That is pretty horrifying, what was also scary was how you showed that certain settings used to prevent tracking...can be used as fingerprinting information.
@unocualqu1era2 жыл бұрын
It'd be nicer if a very large amount of people used the exact same anti-tracking techniques. If you're the only person with X Y and Z settings turned on for privacy, you're gonna stand out a lot and ironically hurt your privacy, but if browsers come with X Y and Z turned on by default, there's going to be far too many people doing the same thing and websites will have a harder time telling which computer is which. Everyone would benefit from proper default settings.
@vgamesx12 жыл бұрын
Yeah, you could significantly narrow down one individual based on just a few small factors, based on the data here enabling "Do Not Track" puts you in a group of around 30% of users or only 12% of users have completely disabled cookies or you can detect the use of adblockers to around 7-20% of users and other such details. If you look on that site, they offer another test which apparently can even detect and make someone standout just by identifying out what filters your adblocker is using, interestingly however, it seemingly cannot detect filters that are blocked via DNS such as a pi-hole, nor automatic filtering via privacy badger, so that's a neat workaround.
@geroffmilan33282 жыл бұрын
It's like if you say Google doesn't know your SSN because you never gave them it: they know everyone else's, yours is just the gap.
@robertpaulson87902 жыл бұрын
If you use brave it has most of the security features out of the box, hard to track somebody with stock settings
@vgamesx12 жыл бұрын
@@robertpaulson8790 Have you tried that tool? Brave actually makes it easier to uniquely identify your browser, the good thing about brave though is that it changes its finger print often and sends random information for a lot of meta data for example the plugins you use will return something highly unique like "SJECBgw" or "PDF viewer" which would be a bit of a problem if it never changed.
@ovalwingnut2 жыл бұрын
Quote: "Two Fries that Aren't the Same.."... I finally get it!!!! Thanks so much!
@jt_hopp2 жыл бұрын
The chips differ
@window.location2 жыл бұрын
@@jt_hopp only one of them is cheap (this year to be specific)
@Crimin4L2 жыл бұрын
Brave Browser has a feature to block fingerprinting, hopefully it will be updated to include this new "Drawn Apart" method.
@e2rqey2 жыл бұрын
Sounds like you can pretty easily make a script to vary your GPU voltage by extremely small amounts every 10 to 15 mins in order to beat this. But with the number of different fingerprinting metrics out there it's a death by a thousand cuts scenario.
@hoangtran4736 Жыл бұрын
Alternatively, if you do not have access to GPU voltage controls (laptops or phones usually have overclocking locked down) or do not want to (like for stability reasons), Then it may be more feasible to make a little script that taxes a tiny, random, and variable amount of GPU and CPU load in the background.
@realryleu2 жыл бұрын
LibreWolf disables WebGL by default to mitigate this.
@NightTerror02 жыл бұрын
LibreWolf gang
@ryanb65032 жыл бұрын
I imagine that someone will come up with a way to "smudge" their GPU fingerprint so that it has a slightly random variability each time
@rxblackpill2 жыл бұрын
there is a web browser extension called trace - tracking protection. In the extension you can add a list of webGL vendors to randomize your reported GPU. This method might see past it though based on the render test.
@TadR12 жыл бұрын
Just made a comment about the same thing and then found this comment this sounds like a good idea but could be taxing on the load times of sites?
@rxblackpill2 жыл бұрын
@@TadR1 in my experience no, because it only spoofs the reported gpu, not performance. but if a site employs a render benchmark, using this to spoof a gpu but having a hugely different resulted score might expose your real gpu. so I guess the workaround would be making a custom list of gpus with very similar performance in webGL as yours. all in all, the more people who use spoofing will help create a larger pool of obfuscated data for people to be able to be reasonably protected from any real fingerprinting though.
@TadR12 жыл бұрын
@@rxblackpill Thank you for the response, enlightened me on how the bypass actually works and some issues with it.
@SuperSohaizai2 жыл бұрын
@@rxblackpill what about unvolting or overclocking to limit/increase the performance though? Tbh I'm still having difficulty grasping the concept in the video so I'm not sure what I said is relevant
@rxblackpill2 жыл бұрын
@@SuperSohaizai so as said in the video, one method of potentially thwarting a gpu fingerprinting attempt could be to overclock, underclock, or increase or decrease voltage to your gpu. I haven't personally tried this but think of how that would affect a normal PC benchmark. obviously it would affect your gpu score and although in something like 3DMark, the program would know what gpu you have, the overclock or underclock would affect your score, and depending on how drastic said modification is, the reported score could be wildly different from the majority of other user reported scores. so if a host decided to implement a webGL benchmark in their site to track you along with a webGL vendor request, they could identify you based on the reported GPU and its score. all chips in the same gpu or cpu family will not perform exactly equivalently (silicon lottery) meaning that a host could potentially pick your gpu out from a 100 or even 1000 of the exact same model with good accuracy based on the reported score of the benchmark that you unwittingly ran in the browser. underclocking or overclocking might make you score out of the percentile of your reported gpu, meaning that web hosts fingerprinting using ONLY a benchmark might not be able to identify your gpu. however, 99% of hosts fingerprinting this way would also send a webGL vendor request as well, meaning that doing an OC alone might not mitigate this entirely, same with a webGL vendor request spoofer being used alone as well. combining an overclock or underclock, and a spoofer might be the way to go though, as both data points would be inaccurate for a definitive identification. to be honest, i'm not a cybersec. expert or an overclocking expert, but this is kinda what i'm getting from the entire thing. to be sure, i would definitely research the topic a lot more. but if you want something surface level to check your fingerprints, use something like browserleaks or panopticlick.
@LudwigTheGhost2 жыл бұрын
Okay Seytonic, lets go ahead and assume that we have 3080s in our machines. /s But seriously, thank you so much for the information you provide to us consistently.
@TotesCray2 жыл бұрын
What if we have a 3090?
@susansucks94722 жыл бұрын
@@TotesCray 3080 TI 😖
@geroffmilan33282 жыл бұрын
I wonder how using a virtualised GPU in a VM affects the fingerprinting: though to date the vGPU isn't something which features many controls, varying some of its parameters at each session start would likely help reduce fidelity.
@destroyonload34442 жыл бұрын
You'll do better to harden your browser. You don't need HTML5 canvases to transact daily business. There's still better ways to fingerprint someone.
@geroffmilan33282 жыл бұрын
@@destroyonload3444 I prefer to use multiple distinct "device + connectivity chain" combos for differing activities. HTML5 is fine when I'm just doing entertainment or official business on my Mr Normal smartphone; the setup is different when I'm doing OSINT research, or IG phases of a penetration test, which is my day job. No cross-pollination permitted. Never had Facebook/Instagram/whatever so I don't need to worry about profiling correlated to an entrenched identity of that type.
@bananajoe99512 жыл бұрын
Remember why we are being tracked online? "To better serve you ads"
@tommyb66112 жыл бұрын
This is not clever or something to be enthusiastic about and talk with such a light tone. This is bad and infringes on all privacy rights.
@FoxBlocksHere2 жыл бұрын
Hey Seytonic, I think you should retract your suggestion to install the Russian language on computers to protect from Russian cyberattacks, as well as issue a warning for people who have already done this. node-ipc now includes code that wipes files on computers detected to be Russian. I don't know for certain if installed languages is one of its detection methods, and feel free to correct me if it isn't, but it's better to be safe than sorry. Also, other software developers could put similar code in their programs, potentially _with_ languages as a detection method. (I will not spam this message. This is the last time I will post it.)
@DaPanda192 жыл бұрын
Out of curiosity, how many times have you mentioned it?
@FoxBlocksHere2 жыл бұрын
@@DaPanda19 Only twice, including now. I'm just clarifying that I don't intend to spam so Seytonic doesn't assume so and ban me for it.
@VitalTechnology_2 жыл бұрын
Interesting. What is your source?
@suncat5302 жыл бұрын
node-ipc used to have such a code for one version, but AFAIK when ppl found out it was removed in later version
@DaPanda192 жыл бұрын
@@FoxBlocksHere that's fair, can't imagine you getting banned for giving valid information though
@VitalTechnology_2 жыл бұрын
Meta data is all around us 💀
@irwainnornossa46052 жыл бұрын
Yaaaay! This is exactly what we needed. More ways how to track people online. Like there weren't too many of them already.
@nigmane2 жыл бұрын
Yeeeaaaah true… been looking at some http requests recently… some sites logged my graphics card.
@idlevandal692 жыл бұрын
Problem solved, I've just removed my GPU. Can someone check my spelling, I can't see anything...
@SamarthCat2 жыл бұрын
The thing is, my GPU will perform worse at a high temperature because of thermal throttling. So that means my fingerprint will be different when my GPU is at a high temp from when it is not.
@ProjectPhysX2 жыл бұрын
This technique breaks down wherever you have something else running on the GPU at the same time. And it isn't very accurate to begin with. So I wouldn't bother.
@SkylarsTerribleMemes2 жыл бұрын
damn, is there really no way to escape tracking? wonder if virtualized gpu could help
@--..__2 жыл бұрын
Of course there is but it is inconvenient, many websites break, and many sites make you solve captcha for appearing "suspicious"
@JustMe-ui9bv2 жыл бұрын
There are ways, but as stated, if you run JavaScript it does not matter if WebGL is on or off as JS provides sufficient techniques to identify you even better. The answer to that is NoScript extention. Admittedly, it breaks a lot of websites and you will have to allow it for some websites anyways in order to use them, allowing them to track you. But all in all NoScript with AddBlock, a canvas blocker, and turned off WebGL in a privacy respecting browser like FireFox and a privacy respecting system like Linux for PC or GraphineOS for phones is you best bet. The problem is that NoScript takes aways convenience and you will have to learn Linux. That is also why we put up with this, most people just do not care enough or are lazy to do all this for their privacy.
@matty1234a12 жыл бұрын
So screwing with your gpu clocks, and/or throttling webgl at random will throw the measurements
@_Miner2 жыл бұрын
Would other activity that the GPU / CPU are doing at the same time not effect the fingerprint therefore not be as accurate as tests done under controlled tests?
@Ramog10002 жыл бұрын
I thought so too, tempreture both outdoor and gpu temp itself will probably also effect it.
@marc-andreservant2012 жыл бұрын
It's unlikely. The GPU's load and temperature should not affect the result of compute operations, but they will affect the speed (and WebGL does allow the website to see your FPS). As for context leakage between processes or between webpages, it's possible in regular apps (Palinopsia vulnerability) but not in WebGL because it explicitly clears buffers before handing them to unsafe javascript.
@marc-andreservant2012 жыл бұрын
I forgot one point: applying a load to the GPU will slow down all tasks by a certain amount. If the number of performance dimensions measured by the tracker is higher than the number of different GPU load parameters you randomise, linear algebra can be used to figure out your randomisation parameters and correct for them.
@geroffmilan33282 жыл бұрын
Use a VM - but find one which will let you adjust the parameters of the vGPU, to ensure differences in actual performance.
@pumpkinjutsu12492 жыл бұрын
This is old. uBlock Origin has had an option to block WebRTC and WebGL for years now and I think Firefox has that already in ETP.
@jeffbrownstain2 жыл бұрын
The accuracy of the fingerprinting is the problem, and what's new here.
@overlisted2 жыл бұрын
I thought canvas fingerprinting has existed for a while now?
@Yezpahr2 жыл бұрын
They can also just track you with your up-time, which can be triggered to get sent to anybody who asks for it. If you regularly reboot your device then it's not a viable tracker but if you leave it on through different browsing sessions, be it through Tor or regular browser, they can just read out that up-time counter on random packages you send and make a time-line.
@nigmane2 жыл бұрын
Smart
@dedr4m2 жыл бұрын
Well, I'd need to figure out how and if Linux exports the iGPU clock speed (The "Gaming laptop"'s dGPU is essentially a headless co-processor dangling off a PCIe bus and thus Linux refuses to acknowledge it (or rather my distro won't). If I can change the speeds on-the-fly, I could write a driver that'd essentially change the GPU clock(s) at random using the random number generator and thus give variability that'd reduce or thwart such fingerprinting. Also, the algorithm could be set as such to keep performance at a high average and if the GPU supports granular clock-tweaking, then the "random clock jitter noise generator" code could be tightened up to allow over 99% performance while being too random for this fingerprinting to work. IDK if I have the time for such an endeavour, so I'll put this into the wild in case it inspires someone.
@Krewz2 жыл бұрын
Deletes windows and installs proxmox…. I think I’ll have the last laugh 😆😂
@Redacted912 жыл бұрын
Does it bypass Brave's built-in anti fingerprinting?
@SP-df1nm2 жыл бұрын
yes
@arandomfox9992 жыл бұрын
I wouldn't be that difficult to dynamically scramble your voltages after a set period of time or after each reboot. Plenty of software can achieve such a thing. Simply set the tolerance margins and now you can blame your Opsec for lag.
@GP-qb9hi2 жыл бұрын
Even the same GPU won't perform benchmarks exactly the same run after run. This is BS....
@midimusicforever2 жыл бұрын
Shit's fucked!
@keithberjeron7632 жыл бұрын
:: sees title:: Sure, I haven't been paranoid in a moment or two [click] ::5 minutes later...:: *Crackhead level paranoia unlocked*
@Crazy--Clown2 жыл бұрын
Lol Roboform no questions asked on refunds..... I went through hell dealing with them...
@ililli28sa2 жыл бұрын
Noooo 😭😂 I've been using that to track scammer that create alt account on my e-commerce website 😂 Now that you made that video I hope it will not blow up too much 😅😂
@trueriver19502 жыл бұрын
Several comments seem to be assuming that this is a timing thing--that it is the length of time a given fingerprint task takes that constitutes the fingerprint. As I undetstood it, and I would be glad to be shown to be wrong, the issue is rather that the fingerprinting relies on subtle divetgencies between the calculated results on different cards
@NEPTUNE7002 жыл бұрын
Please get the gold pcb rulers back in stock on the Maltronics store!!! I loved mine so much and someone stole it from me. 😫
@foxtailedcritter2 жыл бұрын
It's almost impossible to be Truley anonymous nowdays in the government surveillance state.
@iyeetsecurity9222 жыл бұрын
*SOLUTION:* _Put a glove on your GPU!_ You're welcome!!!
@Ghozer2 жыл бұрын
Silly, as what when you sell your GPU on the used market? Does that then mean that new user will be offered ads based on your pervious browsing habits? I can see great abuse!!
@scoobertmcruppert29152 жыл бұрын
What if you OC your GPU to random settings every time you fire up the computer? Wouldn’t that easily combat this method?
@PhunkBustA2 жыл бұрын
i wont be surprised if this has something to do with why so many people think they have dead gpu's but they dont, some people replace gpu's like i replace the oil in my car LMFAO
@ejonesss2 жыл бұрын
is there a standard call or statement that websites can use to run the tracking? can we just block it in an ad blocker? for example we can block canvas by setting a rule to change every occurrence of the word "canvas" in the html to something like "zddfbyugyyu" and the page wont be able to call canvas
@transgrl2 жыл бұрын
Underclock your gpu by random offsets before you visit each next page, easy
@mu11668B2 жыл бұрын
Another good reason to use multiple separated VMs with different VPN setup for different tasks.
@SalihBeratYe2 жыл бұрын
Tails?, Tor? Are they including about that tracking method?
@TheRfmodulator2 жыл бұрын
My goal isn't always 100% anonymity, which is a fingerprint in its own right... I'll usually settle for reasonable doubt.
@PhantomZtryker2 жыл бұрын
Is this really news? webgl's many potential vulnerabilities including this one has been warned against for a while I feel.
@gameteindifference23502 жыл бұрын
I wonder if having a Bitcoin miner running small loads on your GPU in the background all the time would introduce enough variation to make that type of fingerprinting unreliable.
@vuufke43272 жыл бұрын
You can write a script to randomize you clock speed on the fly within a reasonable interval, or just disable Js
@bostash84422 жыл бұрын
i hate it here
@Stealth13372 жыл бұрын
Does that mean that you can fool it by down grading your GPU speeds?
@cats81292 жыл бұрын
IIRC Akamai has been using this in their bot-prevention for 2 years now.
@--..__2 жыл бұрын
Make your browser use onboard graphics. Or disabled webgl
@msthalamus21722 жыл бұрын
I mean, to be fair, there are only like five 3080s in existence, right? :D
@nielsbishere2 жыл бұрын
How would this work if you're rendering multiple things or mining at the same time? Won't that make the timings a lot less accurate as you'll have different loads at different times and so the browser gets varying fingerprints?
@faded.09132 жыл бұрын
Got it. Change overclock slightly between illegal sessions
@AWESOMEANCHOVIES2 жыл бұрын
Oh goodie, more ways companies can sell our browsing history
@Maksimillionn2 жыл бұрын
I spent 6 minutes watching this to be told "ah its fine anyway" waste of precious time
@quackersna2 жыл бұрын
First off, this is horrifying from a privacy perspective. Aside from that, I'm a gamer. My GPU is already taxed heavily. It would be irresponsible for a website to add to that load just for a tracking cookie when less intrusive methods already exist. This is clearly designed to target individuals who have masked their MAC address, so it's clearly targeting people that want to be private. Fk that.
@TheRealASN2 жыл бұрын
Hey Malcolm I just saw Vice is using your video in its latest release
@ottergauze2 жыл бұрын
Fuck it we're going back to dumb terminals
@hixe2 жыл бұрын
We have been using this practice since 2016
@CDizzzle4Rizzle2 жыл бұрын
Maybe set a cron job to change the voltage by a random amount 0.01 - 0.08mv periodically.
@gearfriedtheswmas2 жыл бұрын
Librewolf is not susceptible to this by default.
@IamwhoIam3332 жыл бұрын
Bank of America wants you to sign up for this.
@SpaYco2 жыл бұрын
browsers use hardware acceleration, so i'm not sure if this fingerprinting will output the same result everytime for people that use the PC normally, and not just use it for a single page that they visit everyday.
@sloatch53612 жыл бұрын
Mac address bro. Every device has one ... easy to track
@MrYossarianuk2 жыл бұрын
Accessing a site within a vm. Would fix this
@juniorjr.2 жыл бұрын
Thank god for that Nvidia Leak the other day, maybe someone can use it to an advantage to keep GPUs anonymous if it’s possible.
@SP-df1nm2 жыл бұрын
it's not limited to nvidia. there's nothing you can do about it.
@Akab2 жыл бұрын
wow my phone got fingerprinted as unuque multiple times through this website... scary... 😅
@CaptainKremmen2 жыл бұрын
I'm watching this on a machine that was manufactured before WebGL existed.
@bomberfish772 жыл бұрын
Honestly, I'm not surprised. Having a 3090 automatically puts you in the 1% of people who could actually get one.
@thangchanh29322 жыл бұрын
what about virtual graphic processor?
@icefireobsidian74902 жыл бұрын
Wonder if you could create a vm gpu to counter this
@CZghost2 жыл бұрын
As for GPU fingerprinting - do you reckon is will penetrate a virtual machine? Like I might want to use a virtual machine with Tails running in it, which essentially leaves no trace on the machine, or Kali Linux, so if I even enable javascript, the javascript will only be able to tell generic fingerprints. Tor Browser is essentially Firefox, so the User-Agent will tell I'm using Mozilla Firefox, which so happens to be one of the major browsers used worldwide. OS is Tails, which is built on Arch Linux as far as I'm aware, but it was designed to work entirely off a Live CD (which doesn't even need to be CD at all, you can use USB stick as a Live CD bootable medium), and it leaves no traces on the host system. But how is the OS presented? Simply Linux. Generic answer, nothing really special. It is designed with privacy in mind. WebGL might be somewhat problematic, but that's what I was asking for: If I use a virtual machine, will the tracking script be able to penetrate the virtual machine environment that virtualizes all the hardware (including graphics)?
@isheanesunigelmisi84002 жыл бұрын
So you setup alerts for a new GPU, finally snag it and get tracked? The Matrix sucks sometimes
@mindlessmrawesome2 жыл бұрын
Seems like someone could probably make a pretty simple workaround program that just varies the voltage of your gpu slightly every time you boot up the operating system.
@IlluminatiBG2 жыл бұрын
As far as I can see, all matching is probabilistic, and while some goes a little beyond
@Brian_Tabor2 жыл бұрын
This has been common knowledge for awhile and it's not about certain gpus. They've been able to gpu ban people from games for like 10 years. Meaning they could identify it atleast that long. The problem being the person could just resell it. Also hiding code in images and running those codes into your computers. When your gpu renders them. Also the wifi thing in the batman movie is something they have.
@grandtheftautoexpert20402 жыл бұрын
There’s an extension that obfuscates your webgl fingerprint instead of disabling it, effecfively not breaking anything except the tracking
@xfox3602 жыл бұрын
But what if external factors such as temperature change? Also, the same GPU can be used by other processes, making it slower for the fingerprinting process
@wadch27682 жыл бұрын
Where’s the interview with pro ukrain
@NazarockNazaRock2 жыл бұрын
GPU fingerprinting sounds like it's a calculation that always yields the same result. Hence the GPU can be identified. However you did not mention that. Also there is no one chip that can always perform the same every time you run a calculation on it. I mean the mathematical calculation result is always the same but the time spent on it is not. That's why any benchmark tool always shows different number of points every time you run it. So is this fingerprinting really a reliable thing? Or is there something else that attributes to that chip uniqueness?
@SP-df1nm2 жыл бұрын
that's not what you should take away from the video. they are tracking you from everything. either you disable fingerprinting or using most tools available that in itself is a fingerprint to better pinpoint you.
@JD-env12 жыл бұрын
What about within a Virtual Machine?
@l1l1l12 жыл бұрын
This can be used to ban a gpu from an online videogame if the user is caugth cheating?
@amosimo28702 жыл бұрын
i don't think so, the fingerprinting isn't accurate enough
@notJafar2 жыл бұрын
Is there any breakdown on why our information is tracked? And who is doing the tracking?
@zachb17062 жыл бұрын
It’s pretty simple. Money and power. They sell the data to advertisers, governments, and businesses.
@goldengold85682 жыл бұрын
How exciting the future is going to be.
@MissFoxification2 жыл бұрын
I have been using a browser addon to alter the WebGL fingerprinting for a while, with every reload it provides different data so most of the fingerprint changes. It was a better solution to disabling it.
@morgan36252 жыл бұрын
If I disable webgl in firefox am i all good?
@waffleshardware2 жыл бұрын
Ahhh hell naw, deleting cookies now means buying a new GPU? Out you go ethernet cable!
@originalradman94912 жыл бұрын
I wonder how well tracking works if you use a VM with rotating external IP address and random mac addresses. 🤔
@grease2532 жыл бұрын
So if you change performance, it's a different print. Xvga program does it.
@psihuntr2 жыл бұрын
Laughs in unsupported graphics drivers Cries in no graphics drivers
@m4rt_2 жыл бұрын
Why do people make this?
@uniqueprogressive99082 жыл бұрын
This is why i have webgl disabled
@rokyo401 Жыл бұрын
Would running graphically intense loads at all times prevent GPU fingerprinting? If it is timing based, I would assume that running OpenGL spinning teapot on a secondary monitor all the time would influence the timing? Or could a browser sandbox be developed which limits the browser running in it to a specific amount of GPU cores or something like that? Kinda like running browsers at a wide-spread resolution like 1080p or 1366x768 and default fonts installed to circumvent those two fingerprinting variables?
@Shotzcf2 жыл бұрын
so I can just overclock to get a different fingerprint every time?
@R1ch4rd2 жыл бұрын
“just” “every time”
@Wacypro2 жыл бұрын
WebGL disabled, Cookies disabled, addons hidden, spoofed screen resolution, and spoofed userAgent is the only way to browse safely in the current year
@isaach.11352 жыл бұрын
No script for the win. Either that or disable all the things and randomize everything else from time to time. Problem is, the more you try to change and secure your browser, the more unique you are.
@elbowsout63012 жыл бұрын
Fascinating stuff!
@tobi-b2 жыл бұрын
I don't get why people are so scared of some websites tracking & collecting data on you. Like what bad does it actually do you?
@zachb17062 жыл бұрын
I don’t care if a business stores some of my data when I use their service. I care when they start selling that data to governments and third parties. I also dislike when they don’t tell you that they are taking data.
@tobi-b2 жыл бұрын
@@zachb1706 Ah right, I get that
@audioz10062 жыл бұрын
yeah but is the rendering time consistent ? if not it will not benefit trackers imo