[Freedombox-discuss] UUID tracked

[Ben Mendis]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 28 Jun 2012, freebirds at hushmail.com wrote:

> I encountered skepticism that a PSN or TPM UUID is even read at all
> even if no purchase of a DRM product is transacted. When I produce
> evidence of apps reading UUIDs and selling this information, UUIDS
> are again ignored as a threat.

Because a UUID is just a number. A number, by itself, is not a threat.
The number can't execute anything, or _do_ anything. It's just there to
be read. And if it doesn't get read, then it effectively doesn't exist.

> Ben Mendis, the issue is UUID, not that browsers, other than the
> new release of Opera, intentionally send UUID to remote websites
> and advertisers. Apps and websites read the UUID.

Right... _how_ does a website read the UUID if the browser doesn't send
it to the website? Can you explain that to me? Maybe you can't, becaues
you're not a programmer. I am a programmer. I've studied these software
stacks. I've analyzed and dissected network traffic, including full
browser sessions with websites. There is not magic ability of the CPU to
tell a website what it's serial number is if the browser doesn't
explicitly send that number to the web server.

> Benb Mendis, your suggestion of "Fix the browser, and it>won't
> matter if the UDID exists on the system or not" which is what Opera
> did is a tiny step. Reread the article on Apple banning apps that
> read UUIDs. If fixing the browser was the answer, Apple would have
> simply reconfigured Safari.

I said in that case (specifically the case of the browser sending the
UDID) that was the "fix". If you have other applications that are
sending network traffic, then those applications could also potentially
read the UUID or UDID from the hardware (if they have sufficient
permissions) and send it on their own. Just like a browser does. But if
all the software on a system is written to ignore the UUID/UDID then
you're fine. Again, this isn't an issue of the serial number existing,
it's an issue of knowing what software you're putting on your system and
what that software is programmed to do. If it wasn't the UUID/UDID, it
could just as easily read the serial number from your hard drive or
flash drive, or the MAC address of your network card (and you can't
eliminate MAC addresses or you break OSI layer 2) or some other uniquely
identifying information and they could do the same thing. Simply
removing the serial number from the CPU doesn't solve the problem you're
talking about.

> Companies want to procure UUIDs. They procure them via websites,
> apps, hacking, etc. They sell the personal data they procure to
> information brokers who resell it. They will continue to do this
> regardless of browsers. Even if the government were to pass
> legislation making it unlawful to procure and/or sell personal
> data, there is a black market for it.  The government itself
> collects user information. Their data bases are available to
> investigators.

It's not UUIDs that they want. Why would they want UUIDs? What does that
do for them? Nothing. Companies don't care about you as an individual,
they care about demographics so that they can target their
advertisments. If your processor didn't have a serial number, they would
still find a way to gather demographic information on you, because
that's where the profit motive is, and as I explained above, there are
plenty of other ways for them to do it (if the software you're running
on your local system is designed to cooperate with them.)

> I do not want to repeat myself. Nor do I want to spent days
> validating the privacy risk of UUIDs. If the hardware in the
> FreedomBox is not private, please make it so.

Well, I'm sorry you feel that way. You keep asking other people to
contact Marvell and ARM to ask them about this on your behalf. Why don't
you ask them yourself? Why do you need us to ask them for you?

Furthermore, nobody on this mailing list is manufacturing the hardware.
Freedombox happens to designing a linux distribution for embedded
devices, and they happen to be using a commercially available plug
computer as the standard reference platform, but there's no Freedombox
hardware that is being made by anyone on this list (that I am aware of).
You could take the Freedombox distribution and adapt it to run on any
ARM system you like. So go find a differnt platform if you don't like
the one that people here are using.

Also, this is not my project. I'm not a Freedombox developer. I not in a
position to make any demands of the Freedombox developers or steer the
direction of their project at all. I just an interested third party. I'm
working on a different project with similar motive and overlapping
goals. Your intitial emails made it seem like the issue might be
relevant to my project as well, but if there is an technical issue here
that needs to be addressed, you seem unwilling or unable to articulate
the nature of that threat in sufficient detail for any of us to address
it. Instead you seem to be misattributing the threat to a serial number
which may or may not be present in certain modern processors.

Best regards,
Ben the Pyrate

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJP7JEEAAoJEMco5sYyM+0wbuEH/3xF91shVpFwqKcd1MVFEoo6
bzbXHEe5VSJ+HO/jj9L8hYY7EhA721e959tiRaDaF5YWKTuZb8fPY7SIRlF3KNzW
QCP6PuNOsLieRUpkqhUrkLgRNaDEXmXNLZfEaZ7CQrDnJipMji1exQ7vuF2ip6UH
ET33IUFeDOBLypMioY3YPqoUv7ngYtwEwyj/M9CDOXnesTzX5odxt7tCmsqxr5Zb
HQaM+wh2JutX0rRSy4eIvqd2AB2El1DEz+0CimXNmv4mihx1dTGUc4ojXni4KaDY
TbQndDGZBIip/xQTWgHASy0dtHqdsd7C+/BUr+5mLxrfcNclLdQNprwRblgfOJg=
=N5Uu
-----END PGP SIGNATURE-----