Computer Identity and Internet Spying?

on 15.01.2006 07:30:21 by cmashieldscapting

Does a specific computer have a specific identity regardless of who is
using it and where?

Suppose a person changed ISPs, got a completely new email address from
their new ISP, used a new personal name for it, and didn't put anything
identifying on their email profile, such as a home address or phone
number?

Could someone who was spying before on what this person was doing
online continue spying although the computer has a new ISP and
(supposedly) new user, because the computer itself has some identifying
code embedded in its very vitals?

Does the physical location of the computer matter at all? That is, if
the person moved completely out of the region (which would obviously
result in changing ISPs) but took their same computer, could that same
computer still be traced to them?

Is a Macintosh specifically different in this regard than any other
computer, more easy to identify, less easy, or does this work the same
for all computers?

Thanks for any information on clearing up these questions.

Cori

Re: Computer Identity and Internet Spying?

on 15.01.2006 08:15:10 by comphelp

cmashieldscapting@hotmail.com writes:
> Does a specific computer have a specific identity regardless of who is
> using it and where?

It depends.

> Suppose a person changed ISPs, got a completely new email address
> from their new ISP, used a new personal name for it, and didn't put
> anything identifying on their email profile, such as a home address
> or phone number?

Assuming their computer is not compromised with a key logger, or
anything that phoned home and tipped an individual snoop off to the
physical machine's new whereabouts, it would be fairly untraceable,
at least by mortals.

> Could someone who was spying before on what this person was doing
> online continue spying although the computer has a new ISP and
> (supposedly) new user, because the computer itself has some
> identifying code embedded in its very vitals?

If the creepy snoop managed to get software onto that computer
unbeknownst to its rightful owner, then all bets are off.

If one wanted to be reasonably certain against being traced to a new
location, purchasing a new computer, or completely reinstalling the
operating system from original media would be the prescription I'd
write.

> Does the physical location of the computer matter at all?

> That is, if the person moved completely out of the region (which
> would obviously result in changing ISPs) but took their same
> computer, could that same computer still be traced to them?

Depends... The biggies for making the move untraceable would be to
change the email address completely, use no identifying information in
the new email addresses, don't leave traces behind in usenet
newsgroups that might identify someone based on writing style or word
choice, or whatever, change the version/type of email/news reader
being used (or use one that's exceedingly common), and completely
reinstall the operating system on the computer to make sure there
isn't any spyware. If you wanted to be very paranoid and rule out the
possibility of a hardware based snooping on the computer itself
somehow... buy a new machine entirely.

Another thing to consider is that there were (and maybe still are)
unique identifiers embedded in Microsoft Office documents that
someone very very savvy could use to try to track someone...but that's
getting into the realm of having to have someone as resourceful as
government agencies who REALLY want to find someone able to track
that.


> Is a Macintosh specifically different in this regard than any other
> computer, more easy to identify, less easy, or does this work the
> same for all computers?

Not much difference ultimately.

While macs are designed such that they're perhaps a little harder to
penetrate to begin with, and fewer pieces are available in terms of
public exploits as a manner to get malicious software onto a system
(such as a keylogger or some program that phoned home periodically).
But that's a moot point, if you're following the advice of
reinstalling the operating system to clear off any rogue bad programs
that might let a very determined and creepy stalker tip off to new
whereabouts.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 15.01.2006 09:42:43 by lars

Of course. You should never assume these things, and I'm pretty sure
that every computer has a built in unchangeable serial number which is
attached to the motherboard.

Re: Computer Identity and Internet Spying?

on 15.01.2006 10:07:35 by Volker Birk

cmashieldscapting@hotmail.com wrote:
> Does a specific computer have a specific identity regardless of who is
> using it and where?

For PCs: usually not (even the MAC address of the NIC usually can be
changed easily). And this is a good idea.

Some people want to change this, for enforcing what they call DRM:
http://en.wikipedia.org/wiki/Trusted_Computing_Group

But DRM only means, that Microsoft or another TCG member wants to decide,
what you can do with your computer. So this cannot be in your interest at
all.

> Could someone who was spying before on what this person was doing
> online continue spying although the computer has a new ISP and
> (supposedly) new user, because the computer itself has some identifying
> code embedded in its very vitals?

Not, if the computer was not modified (or is a computer, say with a
CPU ID, for example).

> Is a Macintosh specifically different in this regard than any other
> computer, more easy to identify, less easy, or does this work the same
> for all computers?

A Macintosh is not different here.

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.

Re: Computer Identity and Internet Spying?

on 15.01.2006 10:08:55 by Volker Birk

Lars wrote:
> I'm pretty sure
> that every computer has a built in unchangeable serial number which is
> attached to the motherboard.

So please show me, how I can read this number out of a simple PC or
a simple Macintosh.

Yours,
VB.

Re: Computer Identity and Internet Spying?

on 15.01.2006 10:37:45 by unknown

Post removed (X-No-Archive: yes)

Re: Computer Identity and Internet Spying?

on 15.01.2006 12:00:54 by cmashieldscapting

Jim Watt wrote:
> On 15 Jan 2006 00:42:43 -0800, "Lars" wrote:
>
> > I'm pretty sure
> >that every computer has a built in unchangeable serial number which is
> >attached to the motherboard.
>
> Please explain how this is done for the benefit of those of
> us who don't understand quite how this is done and how it's
> included in internet messages.
> --
> Jim Watt
> http://www.gibnet.com

Yes! (Although I doubtless won't be able to pretend to completely
understand your answer, I am interested in the subject and) by all
means please do!

Cori

Re: Computer Identity and Internet Spying?

on 15.01.2006 13:35:59 by unknown

Post removed (X-No-Archive: yes)

Re: Computer Identity and Internet Spying?

on 15.01.2006 15:33:15 by dave

cmashieldscapting@hotmail.com wrote:
> Does a specific computer have a specific identity regardless of who is
> using it and where?

Each will have a MAC address, although I'm not sure if that is passed
around the internet, unless you have some sort of spyware or virus. As
someone else said, that can be changed, but I'm sure the details of how
to do it would depend on the hardware and so might not always be possible.

Sun workstations have a hostid

sparrow /export/home/drkirkby % hostid
80aaf46d

which some software uses (mainly for licensing issues). That can be
changed, but it is a bit risky, since if you get it wrong, you can end
up with a dead system that needs a chip replaced - not a particularly
difficult task as it is socketed on all of them I know.

And of course, as someone else mentioned, there is spyware.

If you are really bothered, upgrade Windows to Solaris. I'm not aware of
any viruses for Solaris, and none of the usual winblows exploits will
work. That is not to say a Solaris system can't be compromised, but it
is far more difficult since it is much more secure than winblows. Few
know anything much about it either, which again is to your advantage.
Solaris on x86 (or SPARC hardware for that matter) is a free download,
although it is a large download. There are 4 CDs or a DVD image

http://www.sun.com/software/solaris/

You can buy a CD for a nominal fee from Sun if you can't download it due
to bandwidth limitations. Both 32 and 64-bit are supported on x86. For
SPARC hardware, you *must* have a 64-bit system, but that should not
bother you.
--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

Re: Computer Identity and Internet Spying?

on 15.01.2006 16:05:46 by Frank Slootweg

Todd H. wrote:
[deleted]

> Assuming their computer is not compromised with a key logger, or
> anything that phoned home and tipped an individual snoop off to the
> physical machine's new whereabouts, it would be fairly untraceable,
> at least by mortals.

The original poster ("Cori") did not set clear limits on the scope of
the "spying" part of "someone who was spying before", so I guess it
needs to be said, that not only the computer must not be compromised,
but also the 'local' network, if any, to which that computer is
connected must not be compromised. In other words, if the *network* has
been compromised, re-installing the *computer* on that network will do
little good.

[deleted]

Re: Computer Identity and Internet Spying?

on 15.01.2006 17:31:55 by comphelp

Jim Watt writes:
>
> 1. Each network card/device has a unique number, although it can be
> changed
>
> 2. Intel processors have a unique ID which can be turned off
>
> 3. MS Windows maintains unique identifiers derived from the hardware
> and software in the actual configuration.
>
> 4. When you use the Internet you are given an IP address which may only
> be leased to you for the session, the ISP logs this the time and
> date.
>
> 5. Spyware programs and others can identify which computer you are
> using as can cookies legitimately used to maintain state with web
> servers which are otherwise stateless.
>
> Otherwise it's down to paranoia.

And none of the first 4 things are passed around in internet messages
unless there is malware on the computer that is hunting them down.

Reinstalling the operating systems removes those threats from the
possibility list.

The only possible exception are Microsoft office documents containing
their unique identifier number that could be traceable back to you by
a very diligent and resourceful spy. I'm not sure, however, if
reinstalling office on a fresh OS would yield a different unique ID.

--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 15.01.2006 18:20:22 by Ant

"Volker Birk" wrote:

> Lars wrote:
>> I'm pretty sure that every computer has a built in unchangeable
>> serial number which is attached to the motherboard.
>
> So please show me, how I can read this number out of a simple PC or
> a simple Macintosh.

Intel and some other processors support a CPUID instruction which
returns information about the CPU. The PIII added a serial number,
and caused a lot of fuss about privacy issues at the time. Intel
removed the serial number with the Pentium 4. Macs using a Motorola
chip don't have this feature.

Privacy issues:
http://www.cdt.org/privacy/issues/pentium3/
CPUID guide:
http://www.paradicesoftware.com/specs/cpuid/index.htm
Intel processor serial no. FAQ
http://support.intel.com/support/processors/pentiumiii/sb/CS-007579.htm
Intel documentation (pdf):
http://download.intel.com/design/Xeon/applnots/24161829.pdf

Re: Computer Identity and Internet Spying?

on 15.01.2006 20:39:53 by Frank Slootweg

Todd H. wrote:
> Jim Watt writes:
> >
> > 1. Each network card/device has a unique number, although it can be
> > changed
> >
> > 2. Intel processors have a unique ID which can be turned off
> >
> > 3. MS Windows maintains unique identifiers derived from the hardware
> > and software in the actual configuration.
> >
> > 4. When you use the Internet you are given an IP address which may only
> > be leased to you for the session, the ISP logs this the time and
> > date.
> >
> > 5. Spyware programs and others can identify which computer you are
> > using as can cookies legitimately used to maintain state with web
> > servers which are otherwise stateless.
> >
> > Otherwise it's down to paranoia.
>
> And none of the first 4 things are passed around in internet messages
> unless there is malware on the computer that is hunting them down.

It depends on what the "spy" is doing. The OP said that the spy is
looking at what the 'victim' is doing online. *That* part relates to
"internet messages" (which probably also includes information on
websites). But perhaps the spy is doing *more* than that. For example if
the spy has access to the victim's local network (see my earlier
response), (s)he could match a MAC address to an IP address. Later, when
the IP is changed, (s)he can again determine the IP because (s)he knows
the MAC. Next (s)he can use the IP to trace the victim in "internet
messages". So the MAC address *can* be relevant.

Bottom line: It all depends on which pieces of information the spy has
access to and to which pieces (s)he has no access.

Re: Computer Identity and Internet Spying?

on 15.01.2006 22:24:17 by unruh

"Ant" writes:

>"Volker Birk" wrote:

>> Lars wrote:
>>> I'm pretty sure that every computer has a built in unchangeable
>>> serial number which is attached to the motherboard.
>>
>> So please show me, how I can read this number out of a simple PC or
>> a simple Macintosh.

>Intel and some other processors support a CPUID instruction which
>returns information about the CPU. The PIII added a serial number,
>and caused a lot of fuss about privacy issues at the time. Intel
>removed the serial number with the Pentium 4. Macs using a Motorola
>chip don't have this feature.

Of course using that feature means that you have to be able to send the cpu
the appropriate instruction. If the attacker has such control he already
has more than enough info to figure out who he is dealing with.
(Note that OS like Linux disable the serial number info. AFAIK the cpuid
does not return anything but generic info (what cpu, what speed, etc)
rather than any specific identifier.)
Of course with enough generic info one can often figure out the exact
identity.


>Privacy issues:
>http://www.cdt.org/privacy/issues/pentium3/
>CPUID guide:
>http://www.paradicesoftware.com/specs/cpuid/index.htm
>Intel processor serial no. FAQ
>http://support.intel.com/support/processors/pentiumiii/sb/CS-007579.htm
>Intel documentation (pdf):
>http://download.intel.com/design/Xeon/applnots/24161829.pdf

Re: Computer Identity and Internet Spying?

on 15.01.2006 22:26:39 by unruh

Frank Slootweg writes:

>Todd H. wrote:
>> Jim Watt writes:
>> >
>> > 1. Each network card/device has a unique number, although it can be
>> > changed
>> >
>> > 2. Intel processors have a unique ID which can be turned off
>> >
>> > 3. MS Windows maintains unique identifiers derived from the hardware
>> > and software in the actual configuration.
>> >
>> > 4. When you use the Internet you are given an IP address which may only
>> > be leased to you for the session, the ISP logs this the time and
>> > date.
>> >
>> > 5. Spyware programs and others can identify which computer you are
>> > using as can cookies legitimately used to maintain state with web
>> > servers which are otherwise stateless.
>> >
>> > Otherwise it's down to paranoia.
>>
>> And none of the first 4 things are passed around in internet messages
>> unless there is malware on the computer that is hunting them down.

> It depends on what the "spy" is doing. The OP said that the spy is
>looking at what the 'victim' is doing online. *That* part relates to
>"internet messages" (which probably also includes information on
>websites). But perhaps the spy is doing *more* than that. For example if
>the spy has access to the victim's local network (see my earlier
>response), (s)he could match a MAC address to an IP address. Later, when
>the IP is changed, (s)he can again determine the IP because (s)he knows
>the MAC. Next (s)he can use the IP to trace the victim in "internet
>messages". So the MAC address *can* be relevant.

There are no MAC to IP databases. The mac is relevant only on the immediate
local network, and that is the only place where the mac is liable to be
known. Ie, it is tough (not impossible, but tough) for someone in Ulan
Bator to find a machine with a specific mac address even if he knows the
country or city.


> Bottom line: It all depends on which pieces of information the spy has
>access to and to which pieces (s)he has no access.

Re: Computer Identity and Internet Spying?

on 15.01.2006 23:57:42 by cmashieldscapting

Todd H. wrote:

> If one wanted to be reasonably certain against being traced to a new
> location, purchasing a new computer, or completely reinstalling the
> operating system from original media would be the prescription I'd
> write.

I've heard there are such things as programs to rid a computer of any
spyware and viruses it may have picked up, and am asking what programs
are best recommended and where can they be obtained? Will this be good
enough? Thanks.

Cori

Re: Computer Identity and Internet Spying?

on 16.01.2006 01:24:45 by unruh

cmashieldscapting@hotmail.com writes:

>Todd H. wrote:

>> If one wanted to be reasonably certain against being traced to a new
>> location, purchasing a new computer, or completely reinstalling the
>> operating system from original media would be the prescription I'd
>> write.

>I've heard there are such things as programs to rid a computer of any
>spyware and viruses it may have picked up, and am asking what programs
>are best recommended and where can they be obtained? Will this be good
>enough? Thanks.

Good enough for what? A stool may be good enough for reaching a jar on a
shelf in your cupboard, but it is not very good for getting to the moon.

The best idea is to use an operating system which is not susceptible to the
viruses, spyware, etc out there. (Your system should NOT have picked up
anything that you did not want on there).
If your system does pick up something, backup, replace the operating system
completely and restore your own material from the backup (trying to make
sure that nasties are not hidden in your own material).

Re: Computer Identity and Internet Spying?

on 16.01.2006 02:59:51 by comphelp

cmashieldscapting@hotmail.com writes:

> Todd H. wrote:
>
> > If one wanted to be reasonably certain against being traced to a new
> > location, purchasing a new computer, or completely reinstalling the
> > operating system from original media would be the prescription I'd
> > write.
>
> I've heard there are such things as programs to rid a computer of any
> spyware and viruses it may have picked up, and am asking what programs
> are best recommended and where can they be obtained? Will this be good
> enough? Thanks.

Such programs can only deal (at best) with known threats. Programs in
wide deployment that the program knows about. There are no
guarantees it'll get everything, and it'd be useless against a
custom-written bit of nastyware. Again, the sophistication of the
attacker has to figure in.

As with any time you have the slightest suspicion that a rogue program
may have entered your system, the only way to be certain that it is
rid from the system is to reformat the disk, and reinstall the OS from
original media.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 16.01.2006 03:12:24 by cmashieldscapting

> The original poster ("Cori") did not set clear limits on the scope of
> the "spying" part of "someone who was spying before", so I guess it
> needs to be said, that not only the computer must not be compromised,
> but also the 'local' network, if any, to which that computer is
> connected must not be compromised. In other words, if the *network* has
> been compromised, re-installing the *computer* on that network will do
> little good.

Well, of course not. For one, when you're trying to be mysterious you
don't get specific, for another, when you're asking a question of
possible benefit to many people you make the question as broad as
possible.

Cori

Re: Computer Identity and Internet Spying?

on 16.01.2006 03:21:04 by cmashieldscapting

> It depends on what the "spy" is doing. The OP said that the spy is
> looking at what the 'victim' is doing online. *That* part relates to
> "internet messages" (which probably also includes information on
> websites). But perhaps the spy is doing *more* than that. For example if
> the spy has access to the victim's local network (see my earlier
> response), (s)he could match a MAC address to an IP address. Later, when
> the IP is changed, (s)he can again determine the IP because (s)he knows
> the MAC. Next (s)he can use the IP to trace the victim in "internet
> messages". So the MAC address *can* be relevant.
>
> Bottom line: It all depends on which pieces of information the spy has
> access to and to which pieces (s)he has no access.

Well, I have good news and bad news. The good news is I asked this
question at Macintosh forums and was ABSOLUTELY ASSURED "there are no
viruses or spyware for Mac OSX."

To which I replied: Thanks, you guys make me feel so much better.
This is one reason I bought a Mac, but I was afraid in the several
years since purchasing it, some new viruses and spyware may have been
invented for it.

(You know, just to show them I'm keeping on top of things.)

The bad news is, I happen to KNOW ON GOOD AUTHORITY that this computer
user (let's call him "the victim") was using Mac OSX and that this
other computer user (let's call him "the spy") KNEW that "the victim"
had visited certain websites. ("The spy" was trying to prevent "the
victim" from viewing a certain website on which "the victim" would like
to view information that is not in any way private or confidential.)
"The victim" has asked me to ask around whether if they do all these
things (upgrading their Mac to a higher version of OSX, changing their
ISP and their email) does "the spy" still have a secret way of
identifying "the victim" through the computer itself?

"The victim" will be most grateful for your replies.

Cori

Re: Computer Identity and Internet Spying?

on 16.01.2006 03:54:30 by comphelp

cmashieldscapting@hotmail.com writes:

> Well, I have good news and bad news. The good news is I asked this
> question at Macintosh forums and was ABSOLUTELY ASSURED "there are
> no viruses or spyware for Mac OSX."

That seems like something that mac forum users cannot absolutely
assure.

Nothing keeps a clever individual from writing and installing such
software if they have access to the computer. A cron job written in
perl that spits out the URL cache of all known web browsers on the
system and makes a connection dumping that information out via netcat
to a remote internet address... can certainly be done if the attacker
has local or remote access to the computer (e.g. old roommate or
s.o.). And because it's custom written, nothing on the mac would
redflag it, and because there's no widespread malware for the mac,
software level egress firewall filtering on a per application basis
(e.g. anything to block outbound netcat connections) is in place, and
even if there was malware protection on the machine, the custom
written solution would have a signature that no antivirus vendor would
have bothered to write for...because it's custom.

> To which I replied: Thanks, you guys make me feel so much better.
> This is one reason I bought a Mac, but I was afraid in the several
> years since purchasing it, some new viruses and spyware may have
> been invented for it.
>
> (You know, just to show them I'm keeping on top of things.)
>
> The bad news is, I happen to KNOW ON GOOD AUTHORITY that this computer
> user (let's call him "the victim") was using Mac OSX and that this
> other computer user (let's call him "the spy") KNEW that "the victim"
> had visited certain websites.

Here's where it gets interesting.

Now we all wanna know "how." What was the relationship between the
victim and the spy? Was the spy random remote dude, or was it
someone who had frequent and unfettered access to the machine? What
was the computing background of the spy? Someone capable of writing
some software or simple scripts?

> ("The spy" was trying to prevent "the victim" from viewing a certain
> website on which "the victim" would like to view information that is
> not in any way private or confidential.) "The victim" has asked me
> to ask around whether if they do all these things (upgrading their
> Mac to a higher version of OSX, changing their ISP and their email)
> does "the spy" still have a secret way of identifying "the victim"
> through the computer itself?
>
> "The victim" will be most grateful for your replies.

Not enough information is provided about what sort of access the spy
had to the victim's computer to perform a forensic analysis.

I would certainly continue to recommend the merits of a complete
re-installation of the original operating system (or a fresh
installation of a newer version of that operating system) from
original media... while the computer is disconnected from the 'net.



Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 16.01.2006 07:46:22 by Volker Birk

cmashieldscapting@hotmail.com wrote:
> I've heard there are such things as programs to rid a computer of any
> spyware and viruses it may have picked up

This is impossible.

Yours,
VB.

Re: Computer Identity and Internet Spying?

on 16.01.2006 07:51:31 by Volker Birk

Ant wrote:
> > Lars wrote:
> >> I'm pretty sure that every computer has a built in unchangeable
> >> serial number which is attached to the motherboard.
> > So please show me, how I can read this number out of a simple PC or
> > a simple Macintosh.
> Intel and some other processors support a CPUID instruction which
> returns information about the CPU. The PIII added a serial number,
> and caused a lot of fuss about privacy issues at the time. Intel
> removed the serial number with the Pentium 4. Macs using a Motorola
> chip don't have this feature.

Yes. This is why I'm asking. But Lars tells us about a serial on the
motherboard which can be read out. So I wanted to know from him, what
he's referencing, because the CPU ID he cannot mean.

Yours,
VB.

Re: Computer Identity and Internet Spying?

on 16.01.2006 07:57:23 by Volker Birk

Jim Watt wrote:
> 1. Each network card/device has a unique number, although it can be
> changed

Yes, and if you're not using IPv6 but IPv4, any IP packet is losing
this information by being routed (or never had it, only the frame around
had it).

> 2. Intel processors have a unique ID which can be turned off

Only Intel Pentium III processors have this feature.

> 3. MS Windows maintains unique identifiers derived from the hardware
> and software in the actual configuration.

Yes. GUIDs are a big problem. But they're only a problem, if you're using
Microsoft Office documents.

> 4. When you use the Internet you are given an IP address which may only
> be leased to you for the session, the ISP logs this the time and
> date.

He has to. And he has to erase this data after a while.

> 5. Spyware programs and others can identify which computer you are
> using as can cookies legitimately used to maintain state with web
> servers which are otherwise stateless.

You're mixing two things here, which don't have to do with each other.

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.
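
Added example, not part of any poster's message: the sketch below parses a constructed Ethernet frame to show that the MAC addresses sit in the link-layer header rather than in the IPv4 packet, models one router hop replacing them, and checks whether an IPv6 address carries a MAC-derived (modified EUI-64) interface identifier. All MAC addresses, IP addresses, frame bytes and function names are constructed for illustration.

```python
"""Where a host's MAC address does and does not travel.
All addresses and frame bytes below are constructed sample values."""
import ipaddress
import struct

ETH_IPV4 = 0x0800  # EtherType for IPv4


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; evaluates to 0 over an already valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"hello"):
    """Ethernet II frame around a minimal IPv4 packet (TTL 64, protocol 17)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into link-layer (MAC) and network-layer (IP) fields."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4 headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "src_ip": str(ipaddress.IPv4Address(packet[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(packet[16:20])),
        "ttl": packet[8],
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "ip_packet": packet,
    }


def route(frame: bytes, router_mac: bytes, next_hop_mac: bytes) -> bytes:
    """One router hop: the IP packet is kept (TTL - 1, new checksum) and
    wrapped in a fresh frame whose MACs belong to the router and next hop."""
    packet = bytearray(parse_frame(frame)["ip_packet"])
    ihl = (packet[0] & 0x0F) * 4
    if packet[8] <= 1:
        raise ValueError("TTL expired")
    packet[8] -= 1
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ipv4_checksum(bytes(packet[:ihl])))
    return next_hop_mac + router_mac + struct.pack("!H", ETH_IPV4) + bytes(packet)


def slaac_eui64_address(prefix: str, mac: bytes) -> str:
    """IPv6 address with a modified EUI-64 interface ID (RFC 4291, App. A):
    flip the universal/local bit and insert ff:fe in the middle of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_ipv6(address: str):
    """Return the MAC an address appears to embed, or None. A random
    interface ID can contain ff:fe by chance, so a hit is only a hint."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return mac_str(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])


def demo() -> dict:
    host, lan_gw = mac_bytes("00:11:22:33:44:55"), mac_bytes("02:aa:aa:aa:aa:01")
    wan_gw, isp = mac_bytes("02:aa:aa:aa:aa:02"), mac_bytes("02:bb:bb:bb:bb:01")
    on_lan = build_frame(host, lan_gw, "192.0.2.10", "198.51.100.7")
    on_wan = route(on_lan, wan_gw, isp)
    v6 = slaac_eui64_address("2001:db8::/64", host)
    return {"lan": parse_frame(on_lan), "wan": parse_frame(on_wan),
            "host_mac_in_wan_frame": host in on_wan,
            "eui64_address": v6, "mac_from_eui64": mac_from_ipv6(v6),
            "mac_from_random_iid": mac_from_ipv6("2001:db8::a1b2:c3d4:e5f6:1789")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On a host whose IPv6 address tests positive here, enabling temporary or randomized interface identifiers (RFC 4941 privacy extensions) removes the embedded MAC.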

Re: Computer Identity and Internet Spying?

on 16.01.2006 07:59:00 by Volker Birk

Todd H. wrote:
> I'm not sure, however, if
> reinstalling office on a fresh OS would yield a different unique ID.

With a very high likeliness: yes.

Yours,
VB.

Re: Computer Identity and Internet Spying?

on 16.01.2006 08:01:58 by Volker Birk

cmashieldscapting@hotmail.com wrote:
> does "the spy" still have a secret way of
> identifying "the victim" through the computer itself?

Yes. He is the one with the Macintosh.

SCNR,
VB.

Re: Computer Identity and Internet Spying?

on 16.01.2006 10:17:57 by cmashieldscapting

Todd H. wrote:

> Here's where it gets interesting.
>
> Now we all wanna know "how." What was the relationship between the
> victim and the spy? Was the spy random remote dude, or was it
> someone who had frequent and unfettered access to the machine? What
> was the computing background of the spy? Someone capable of writing
> some software or simple scripts?

> Not enough information is provided about what sort of access the spy
> had to the victim's computer to perform a forensic analysis.

"The spy" never saw "the victim" or his computer in person. "The spy"
helps maintain the website in question (which, again, is not private or
confidential in ANY WAY except for the usual membership
requirements/logging in--"the victim" was NOT spying--just got on the
wrong side of a few vindictive individuals there) and "the spy" has
access to some sort of program available to message board moderators
(so supposedly they can tell where the messages are coming from?) "The
victim" does not believe "the spy" actually did anything bad to his
machine, just that he has it in for him regarding having access to that
one particular website.

> I would certainly continue to recommend the merits of a complete
> re-installation of the original operating system (or a fresh
> installation of a newer version of that operating system) from
> original media... while the computer is disconnected from the 'net.
>
>
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Hey, Todd, stupid question: if the connector/cable/what-have-you is
unplugged and internet connect turned off during the operation, and the
operating system newly installed, will this in any way affect files
saved on "the victim"'s Hard Drive or other things such as favorites
saved on a browser? I mean, it's just replacing the OS, right? Not
everything stored everywhere on the whole machine? Thanks.

Cori

Re: Computer Identity and Internet Spying?

on 16.01.2006 11:33:44 by cmashieldscapting

To try to further unravel the mystery, I double-checked with my friend
as to whether "the spy" had used any identifying phrases to indicate
what he had done and my friend said he specifically made reference to
"Your IP address."

Now, surely "the spy" CAN'T be out to get EVERYONE who subscribes to
the same Internet Service Provider as my friend, unless I mistake the
meaning of "IP" as being "Internet Provider" as opposed to "Identity
Personal" or some other thing. So this must indicate "the spy" has
some way to, if not infiltrate, at least identify my friend's Mac in
particular? What my friend wants to know is does this persist if he
changes Internet Service Providers and Operating Systems but not Macs?
Thanks on his behalf.

Cori

Re: Computer Identity and Internet Spying?

on 16.01.2006 17:07:53 by comphelp

cmashieldscapting@hotmail.com writes:
> Todd H. wrote:
> > Here's where it gets interesting.
> >
> > Now we all wanna know "how." What was the relationship between
> > the victim and the spy? Was the spy random remote dude, or was it
> > someone who had frequent and unfettered access to the machine?
> > What was the computing background of the spy? Someone capable of
> > writing some software or simple scripts?
>
> > Not enough information is provided about what sort of access the spy
> > had to the victim's computer to perform a forensic analysis.
>
> "The spy" never saw "the victim" or his computer in person.

Ah. Okay, that rules out a lot of the tin foil hat stuff I was
talking about earlier then.

> "The spy" helps maintain the website in question (which, again, is
> not private or confidential in ANY WAY except for the usual
> membership requirements/logging in--"the victim" was NOT
> spying--just got on the wrong side of a few vindictive individuals
> there) and "the spy" has access to some sort of program available to
> message board moderators (so supposedly they can tell where the
> messages are coming from?)

About all a remote website author can know about an inbound poster:
o ip address (which you said was different because the victim
  had moved and had new service established). Did the spy
  have any way of knowing where the victim had moved?
o account name/password (which you said was different because
  the victim created a new login/password on the site in question)
o Web browser (if the victim uses a unique web browser, this
  can be a good clue)
o Persistent cookies (if any). This is my leading suspicion
  how the remote web site spy knew the person had come back,
  and from which new ip address.
o writing style and word choice. Even the words that are
  misspelled and how they are misspelled can be used to
  identify someone. How you sign your posts can also give ya
  away. A determined spy can tell a lot just from word
  choice.

> Hey, Todd, stupid question: if the connector/cable/what-have-you is
> unplugged and internet connect turned off during the operation, and the
> operating system newly installed, will this in any way affect files
> saved on "the victim"'s Hard Drive or other things such as favorites
> saved on a browser?

> I mean, it's just replacing the OS, right? Not everything stored
> everywhere on the whole machine? Thanks.

Depends if you reinstall the operating system over what's already
there, or you do as I suggest and format the hard drive first, then
reinstall the OS. In the former situation, the cookie and cache data
may persist, in the latter they definitely do not. But, with a format
of the hard drive you also lose all your data unless you back up
first.

However that's probably not necessary in this case, now that we can
reasonably rule out a malware infection or intentionally installed
software as the answer of "how did the spy detect the victim?" If
all the spy is is a remote website operator, the solution is easier:

o Anonymous web surfing software such as Ghostsurf or
  Tor+Privoxy. Because the victim's new ip address is already
  known to the spy, they have to change it somehow. Short of
  getting a new ISP (which will be in the same geographic area
  anyway, and provide a clue), anonymous surfing software is
  the way to go.
o Delete all cookies from the current web browser. Empty the
  cache files.
o Change web browsers. If the victim uses IE now, switch
  to Firefox. If they use Firefox now, switch to Opera.
  This does two things: changes the browser info that is sent
  to the web site in question and uses a different cookie set
  so a persistent cookie from the old days won't be seen.
o Start writing in a different style.


If the remote website operator did manage to get some spyware
installed onto the computer, then the reformat and reinstall the
operating system takes care of that.

or better still, the simple and obvious solution:

o The victim should leave the board and pursue other interests.
  If there's a group that has it out for the victim on a given
  board, it's just not good for the victim's mental health to
  keep going back and doing battle. There are few if any
  discussion boards that are worth this level of drama.

I hope it all works out regardless!

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 16.01.2006 17:17:52 by comphelp

cmashieldscapting@hotmail.com writes:

> To try to further unravel the mystery, I double-checked with my friend
> as to whether "the spy" had used any identifying phrases to indicate
> what he had done and my friend said he specifically made reference to
> "Your IP address."
>
> Now, surely "the spy" CAN'T be out to get EVERYONE who subscribes to
> the same Internet Service Provider as my friend, unless I mistake the
> meaning of "IP" as being "Internet Provider" as opposed to "Identity
> Personal" or some other thing. So this must indicate "the spy" has
> some way to, if not infiltrate, at least identify my friend's Mac in
> particular? What my friend wants to know is does this persist if he
> changes Internet Service Providers and Operating Systems but not Macs?
> Thanks on his behalf.

Your friend uses a computer that only 5% at best of folks use, which
cuts down the search space quite a bit for the admin. A persistent
cookie might also be the identifying culprit.


Here's a sample line from my apache web server log on my web site. It
tells me the IP address of the person who came along with a lot of
info about their browser and operating system. My guess is that the
website operator used this browser string to identify the victim
because, unless there were tons of mac users on that board, your
buddy's would look pretty unique since macs only command a small
portion of the web surfing populace:

222.XX.XX.233 - - [16/Jan/2006:10:09:51 -0600] "GET /images/emacs.gif HTTP/1.1" 200 2064 "http://toddh.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Your friend should clear all cookies from his web browser, and install
and configure a web proxy for his Mac. Here's the link to privoxy for
the mac:
http://sourceforge.net/project/showfiles.php?group_id=11118&package_id=29783

Privoxy can be configured to rewrite this browser identification
string to something extremely generic, and to look like internet
explorer on Windows XP service pack 2, for instance, which will make
them blend in with the crowd quite a bit.

http://msdn.microsoft.com/workshop/author/dhtml/overview/aboutuseragent.asp


Best Regards,
--
Todd H.
http://www.toddh.net/
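
An added example, not part of the original posts: the two posts above list what a site operator can see about a visitor and show one Apache log line. The Python below parses lines in that same combined log format and reports how many other addresses sent the same browser string, which is the "crowd" a visitor can hide in. All addresses and the Firefox and Safari strings are constructed sample data; only the MSIE string comes from the thread.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"  # from the thread
# Constructed sample strings for a Windows Firefox and a Mac Safari visitor.
FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
SAFARI = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) "
          "AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8")


def log_line(ip, day, agent):
    """Build one constructed log entry (documentation-range addresses only)."""
    return (f'{ip} - - [{day}/Jan/2006:10:09:51 -0600] '
            f'"GET /forum/index.php HTTP/1.1" 200 2064 "-" "{agent}"')


SAMPLE_LOG = [
    log_line("192.0.2.10", "02", MSIE),
    log_line("192.0.2.11", "02", MSIE),
    log_line("198.51.100.7", "03", MSIE),
    log_line("198.51.100.8", "03", FIREFOX),
    log_line("203.0.113.5", "03", SAFARI),   # the Mac user's old address
    "truncated entry with no quoted fields",  # malformed lines are skipped
    log_line("192.0.2.200", "16", SAFARI),   # new ISP, same browser string
]
# Same visits, but the last request carries the generic string instead.
DISGUISED_LOG = SAMPLE_LOG[:-1] + [log_line("192.0.2.200", "16", MSIE)]


def parse(entry):
    """Return the fields of one combined-format entry, or None if malformed."""
    match = COMBINED.match(entry)
    return match.groupdict() if match else None


def agents_by_ip(entries):
    """Map each User-Agent string to the set of addresses that sent it."""
    seen = defaultdict(set)
    for entry in entries:
        record = parse(entry)
        if record:
            seen[record["agent"]].add(record["ip"])
    return seen


def crowd_for(entries, ip):
    """Other addresses that sent a User-Agent string this address also sent."""
    crowd = set()
    for ips in agents_by_ip(entries).values():
        if ip in ips:
            crowd |= ips - {ip}
    return crowd


if __name__ == "__main__":
    for name, log in (("as-is", SAMPLE_LOG), ("generic UA", DISGUISED_LOG)):
        print(name, sorted(crowd_for(log, "192.0.2.200")))
```

With the rare string, the only other address sharing it is the visitor's own old one; with the generic string the same visit shares it with three unrelated addresses. The combined format does not record cookies, so a persistent cookie would be matched by the forum software itself rather than from this log.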

Re: Computer Identity and Internet Spying?

on 16.01.2006 20:20:57 by Frank Slootweg

Unruh wrote:
> Frank Slootweg writes:
>
> >Todd H. wrote:
> >> Jim Watt writes:
> >> >
> >> > 1. Each network card/device has a unique number, although it can be
> >> > changed
> >> >
> >> > 2. Intel processors have a unique ID which can be turned off
> >> >
> >> > 3. MS Windows maintains unique identifiers derived from the hardware
> >> > and software in the actual configuration.
> >> >
> >> > 4. When you use the Internet you are given a IP address which may only
> >> > be leased to you for the session, the ISP logs this the time and
> >> > date.
> >> >
> >> > 5. Spyware programs and others can identify which computer you are
> >> > using as can cookies legitimately used to maintain state with web
> >> > servers which are otherwise stateless.
> >> >
> >> > Otherwise it's down to paranoia.
> >>
> >> And none of the first 4 things are passed around in internet messages
> >> unless there is malware on the computer that is hunting them down.
>
> > It depends on what the "spy" is doing. The OP said that the spy is
> >looking at what the 'victim' is doing online. *That* part relates to
> >"internet messages" (which probably also includes information on
> >websites). But perhaps the spy is doing *more* than that. For example if
> >the spy has access to the victim's local network (see my earlier
> >response), (s)he could match a MAC address to an IP address. Later, when
> >the IP is changed, (s)he can again determine the IP because (s)he knows
> >the MAC. Next (s)he can use the IP to trace the victim in "internet
> >messages". So the MAC address *can* be relevant.
>
> There are no MAC to IP databases. The mac is relevant only on the immediate
> local network, and that is the only place where the mac is liable to be
> known.

This is now rather moot, because the OP now indicated that the "spy"
is someone associated with some web-board ("helps maintain the website
in question") and the "spying" is done *on* the system which runs the
web-board. So what we have is an 'operator'/'moderator'/ who
is not really playing nice, but "spying" is, IMO, a gross overstatement.

It looks like the "spy" just determined the "victim"'s IP address,
probably from his (the spy's) logs and blocked the IP address, so the
victim can no longer log in. Big deal!

It would have been nice if Cori would have said so from the start,
i.e. provide the *real* information on the circumstances of the
"spying"/"victim". Would have saved us a lot of time which was now
wasted on silly cloak and dagger stuff.

But to respond to your response: Yes, I know and that (access to the
immediate local network) is what I meant. That may *seem* far-fetched,
but in this day and age of wide-open private WLANs, it isn't.

> Ie, it is tough (not impossible, but tough) for someone in Ulan
> Bator to find a machine with a specific mac address even if he knows the
> country or city.

Yup, but that's not what I meant. See above.

> > Bottom line: It all depends on which pieces of information the spy has
> >access to and to which pieces (s)he has no access.

Re: Computer Identity and Internet Spying?

on 16.01.2006 20:34:42 by comphelp

Frank Slootweg writes:

> It would have been nice if Cori would have said so from the start,
> i.e. provide the *real* information on the circumstances of the
> "spying"/"victim". Would have saved us a lot of time which was now
> wasted on silly cloak and dagger stuff.

Much agreed.

--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 17.01.2006 03:52:47 by cmashieldscapting

Todd H. wrote:
> cmashieldscapting@hotmail.com writes:
>
> > To try to further unravel the mystery, I double-checked with my friend
> > as to whether "the spy" had used any identifying phrases to indicate
> > what he had done and my friend said he specifically made reference to
> > "Your IP address."
> >
> > Now, surely "the spy" CAN'T be out to get EVERYONE who subscribes to
> > the same Internet Service Provider as my friend, unless I mistake the
> > meaning of "IP" as being "Internet Provider" as opposed to "Identity
> > Personal" or some other thing. So this must indicate "the spy" has
> > some way to, if not infiltrate, at least identify my friend's Mac in
> > particular? What my friend wants to know is does this persist if he
> > changes Internet Service Providers and Operating Systems but not Macs?
> > Thanks on his behalf.
>
> Your friend uses a computer that only 5% at best of folks use, which
> cuts down the search space quite a bit for the admin. A persistent
> cookie might also be the identifying culprit.
>
>
> Here's a sample line from my apache web server log on my web site. It
> tells me the IP address of the person who came along with a lot of
> info about their browser and operating system. My guess is that the
> website operator used this browser string to identify the victim
> because, unless there were tons of mac users on that board, your
> buddy's would look pretty unique since macs only command a small
> portion of the web surfing populace:
>
> 222.XX.XX.233 - - [16/Jan/2006:10:09:51 -0600] "GET /images/emacs.gif HTTP/1.1" 200 2064 "http://toddh.net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>

> Your friend should clear all cookies from his web browser, and install
> and configure a web proxy for his Mac. Here's the link to privoxy for
> the mac:
> http://sourceforge.net/project/showfiles.php?group_id=11118&package_id=29783
>
> Privoxy can be configured to rewrite this browser identification
> string to something extremely generic, and to look like internet
> explorer on Windows XP service pack 2, for instance, which will make
> them blend in with the crowd quite a bit.
>
> http://msdn.microsoft.com/workshop/author/dhtml/overview/aboutuseragent.asp
>
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Thanks for your answers, Todd! I had NO IDEA Macintoshes were so
unique, let alone that they could be disguised! How should Hard Drive
material be saved to back up and reinstall after the Hard Drive is
wiped clean? On a CD or by some other means?

Cori

Re: Computer Identity and Internet Spying?

on 17.01.2006 06:05:24 by comphelp

cmashieldscapting@hotmail.com writes:

> Thanks for your answers, Todd! I had NO IDEA Macintoshes were so
> unique, let alone that they could be disguised! How should Hard
> Drive material be saved to back up and reinstall after the Hard
> Drive is wiped clean? On a CD or by some other means?

I found this wikipedia page that's pretty interesting that shows the
variety of user agents out there.
http://en.wikipedia.org/wiki/User_agent

And here are the stats from one source about relative browser
popularity for their sites--which shows Mac browsers being pretty
rare.
http://www.w3schools.com/browsers/browsers_stats.asp

another source:
http://en.wikipedia.org/wiki/Usage_share

Backup data... Cd or external hard drive, either way. But the more I
think about it, and that you're on mac, the likelihood the remote web
operator getting software installed on a mac via drive-by download is
quite small, so reinstalling the OS might be overkill for a Mac user.

I think if your friend gets their browser User-agent string to look a
lot more like the rest of the world (by using Privoxy to spoof it as
say
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I think he might have a better shot of evading the web admin's
detection. Good luck!

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 17.01.2006 09:44:48 by cmashieldscapting

Todd H. wrote:

> Backup data... Cd or external hard drive, either way. But the more I
> think about it, and that you're on mac, the likelihood the remote web
> operator getting software installed on a mac via drive-by download is
> quite small, so reinstalling the OS might be overkill for a Mac user.

Yes, my friend and I are both on Macs. I do have other questions about
removing items from the Hard Drive, but it has nothing to do with
spying so I'll save it for another thread.

> I think if your friend gets their browser User-agent string to look a
> lot more like the rest of the world (by using Privoxy to spoof it as
> say
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>
> I think he might have a better shot of evading the web admin's
> detection. Good luck!
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

That would be GREAT if that was all my friend had to do! He does have
one other teeny question. Does his former IP address and the record
the unscrupulous moderator no doubt has of it allow the moderator to
spy on ALL my friend's online activities? Will it look suspicious if
there was a whole bunch of activity on that IP up to a point and then
suddenly none? My friend is thinking of maybe waiting six months after
changing OSs and IPs before trying to join the message board, to
further throw them off the trail. Thanks.

Cori

Re: Computer Identity and Internet Spying?

on 17.01.2006 09:52:31 by Volker Birk

cmashieldscapting@hotmail.com wrote:
> Thanks for your answers, Todd! I had NO IDEA Macintoshes were so
> unique, let alone that they could be disguised!

Every web browser can be disguised, if it's not lying. And usually there
is no harm from this.

> How should Hard Drive
> material be saved to back up and reinstall after the Hard Drive is
> wiped clean? On a CD or by some other means?

Why do you want to flatten and rebuild your Mac?

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.

Re: Computer Identity and Internet Spying?

on 17.01.2006 09:57:03 by Volker Birk

cmashieldscapting@hotmail.com wrote:
> Does his former IP address and the record
> the unscrupulous moderator no doubt has of it allow the moderator to
> spy on ALL my friend's online activities?

No.

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.

Re: Computer Identity and Internet Spying?

on 17.01.2006 10:43:54 by cmashieldscapting

Now, this is interesting. I was going through my Hard Drive again to
see if there was ANYTHING else I could throw out to make more space and
found this:

"Cache Out X is a utility for Mac OS X that specializes in deleting the
caches files of the System and of Internet navigators. Additionally it
can delete virtual memory file(s), erase system history files, as well
as cookies and Internet-related navigation/download history files. Its
Auto-Cleaner function cleans caches at log in or as scheduled by the
user thanks to iCal support; its secure deletion of Internet archives
makes its use especially suitable to public access computers."

Of course, I'm not enough of a computer whiz to know if it was there
because I "had" installed it on my Hard Drive or because I was "going
to" install it on my Hard Drive, so I went ahead and installed it and
it said it was installed successfully. I noticed there was a little
less space on my Hard Drive after doing this than before.

Anyone else use this? Now that it's installed, will it get rid of all
those nasty cookies on a periodic basis for me? What does it mean "at
log in or as scheduled by the user"? Is there some setting I'm
supposed to make on it and haven't 'cause I can't find it? Even if
not, I'll probably end up trying many of the other suggestions given
and with all of them, at least some should work.

Cori

Re: Computer Identity and Internet Spying?

on 17.01.2006 16:14:53 by comphelp

cmashieldscapting@hotmail.com writes:

> one other teeny question. Does his former IP address and the record
> the unscrupulous moderator no doubt has of it allow the moderator to
> spy on ALL my friend's online activities?

Nah. To spy on all of the friend's online activities, he'd need
software on the computer, or to have a piece of hardware in the
network at his location. Both are rather unlikely for the person to
have.

> Will it look suspicious if there was a whole bunch of activity on
> that IP up to a point and then suddenly none?

Probably. But then again you want the guy to wonder "where the hell'd
he go?"

> My friend is thinking of maybe waiting six months after changing OSs
> and IPs before trying to join the message board, to further throw
> them off the trail.

Not a bad idea at all.

--
Todd H.
http://www.toddh.net/

Re: Computer Identity and Internet Spying?

on 19.01.2006 02:24:41 by cmashieldscapting

Volker Birk wrote:
> cmashieldscapting@hotmail.com wrote:
> > Thanks for your answers, Todd! I had NO IDEA Macintoshes were so
> > unique, let alone that they could be disguised!
>
> Every web browser can be disguised, if it's not lying. And usually there
> is no harm from this.

That's just so great to know, I agree no harm, it is my Mac and I will
use it only for good, and I will certainly look into the options given
here!

> > How should Hard Drive
> > material be saved to back up and reinstall after the Hard Drive is
> > wiped clean? On a CD or by some other means?
>
> Why do you want to flatten and rebuild your Mac?
>
> Yours,
> VB.

I don't at all if it can be avoided, which Todd and others agree it
should be if these other precautions are followed.

Cori