[Freedombox-discuss] PSN, ARM's Trust Zone and TPM

Markus Sabadello markus at personaldataecosystem.org
Fri Jun 29 08:36:54 UTC 2012


Yeah we don't want these hardware IDs to be visible on the web, but also
don't forget how well you can already be tracked anyway through
fingerprinting.

There's a company called BlueCava which has your "device ID", but by that
they don't mean a hardware ID, they just have a really good fingerprint:
http://www.bluecava.com/

They claim 99.7% accuracy. A critical article about BlueCava's "device ID"
technology:
http://news.idg.no/cw/art.cfm?id=A36FB35A-9CA1-6125-AC87C18E040B4065

A classic is of course also EFF's Panopticlick tool:
https://panopticlick.eff.org/

I assume Privoxy on the FreedomBox will somewhat reduce this fingerprinting
problem, but we should keep it in mind.

Markus
-- 
Project Danube: http://projectdanube.org
Personal Data Ecosystem Consortium: http://personaldataecosystem.org/

On Thu, Jun 28, 2012 at 2:58 PM, <freebirds at hushmail.com> wrote:

> Ben Mendis, you are missing my points. Regardless of whether a
> product, such as software, ebook, video, etc., is purchased with
> DRM, the two UUIDs of TPM and the PSN are visible online to
> websites.
>
> I already quoted that Intel's PSN is sent to Microsoft. When
> Windows computers start up, Microsoft automatically authenticates
> computers regarding whether they have genuine Microsoft. Microsoft
> antivirus and WMP does this too. Microsoft reads the PSN and TPM of
> computers to match the hardware with Microsoft's serial number.
>
> There are articles that Microsoft's customer information is
> available to government. See
> http://newsworldwide.wordpress.com/2008/05/02/microsoft-discloses-government-backdoor-on-windows-operating-systems/
>
> http://www.pcworld.com/article/190233/microsofts_spy_guide_what_you_need_to_know.html
>
> Microsoft and Skype's backdoor for government is at:
> http://memeburn.com/2011/07/microsoft-and-skype-set-to-allow-backdoor-eavesdropping/
>
> Your quote: "there is no benefit to home users, as websites are not
> using this technology." is from a very old article that was written
> prior to TPM. From:
> http://www.geek.com/glossary/P/psn-processor-serial-number/
>
> TPM is not software dependent. "The TPM is bound to a single
> platform and is independent of all other platform components (such
> as processor, memory and operating system)."
> http://h20331.www2.hp.com/Hpsub/cache/292199-0-0-225-121.htm
>
> TPM is on by default. Users do not need to enable it.
>
> TPM is not used only when users purchase a DRM product. Reread the
> list of ARM's TrustZone's users in my prior email.
>
> Websites and malware use JavaScript. JavaScript can read UUIDs.
> Apple prohibits JavaScript in apps from reading UUIDs: "The uuid
> property returns the device’s unique identification id. NOTE: Apple
> no longer permits obtaining the uuid within applications. If you
> use this property in an app intended for Apple, it may get rejected
> or pulled from the store without notice at a later date. This
> property is still permitted for Android."
> http://www.appmobi.com/documentation/device.html
>
> Though Apple's policy is to prohibit reading UUIDs, Apple's apps do
> read them and sell them. "An examination of 101 popular smartphone
> "apps"—games and other software applications for iPhone and Android
> phones—showed that 56 transmitted the phone's unique device ID to
> other companies without users' awareness or consent. Forty-seven
> apps transmitted the phone's location in some way. Five sent age,
> gender and other personal details to outsiders. The findings reveal
> the intrusive effort by online-tracking companies to gather
> personal data about people in order to flesh out detailed dossiers
> on them.
> Among the apps tested, the iPhone apps transmitted more data than
> the apps on phones using Google Inc.'s Android operating system."
> http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
>
> Many apps written for smartphones are also written for tablets and
> PCs. They read the UUIDs of computers and sell this information.
>
> This week, Intel's processor was hacked again.
> http://thehackernews.com/2012/06/intel-cpu-vulnerability-can-provide.html
>
> News articles on hacks do not give a step by step tutorial on how
> to do it. Hacking websites and forums may have tutorials. Visible
> PSN enables hacking of processors.
>
> Your question of how a website determines the geolocation of a
> client is a separate topic. Browsers, such as Firefox, have
> geolocation enabled. Most people do not know that there is an
> option to disable the geolocation in Firefox. Google Gears tracks
> geolocation offline. There are other Google apps that track
> geolocation which are used by websites tracking the geolocation of
> their visitors. So what UUIDs are Google apps using to track
> geolocation?
>
> "Geolocation can be performed by associating a geographic location
> with the Internet Protocol (IP) address, MAC address, RFID,
> hardware embedded article/production number, embedded software
> number (such as UUID, Exif/IPTC/XMP or modern steganography),
> invoice, Wi-Fi connection location, or device GPS coordinates, or
> other, perhaps self-disclosed, information."
> http://www.privacyinfo.org/geoip
>
> I should not have to have the burden to take the time to research
> how PSN, TPM and ARM's TrustZone are used. They exist to enable
> tracking of computers offline and online by websites. Websites sell
> user information. Malware tracks UUIDs.
>
> You do not need to know everything to ask Marvell whether their PSN
> is visible and whether there is ARM TrustZone in their motherboard.
> Please ask and disclose the answer on FreedomBox's website.