deception” in throwing off websites and ad networks that track people around the 'net. These measures would include the automatic creation of fake profiles and identities to “isolate and bamboozle abusive sites,” effectively flooding their databases with garbage.

“We've been passive in this arms race so far, content to smugly proclaim ‘I don't use Facebook’ – but the tide is about to change,” said Loder.

“If bots can be used to spread propaganda, bots can also be used to create an immune system-like response to isolate and envelop these abusive sites while they starve for resources. If bots can be used to spread disinformation, they can also be used to create a crowd within which to hide and stay anonymous.

"Most importantly, it’s much harder for the next Cambridge Analytica to abuse data that’s riddled with synthetic but plausible garbage."

“It's not impossible to have a browser plugin that creates ephemeral and synthetic identities, flooding known privacy ghettos with bad throwaway data while preserving your anonymity,” he added on Twitter. “If we can tar-pit spammers, we can tar-pit Facebook and Google from the browser.”

Stalked everywhere we go

The harvesting of personal data from millions of people's Facebook profiles by Cambridge Analytica through its associates led to the trending #deleteFacebook campaign online.

However, deleting your FB account may not be enough. Third-party Facebook applications have gathered vast amounts of personal information from people's accounts simply by inviting users to sign up for quizzes and games. Thousands of app owners and developers still have personal data slurped from millions of users, and it is not clear how and when they will use it, or if they have since deleted the records.

Meanwhile, internet users are tracked in multiple ways all day long: by search engines, advertisers, phone apps, and similar platforms, as well as crafty ISPs. You don't need an account with a website to be stalked, and have ads targeted at you; various site operators build so-called shadow profiles of people as they click around the web, gathering databases of intelligence on folks.

“Any online platform that we use collects information about our behavior, location and so on,” said Marty Kamden, chief marketing officer of NordVPN. “Apps and platforms use cross-device tracking, where they build a consumer’s profile based on their activity throughout devices.

“Browsing history may be combined with physical location, retail purchases with watched TV programs, commute to work and so on."

There are various tools to protect one's privacy online, as Reg readers know. For example, there's Disconnect Private Browsing: it blocks third-party cookies and prevents organizations such as Facebook, Google, and Twitter from tracking you around the internet against your wishes. Another option is Privacy Badger by the non-profit Electronic Frontier Foundation.

And the freshly released Facebook Container add-on helps Firefox users shield their web activity from Facebook.

Block and tackle

For Loder, this sandboxing of identities is a step in the right direction, although it doesn’t go far enough, in his opinion. He advocated the development of a browser plugin that not only blocks access to people's real identities, but also automatically torpedoes badly behaved sites by feeding them garbage personal information.

Websites to be misled by the plugin would be selected from a crowd-sourced list. Loder batted away criticism that this mob-decided hit list could be gamed to swamp legit sites with fake data.

“There are plenty of cases where imperfect solutions provide the ‘greatest good for the greatest number’ – technically, Google's Safe Browsing database can be abused, but the value far outweighs the potential for abuse,” he argued.

The greater good would be served by going after privacy abusers, Loder maintained.

“This is where the arms race starts to heat up: infosec starts treating abusers as more than a nuisance – they start treating them as an active adversary. The stance shifts from ‘block’ to ‘actively contain, deceive, and interdict’,” Loder concluded. ®


Other stories you might like

  • Saved by the Bill: What if... Microsoft had killed Windows 95?

    Now this looks like a job for me, 'cos we need a little, controversy... 'Cos it feels so NT, without me

    Former Microsoft veep Brad Silverberg has paid tribute to Bill Gates for saving Windows 95.

    Silverberg posted his comment in a Twitter exchange started by Fast co-founder Allison Barr Allen regarding somebody who'd changed your life. Silverberg responded "Bill Gates" and, in response to a question from Microsoft cybersecurity pro Ashanka Iddya, explained Gates's role in Windows 95's survival.

    Continue reading
  • UK government opens consultation on medic-style register for Brit infosec pros

    Are you competent? Ethical? Welcome to UKCSC's new list

    Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.

    Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."

    The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.

    Continue reading
  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading
  • James Webb Space Telescope has arrived at its new home – an orbit almost a million miles from Earth

    Funnily enough, that's where we want to be right now, too

    The James Webb Space Telescope, the largest and most complex space observatory built by NASA, has reached its final destination: L2, the second Sun-Earth Lagrange point, an orbit located about a million miles away.

    Mission control sent instructions to fire the telescope's thrusters at 1400 EST (1900 UTC) on Monday. The small boost increased its speed by about 3.6 miles per hour to send it to L2, where it will orbit the Sun in line with Earth for the foreseeable future. It takes about 180 days to complete an L2 orbit, Amber Straughn, deputy project scientist for Webb Science Communications at NASA's Goddard Space Flight Center, said during a live briefing.

    "Webb, welcome home!" blurted NASA's Administrator Bill Nelson. "Congratulations to the team for all of their hard work ensuring Webb's safe arrival at L2 today. We're one step closer to uncovering the mysteries of the universe. And I can't wait to see Webb's first new views of the universe this summer."

    Continue reading
  • LG promises to make home appliance software upgradeable to take on new tasks

    Kids: empty the dishwasher! We can’t, Dad, it’s updating its OS to handle baked on grime from winter curries

    As the right to repair movement gathers pace, Korea’s LG has decided to make sure that its whitegoods can be upgraded.

    The company today announced a scheme called “Evolving Appliances For You.”

    The plan is sketchy: LG has outlined a scenario in which a customer who moves to a locale with climate markedly different to their previous home could use LG’s ThingQ app to upgrade their clothes dryer with new software that makes the appliance better suited to prevailing conditions and to the kind of fabrics you’d wear in a hotter or colder climes. The drier could also get new hardware to handle its new location. An image distributed by LG shows off the ability to change the tune a dryer plays after it finishes a load.

    Continue reading

Biting the hand that feeds IT © 1998–2022