Browser finger-printing, privacy leakage.. some tips

I’m not turning into RMS, but it’s becoming more and more sensible to be concerned about ‘Big Brother’ and the apparent abuse of privacy or free speech on the internet, particularly in the western world, where normal parts of life now require internet access.

It was mostly tracking from advertisers that people were concerned about a few years back, but now it’s turned into a much darker and sinister form of tracking, and it’s not from advertisers, whether you know about Edward Snowden’s chilling revelations, and whether you believe him or not, the info should not be dismissed, and, if you do care, it is a very good thing ™ to cut down your attack surface, or at very least, take some sort of control as to what info can easily be leaked from your web browser, which, for most users, is the primary interface for the Internet.

Innocuous as they seemingly are, even TV sets are often connected to the internet, the interface is of course pretty closed and basic, and offer little (or no) privacy controls, there’s not too much you can tweak, after all, they *do* want your data, mentioning no names (but a particular S.Korean manufacturer does spring to mind) yet they, and almost all other set-top boxes now report back to base for updates and ‘fixes’ but also with varying degrees of snoopingness, and so it is with the ‘Internet of Things’  and ‘big data’ it’s not just an American thing either, here in old Blighty it’s welcomed by the people collecting it, and most people (users) dont know or care. It’s getting worse too.

A computer is different however, ‘browser finger-printing’ as it is known, is something we need to be aware of, as we have much more control of what data can be leeched from us in the operating system, so here we will discuss a few of those simple tips for at least keeping the worst of it all somewhat at bay, and bear in mind, while you can not really be anonymous on the internets, you can limit the info leaked from your browser,  of course it’s a sliding scale between web functionality and privacy, and you will need to find the compromise that works for you, it’s a huge subject and not one i even aim to skim the surface of here, but most people can quite safely tighten up their browser settings without too much inconvenience.  The trade off between functionality and security and privacy is ON !

Browsers: Forget Internet Explorer, or Cordona (or core_dump or whatever it’s called nowadays) I won’t get into the why’s and why not’s, you can search that for yourself, forget Windows 10 even if you’re a ‘power user’ and you install the OS with all the crap apparently switched off, i believe it still phones home and it can even remove software you might have installed, and it does. There are numerous reasons not to use Win 10, the Internet is full of reasons why not, so I won’t waste your time or mine recanting them here.

Google Chrome isn’t privacy respecting, Google Chromium neither, as Google and friends all make money from adverts, Opera isn’t open source, so cannot be trusted either. Safari, nope, for similar reasons. Obviously ‘social media’ sites are huge sources of info, and of course are being constantly hoovered up by almost all agencies who want your data, there are many (true) scary stories about this, and the apparent Federal ‘Govt official’ who popped his head ’round the corner into Zuckerbergs office, whilst someone was doing an interview with Mark Zuckerberg.. i believe the Fed had a neighbouring office at Facebook HQ there and was maybe just popping in for a neighbourly ‘borrow a cup of sugar’

Firefox is where you might want to start then. Apart from being open-source, Firefox has developed a huge eco-system around itself, and for good reason too, (and because the web needs it) This does not stop Mozilla from screwing the thing up, they screwed the GUI then added crapware like ‘Pocket’ and stuff, but many eyes are watching, so you can get rid and disable crap you don’t want or need. It’s a good place to be in this case, and for privacy enhancements, there are many plugins which will help us.

You can use a ‘web Proxy‘ with all browsers, i won’t go into how, the link is clickable and will whisk you off to Wiki if you need to know more. Your ISP probably uses some kind of proxy, maybe a transparent one, but you can install your own, in days gone by we used to use ‘squid’ but a nice easy cross-platform one is called ‘Privoxy’ give it a look.

Windows obviously has backdoors (some would say it has front doors too, with carpeted steps, marble hallways and fountains welcoming you to the lobby) Later versions of Mac OS X phone home, though this is easier to stamp out, and Linux seems the best of the bunch in privacy terms, but even Ubuntu and derivatives have had a little flack for certain little blips in the past) though Linus Torvalds wasn’t pulling too many punches when he was asked to install backdoors in Linux

Really really forget Adobe Flash Plugin. apart from being an outdated CPU hog and full of crap code, it’s a rich bed of exploits for virus’ and all kinds of nasties, flash cookies and much more horror, uninstall it and don’t look back, html5 is here, i never miss it, i won’t pollute my OS with Adobe crapware, and i am glad Omniture is gone too, and the other crap it brings.

Have a look at this website www.privacytools.io which explains much more, and recommends you install some goodies.

TOR is somewhat compromised, it can be de-anonymised quite reliably, (questions were asked about those that originally devised it) and planned talks at ‘Blackhat’ on TOR de-anonymisation didn’t go ahead.

Ublock Origin is a low CPU/ RAM adblocker and HTML firewall. like many adblockers it kills Youtube pre-rolls too which is nice in the Ublock Origin settings, enable all the blocklists too. It also adds element hiding functionality.

I think ‘Noscript’ takes the most getting used to, but it’s my favourite as i dislike surfing without it, and many sites don’t work without some javascript enabled, With NoScript though, you whitelist which other domains the site is calling code from until you’re on to get the functionality you need, once you enable the main domain many sites work, and you will be able to see how much crap is going on..  for example Youtube requires scripts fro youtube.com to run, and also ytimg.com too, but the video is actually often being served from googlevideo (remember that?) and once you enabled that script on that site, it won’t ask again, unless you’re only temporary unblocking.

Once again, like with almost all software, check all of default options and whitelists, as it’s up to you to tweak the tools once you have them installed and enabled, as supplying the software with overly restrictive defaults or whitelists can cause support headaches, and are usually not offering nearly as much protection as they can, instead, preferring users to wind up the security as they progress, and learn what they need as they go along. I delete all whitelists myself on newly installed extensions, as i don’t trust someone elses’ idea of what domains are acceptable.. see Steve Gibson’s excellent site (and podcast) at GRC.com mentioning the tyranny of the default..

Taking the steps outlined on www.privacytools.io and doing the about:config tweaks will take care of most of the main privacy leakage, and Ublock origin cleans up most of the adverts and trackers and annoyances.

For hardened Firefox tweakers there’s ‘Configuration Mania’ which has a few more tweaks, some (not all) of which are available in browser spoofing agent.. for example DOM storage and certain browser APIs.. they dont need to know that stuff.

Check DNS Crypt for your computer  and read up on OpenNIC for DNS resolution .. and other DNS options

 

With most of these extensions and plugins, do check the defaults, like with modern operating systems, much more functionality is enabled by default than you need, they ship default settings that don’t restrict much, and by definition, don’t work as much as they can, so check all default settings, don’t blindly accept them, experiment and reduce your CPU, battery drain, memory consumption, and increase your security, privacy and safety.

There are so many things to understand with this one, but really check these websites and get familiar with the these plugins and extensions, maybe you will leak a little info about yourself and increase your browser security a bit and understand more how our privacy is under threat, and how much crap is not needed on the web to get your stuff done, and even improves your surfing experience.. indeed how much crap and bloatware in being included in almost all popular operating systems is another rant i won’t got onto, i would run out of server space.. but Dear Microsoft and Apple.. yes, and even Linux distro vendors, take note. stop filling the OS full of crapware, desktop search / web integration, social media integration etc etc.. but i fear Apple & Microsoft are already lost causes, as software vendors also often ‘dumb down’ the functionality and hide features and configuration tools from users, as is the fashion nowadays, and most users just accept the default settings and carry on, but with many agencies around the web collecting all your info, it really is time to wise up to all the dumbing down that’s going on, and as Radio Amateurs, we’re still (mostly) a technically savvy bunch, it isn’t beyond the realms of most of us to take these steps.. it’s a jungle out there…

sites with a little more reading or listening and geek appeal, some are quite deep and involved.

https://www.browserleaks.com

Grc.com     Steve Gibson’s site, some good info going way back too, also a good podcast, well worth listening to.

Scott Moulton’s ‘My Hard drive died’ site… contains videos and podcasts

Paul Security Weekly   a slightly more heavyweight but funnier / more drunk uber geek security podcast & more

Infosec podcast from Sans Internet Storm Center –

Krebs on Security

Dan Kiminsky

-Hax-
All work, text and images © GB7MB

Decoding DMR / P25 with the RTL SDR – an update

Setting up  SDR# (or SDRsharp) for use with an RTL dongle is the easiest and cheapest way of listening to most digital voice modes on the VHF and UHF bands, and you don’t need to know talkgroups, colour codes, slot or anything, so it’s much easier than any other method, and it’s also great for general FM, AM and SSB monitoring too, with sensitivity on par with typical purpose made mobile and portable transceivers, though, for analogue listening, i do think the SSB AGC performance on the SDR side needs some improvement, but that may just be my personal preference, and  on the decoding side, there is no DSTAR audio decode built into DSDPlus ‘out of the box’ (on Windows)  but apart from those very minor issues, it’s a great way to go listening nowadays, and it’s not half as fiddly to set up as it was  earlier, so, as interest in decoding digital voice is still on the increase, it seemed like a good time for a refresh.

You will need:
PC  –
anything from the last several years should be fine,  most of us have PCs that are at least dual core by now, so anything runs Vista (remember that nightmare?)  will do. Windows 10 users may be a little out of luck at the moment, as i believe results can be variable.

pc
Of course, You need an RTL SDR dongle.. this blue MK II one (below) was £6 off a well known auction site, and came with the usual TV remote and the pointless UHF magmount, but hey.. i need  fridge magnet, The SDRs’ coaxial connector is probably going to be an MCX, it was on mine, but some dongles do come with the more traditional TV type Belling-Lee or even other connections, but i prefer BNC. On my previous SDR dongle i removed the whole MCX and fitted a BNC flylead. You can use 2 or 3 extension USB cables to get the receiver up and away from the often ‘RF noisy’ computer gear and possibly save a little bit of cable loss too.
RTL SDR dongles also run well under Linux, Linux driver installation here and Mac OS X Mac OSX driver installation here and an old 2012 GQRX SDR receiver complied for Mac (Thanks Elias) it’s GNU Radio based too. Even Raspberry PI’s and other SBCs can run RTL SDRs too. RTL SDR dongles can even run on Android, with drivers available in the App store, and it can even decode digital voice.

Linux can, of course, run digital voice decoding quite well too, in fact the first DSD decoder program ran on Linux only, not Windows, so to decode on Windows you had to run Cygwin and it seemed a bit fiddly, until DSD was be ported to work on Windows natively. There is a great amount of SDR work going on, not least of all on Linux – check your repo and GIT for goodies, Linux can even decode unencrypted TETRA voice, with GNUradio, so Windows and Mac users are out of luck again with that one, i may do an article on that in the future, if anyone’s interested, but it’s not for the beginner or faint-hearted, but is reasonably straight forward if you’ve compiled  software before on Linux.

 

The MK II RTL SDR – slightly better spec.

dongle2

and you may want something like this MCX to BNC lead..

mcx

The RTL SDR dongles have recently had a bit of a makeover recently, and are now available as the updated R820T2 tuner, and these do seem to have a slightly better receiver compared to my other 2 or 3 year old SDR, it does seem slightly better too.  The chinese sellers have got a little more wise too, and are often selling these with SDR in the description too, so searching for RTL SDR easily brings results, expect about £6 from Chinese sellers.
Before we start, a brief overview might seem appropriate, as using a PC to tune the bands is still an experimental, but maturing technology, and may take a little getting used to, tuning around on a SDR is quite different, no worse, no better, just different, and besides using your mouse wheel as the VFO, you can buy actual hardware VFO type knobs – on USB leads to control software. Electronic musicians have been quick to adopt real hardware controls for software instruments, and they work well too.

The RF signals come in from your dongle to your PC running the SDR program, then (my badly drawn green cable thingy) signal carries the FM audio into the decoder program (DSD Plus) and then out to your speakers. You will need a software version of one of the green cables i have drawn. Yes.. i know my quick drawing below is rubbish !

cabling

You can install it now if you like, but it will want to reboot to take effect. Don’t install the other ‘Banana’ or ‘Voiceemeter’ apps, as they’re far too complicated for what we need.

First things first, Windows drivers often come with dozens of CPU chomping addons and crapware, some soundcard drivers can be over 150Mb download, which, frankly, is ridiculous, and they can install unneeded and unwanted software and sys-tray icons which can, in some cases, be a privacy threat and slow down your PC down. The only reason I am bitching about this, is because some audio drivers, by default, run your computer’s audio through some weird surround sound DSP nonsense automatically, which is no good at all if we want to use the soundcard for something genuinely useful, so it’s worthwhile checking your Windows system tray, and  / or Windows control panel to make sure all DSP and sound effects are turned OFF, these effects can occasionally hamper attempts at decoding digital voice.

Software List:

 

VB Cable

Airspy SDRsharp receiver  and  here’s the Airspy wiki   (it’s actually quite good)

DSD Plus (digital voice decoder)  and it’s associated homepage  HERE

When you plug in you RTL SDR – Windows will prompt you to install some drivers – don’t bother – but if it does try to download dtivers, let it finish, as you’ll be replacing them in a few minutes anyway.
You’ll may need to install the Microsoft .net framework too, depending on what version of Windows you are using, but you probably have it installed already.

You will have unzipped SDRsharp into a folder then, the file is still called sdrsharp.exe, and you might need to move the whole folder somewhere else, other than the downloads directory where it probably extracted to, You could make a shortcut if you like, to sdrsharp.exe, and also unzip the DSDPlus_xxx.zip you downloaded too, and you could create a shortcut to DSDPlus.exe for convenience. I dragged these two shortcut icons into the start menu for ease of use.


Now it’s time to test it.
start SDRsharp and you should see something like this below:

Capture


First thing, check at the top left where it says “Source” and open the drop down menu and select RTL SDR (USB) …. if you dont see RTL SDR listed and the dongle is plugged in, either navigate to the SDRsharp folder and run Zadig  and follow the instructions below, if Zadig,exe is not in your SDRsharp folder already, d/load it here and run it as Administrator, Windows will prompt you for permission.
In the running SDR screenshot above, DSDPlus displays Radio ID, group ID (talkgroup) colour code, and slot.

Running ZADIG (if you need to)
select Options – then List All devices and then from the drop-down, select “Bulk In Interface 0” In the drop down box, choose Bulk-In, Interface (Interface 0) thoughit might also show up as something like  ‘RTL 28320’ or something similar, and that’s ok.
Just make sure that ‘WinUSB’ is selected as the target driver, and then click on ‘Replace Driver’.. you may have to reboot, but next time you start SDRsharp, your RTL SDR should now be in the list of available devices, select it.


Setting it up.

Under the left hand RADIO tab (see the above screenshot) set the mode to NFM, i generally set the filter bandwidth about 12500 for DMR decoding, that’s fine for most normal comms FM listening too, and on NFM i set the steps to 12.5 kc.

These USB devices are cheap and mass produced, the things are not calibrated too accurately, and so we need to fine tune the SDR so they both agree on freq.  (if you’re adventurous and run Linux, try Kalibrate which uses GSM, but it’s really overkill) and you *can* fit a much more accurate crystal.. but i’ll leave that up to you to decide.

Start SDRsharp and click the cog on the SDRsharp toolbar, you will see your device listed, now click both the AGC tickboxes to maximise RF gain, note the frequency correction adjustment there too, we need to find a known signal on air and tune the SDR to the correct freq readout, then, whilst listening, tweak the frequency correction to get it spot on. CW or SSB mode is good as you can more or less find zero beat, as you see, this one is set at +68

tghhhre


Now you’re up and running with SDRsharp, you may want to try to decode digital, check the screenshot, and notice the ‘filter audio’ needs to be unticked for decoding: same for Pocsag etc. squelch off/ open.

Captuyyuyyyyre


also make sure to send the SDR’s audio to the DSDPlus decoder program – select Output to ‘VB Cable input‘ and you should see the ‘scope display on the DSDPlus program jumping about wildly.  If you dont see DSDPlus’ scope displaying activity (even on random FM noise) it could be that audio routing may need one slight tweak, here on my old Windows7 craptop here, i had to go into the control panel, then sounds then check in and output devices as you see below, then it worked. note the audio bargraph level meters reading, your soundcard will probably be named something different.


pb2pb

Get tuning !   if the signals you see are good, but garbled or no audio, they may be using privacy or encryption, or have interference, or it may be data or GPS (LRRP) and all kinds of stuff going back and forwards, still getting problems, check your audio levels, RX bandwidth, make sure your fine tune is correct,  that filter audio is OFF and you are indeed on NFM with no squelch. Remember there is no windows binary widely availble for dstar audio yet (that i have seen) and encryption is used alot.

In case anyone is wondering, clear / unencrypted TETRA isn’t able to be decoded on anything other than Linux at the moment, and it will probably never appear on Windows anyway, On Linux it’s only done with GNURadio as a base, GNUradio companion has the most horrible interface i have ever seen (but it works very well indeed) and there’s not much unencrypted TETRA about anyway, but after all the hours of compiling and patching stuff, it’s a lot of  fun learning about it.

SDR and decoding digital voice can be fascinating, cheap, and lots of fun,  thanks to some really smart people out there, and some really cheap hardware. It offers up a new way of visualising the band and is a crossover of radio experimentation and computer tech, and it’s a developing part of the hacker and radio amateur communities too..  and who knows what direction that may lead to ?   and long may it continue.. Have Fun..

If money’s no object, or if you really must have a VFO knob for your SDR, and let’s face it, most mouse-wheels are pretty crummy for making small or accurate incremental adjustments for any length of time, so you might want to treat yourself to something like the Griffin PowerMate controller .. it’s bluetooth, but it’s still hugely overpriced as it’s little more than a rotary encoder, i wouldn’t mind, but such devices have been around for several years already, and the Chinese manufacturers still haven’t got around to making them for a fiver yet, most you see on Ebay are from Japan or the USA, or if you like the idea, you could always make one…  happy SDRing..

 

-Hax-
All work, text and images © GB7MB

Snowblind….

You know what ?

I think there’s too many white backgrounds on the web – there, i’ve said it. (yes, i know this site is bright, but it may be changing design slightly, soon) But If you have a headache, or maybe it’s late at night, or both, do you really think it’s healthy to be staring in to a light for hours on end ? – i don’t, because I get migraines and some photophobia, of course, if i have a migraine, the computers and radios are switched off and i go away..  so, i am careful to my eyes and i don’t stare into lights unnecessarily, even when i have no headache.

Pity then, that most websites are dark text on a light background.  I understand the idea of skeumorphism where it seems this idea comes from, as throughout history, printing is just dark ink on dried pulp, so i imagine it was decided this makes sense on electronic displays too.

I disagree.  To add to my ‘problem’, I’m a night owl too, so I’m often up late, typing away – but at 3AM  i’m not sat here with full house-lights switched on, it would make no sense.

So what to do ?   every site is different and that’s a problem … or is it ?

I’ll be discussing Firefox here, because that’s the most popular browser and is cross-platform, although similar add-ons can be found for other browsers, and Stylish is available for other browsers too.

First up, is a Firefox Add-on called No Squint  ..  i shan’t go into much detail about the add-ons themselves, but this lets you adjust the page zoom on Firefox, which is kind of redundant, because Firefox already has zoom + and – toolbar buttons – it’s just that they’re not enabled by default.

NoSquint does however, let you customise text and background colour, on either a site-by-site basis, or on all sites globally, which may be all that you want or need.. and  NoSquint‘s  default zoom level is 120% anyway, globally, so there will be less wasted space on your widescreen monitor.. as many sites still have a thin paragraph of content in the middle of the screen – and wasted space either side, just in case we’re all still using an old  4:3 800 x 600 CRT monitor from years ago..

Next up is Stylish  – it doesn’t do anything on it’s own, but it allows for much more fun and customisation than Nosquint does !

It’s main job is website customisation, There are hundreds of styles for the most popular sites, tweaks and fixes that other people have shared, but the less popular sites will have had nobody creating specific styles for them, so use ‘Global styles’ for all remaining websites, some styles just work on just one site, other styles change every site.

If you like this idea, I’m typing this using a global style called  Midnight Surfing  which can be found (like many more) at Stylish’s user-submitted styles site User Styles.org   so have a look to see what sites they have..  some hide Youtube comments, or remove the ads on Facebook and that chat box and all that other nonsense,  of course some styles don’t work perfectly – and some styles may work, but hide pictures or parts of the site you do use, and you have option to preview them before you apply them anyway.  Lets go through finding a dark global theme for Stylish.

As you see, I like my Firefox with the classic layout, add-on bar at the bottom, which is where i placed the Stylish ” S ” icon. by default it will likely be up at the top-right corner on the Firefox toolbar.

findnewstyle

whatever webpage you are on, to search for some styles for it, simply click the icon and select ‘Find New Styles for this site’  Easy huh ?

the Userstyles website will open and you can scroll through and see which sites suit you, and work well.

if you want global styles – click ‘advanced’ and select ‘global’ and if you were looking for dark global themes, that’s where you need to search.

advanced styles

I always install the Safari Font Rendering style too, for when i’m using light backgrounds, because Firefox’s font rendering on all three major platforms is still poor, this style invokes either anti-aliasing or more likely, sub-pixel hinting.

Another highly recommended dark style is MyFavolors which seems to be a good one too. there are hundreds more.

So Far, so good.. you even installed a dark theme in Firefox too ? good.

I even found a Yaesu FT 920 Firefox theme (my main HF rig) but now, i can’t see what i’m typing.  

Why are backlit keyboards not standard on all computers by now ? all cellphones since about 1985 have, but we are behind the times already with this, many (outrageously expensive) Amateur radio sets still do not have illuminated buttons. it’s 2015, and Yaesu, Icom and Kenwood are still fobbing Hams off with backwards tech, (who mentioned FDMA) – thank goodness for the likes of Motorola where i dont have to switch a lamp or torch on to change frequency or find a button ! The same goes with computers, or any electronic device nowadays, everthing has buttons now.. or is it only ‘PC Gamers’ who use their PCs in low light levels, because most illuminated keyboards are trash, and they look trashy too, or are some juvenile design, like Darth Vader’s sunday best helmet… or something..

To see my keyboard in low light, I bought a Apple Macbook Pro 15″ not because I’m a fanboi, I’m REALLY NOT,  but because it’s got a proper, high quality backlit keyboard, and the thing is made of metal, not cheap black plastic, where you need a torch or keyboard lamp if typing at night.. forget buying those long flexible gooseneck USB LED lights too – they stress your USB socket and will make your laptop require repair eventually. isn’t it time accessibility was extended to keyboards on PCs and Amateur Radio Gear ?

maccy

Here’s an example – a Dark Google… so why buy sunglasses or headache pills ?

dark google

Hax

All work, text and images © GB7MB

%d bloggers like this: