This hosts file is updated regularly to help prevent accidentally stumbling upon (shock|malicious|etc) style sites: http://someonewhocares.org/hosts/hosts
Been using it for a few months now and have found it invaluable.
Wait what? How can a webpage play a sound if my speakers are muted? How do they bypass the little sound notification on my tabs?
>If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back one or more advertisers with details about his device, so the advertiser can build an advertising profile on the user, linking his computer with his phone.
Are you sure? I would guess that a huge amount of perfectly mainstream and popular apps have a ton of advertising SDKs bundled with them, and you never know what the fuck those SDKs are going to be doing half the time.
> How can a webpage play a sound if my speakers are muted?
Well it can't obviously, but lots of people (although maybe not the types of people who use tor) browse the internet with their speakers on and active. Most people don't unmute their speakers just before they're about to listen to something.
> How do they bypass the little sound notification on my tabs?
Admittedly they probably can't, but are you sure you're going to notice a flicker as a short sound is played and then stops?
I think the most contrived part is your mobile being always-on/always listening, given that you're likely to notice this due to reduced battery life. But given that certain hardware now has support for always-on keyword detection, you can see a future when this could happen.
FWIW, there was a BBC article about always-on audio detector apps. Describing an Android proof-of-concept app: "The battery drain during our experiments was minimal and, using wi-fi, there was no data plan spike."
They don't give much information on what "minimal" battery drain means. I'm skeptical. Keeping an app running in the background and keeping a stream of audio data piped into it to be processed on the CPU is not cheap. Google has a dedicated DSP on phones to do hotword detection (among other things), and IIRC that's not exposed to unprivileged apps. Hell, even iOS needs to be charging to get "hey siri" support (not sure about now; it was like this in previous versions, though).
Either way, it doesn't sound like that's what the article describes: they're talking about collecting and sending all audio wholesale. Sending that much audio data over 3g or LTE would be expensive (transcoding it to decrease payload would be expensive, too), and would surely be noticeable looking at data usage charts.
> using wi-fi, there was no data plan spike
Uh, yeah. Because it's using wifi. Phones are on wifi far less often than you'd imagine.
It's certainly possible, but it's just not plausible.
You're right, the article is talking about seems to be talking about sending the audio wholesale, which would be cheaper from a CPU perspective, but sending the data would probably be noticeable both from a data use and battery perspective.
Having said that, quite a few people have their phones connected to wifi at home, which could mitigate these issues due to both less conspicuous data and power usage.
Adblock that! This is pretty alarming actually - that advertisers are willing to go to such lengths, perhaps excuse my naïveté. The receiver could be someone else's device eg next door. Sure it has implications for an activist in London using tor but what about the rest of us? How can I easily tell whether a page is listening? Feedback maybe?
It's also pretty exceptional to think that there are apps constantly listening for ultrasonic cues, even when not being actively used. This would be a huge battery drain, so I can't imagine any manufacturer bundling such a thing with a device.
Even if it was the case, I can't imagine such apps would give granular enough information to be enormously useful. You'd get one, maybe two people to actually get their computers to play the audio and have it picked up by a device that's actually listening for it. What then? How many advertising companies with legitimate marketing businesses actually sell the user identities? You'd get what, a UUID, maybe some aggregate demographic information, and a rough location. It seems unlikely that such a platform would actually give out specific PII for individuals.
> It's also pretty exceptional to think that there are apps constantly listening for ultrasonic cues, even when not being actively used.
It would not need to be constantly listening for it to be useful. If the point is identification, why would you leave it on after you have reasonably identified the person?
I mean, we're under the assumption here that the app that's listening isn't owned by the attacker. If it was, you already know the person's identity (and location, and probably a lot more) because you control the app on their device. It would be a lot of work to target and infect someone's phone with malware just so you could confirm that they did in fact visit a page on Tor. Probably the same amount of work to just infect their computer with malware and take a screenshot.
If we assume it's a third-party ad network, which is the only plausible explanation for why there's an app listening for ultrasonic cues on a user's device, it would need to be listening all the time. That is what the article describes.
I read about a lot of you security people talking about the difference between a physical switch turning off your wifi vs a software switch, does anything like that apply to this?
A physical switch is for surety and peace of mind, whereas a software switch you have to be careful, because I don't trust my machine's OS to keep the speakers muted, no matter how much the chain of trust has not been compromised, there's always a weak link somewhere. Physical switches or death.
> A physical switch is for surety and peace of mind
Theoretically, there's no reason to trust a physical switch more than a software switch, unless you've opened the computer and verified that the physical switch breaks all circuits to all wifi radios. The physical switch could merely control software, or it might control one connection to one radio but not others.
Yes, our governments have found new way to "scare" and limit internet!
When you have spotify, ms word and rest of the rootkits, its pointless to even have talk about anonymity.
We are reaching everyday closer to government's agenda. Big thanks to CIA/NSA, facebook, google and rest of the mainstream Media outlets. These corps have really ghettoised our life and freedom.
TorBrowser has Javascript disabled by default, doesn't that mean you have to first 'trick' targets into visiting the webpage, and then trick them into turning on js?
Do you mean messages sent over infrasound (less than ~20 Hz)? That would typically not work, because most speakers cannot produce infrasound and most microphones don't pick up frequencies that low
Yes it's possible, but it leaves a red band on top (like the blue band of hotspot active. You can see it with Shazam (or equivalent) after you quit it for a few moment (just before the system kills it).
Any device that is listening all the time can be storing and sending anything you said. How would you know if it's encrypted?
There has GOT TO BE a better way. Such as a filter made by independent manufacturers that opens the sound channel only when you say a specific phrase such as "OK Google" and closes it when you press a button or stop speaking. And an indicator would be visible when it's actually listening.
The question is, how to prevent collusion with the independent filter companies? There has to be SOME WAY to open source hardware and prevent companies from essentially performing their own interdiction on it:
If outbound traffic levels are the same when you're using it as when you're not, it's probably bugging you? Of course a smarter arrangement would reschedule traffic to coincide with use...
I can think of plausible use-cases: e.g. wireless data communication with devices that aren't networked.
I've got scuba-diving computers that need special cables to sync with my PC: if they could sync with nothing more than a webpage and speakers, that would be pretty neat.
From a technical standpoint there's no difference from javascript playing sound that the user wants and a "malicious" sound. Ultrasound only differs from "audible" sound in our ears, from the browser perspective both are just bits sent to your audio DAC.
What frequency are these apps using? I haven't looked it up but I doubt most computer speakers go above 15Khz (why would they?) A young person should be able to hear really high but audible tones and an adult would rapidly lose the ability. If this is not the case it would make sense to set a limit on the tones such a device can send and receive.
On the other hand there might be legitimate uses for such tech so maybe better to have it as a security option to send and receive ultrasound per individual, i.e. if I can't hear above 10khz maybe I can set my audio to not send or receive above that without app specific permission
From some quick digging I did in a Github repo attempting to reverse-engineer the 'audio beacons', the frequencies used by at least one startup using the technique are in the 18kHz range[1].
Things like Apple TV/Chromecast are serving ads and are hooked up to audio systems that are usually quite capable. And this could easily just shift to being done within the range of computer speaker production/human hearing and it would sound like a glitch at best (if audible at all).
It's not exactly that straightforward. In general any modern audio equipment will run up to 20kHz since that's generally accepted as the range of human hearing. From what I can tell, the lowpass filters built in to equipment (eg antialiasing on ADC/DAC) attenuates starting at 19 or 20 kHz. But these are realized as low order physical filters, meaning they roll off slowly, so you'd have to start attenuating at something much lower to truly remove the 18-20 range. That would introduce distortion where the rolloff starts, which you probably don't want.
This is mostly an awareness article that summarizes previously deployed techniques, and illustrates a situation where those techniques can cause maximum harm.
For background, a HN submission a year ago about these kinds of ads linking to phones, from Ars Technica [1], which some choice comments being one naming such an ad company [2] while a different subthread explores another [3][4].
Prior art in this space includes the work of Boris Smus [5], who then went on to develop the guest pairing mode for Chromecast using this technique. There have been other efforts over the years, some before, but certainly after, and of course the use of sound to transmit digital information is an old trick that makes modems possible, but in those days the lines didn't have the bandwidth to carry ultrasound.
Do you mean something that simply listens for sound in those frequencies or decodes known signals as well? The latter would be pretty interesting to walk around dense urban and shopping centers with.
Look for realtime analysis software (RTA) or spectrum analyzer software, typically used for setting up audio systems or analyzing noise sources. One example is RoomEQ wizard. Audacity can do it in non-realtime.
If you're interested in trying a little data passing in ultrasonic in your browser, try my creation https://quiet.github.io/quiet-js/
This generally doesn't work in mobile, though, or at least reception doean't. Also, neither desktop nor mobile Safari can do mic access, and firefox's mic won't pick up ultrasonic. So try desktop Chrome :)
Enhance your products by integrating with Chirp™
- the world’s most trusted data-over-audio technology
used by the leading brands in more than 90 countries
Absolutely. 20kHz, from an electrical engineering perspective, isn't really a wide bandwidth. You might get some fairly strong distortion but almost always it will still work, unless we're talking about something like a piezo.
66 comments
[ 0.16 ms ] story [ 154 ms ] thread[1]: https://en.wikipedia.org/wiki/Shock_site
Been using it for a few months now and have found it invaluable.
I don't believe so but my change in the Linux resolver daemon does honor the hosts file for all .onion entries.
>If the Tor user has his phone somewhere nearby and if certain types of apps are on his phone, then his mobile device will ping back one or more advertisers with details about his device, so the advertiser can build an advertising profile on the user, linking his computer with his phone.
This is pretty contrived...
Well it can't obviously, but lots of people (although maybe not the types of people who use tor) browse the internet with their speakers on and active. Most people don't unmute their speakers just before they're about to listen to something.
> How do they bypass the little sound notification on my tabs?
Admittedly they probably can't, but are you sure you're going to notice a flicker as a short sound is played and then stops?
I think the most contrived part is your mobile being always-on/always listening, given that you're likely to notice this due to reduced battery life. But given that certain hardware now has support for always-on keyword detection, you can see a future when this could happen.
http://www.bbc.com/news/technology-35639549
Either way, it doesn't sound like that's what the article describes: they're talking about collecting and sending all audio wholesale. Sending that much audio data over 3g or LTE would be expensive (transcoding it to decrease payload would be expensive, too), and would surely be noticeable looking at data usage charts.
> using wi-fi, there was no data plan spike
Uh, yeah. Because it's using wifi. Phones are on wifi far less often than you'd imagine.
It's certainly possible, but it's just not plausible.
Having said that, quite a few people have their phones connected to wifi at home, which could mitigate these issues due to both less conspicuous data and power usage.
Even if it was the case, I can't imagine such apps would give granular enough information to be enormously useful. You'd get one, maybe two people to actually get their computers to play the audio and have it picked up by a device that's actually listening for it. What then? How many advertising companies with legitimate marketing businesses actually sell the user identities? You'd get what, a UUID, maybe some aggregate demographic information, and a rough location. It seems unlikely that such a platform would actually give out specific PII for individuals.
It would not need to be constantly listening for it to be useful. If the point is identification, why would you leave it on after you have reasonably identified the person?
If we assume it's a third-party ad network, which is the only plausible explanation for why there's an app listening for ultrasonic cues on a user's device, it would need to be listening all the time. That is what the article describes.
Theoretically, there's no reason to trust a physical switch more than a software switch, unless you've opened the computer and verified that the physical switch breaks all circuits to all wifi radios. The physical switch could merely control software, or it might control one connection to one radio but not others.
When you have spotify, ms word and rest of the rootkits, its pointless to even have talk about anonymity.
We are reaching everyday closer to government's agenda. Big thanks to CIA/NSA, facebook, google and rest of the mainstream Media outlets. These corps have really ghettoised our life and freedom.
from: https://tails.boum.org/doc/anonymous_internet/Tor_Browser/#i...
To allow more control over JavaScript, for example to disable JavaScript completely on some websites, Tor Browser includes the NoScript extension.
By default, NoScript is disabled and some JavaScript is allowed by the Torbutton extension as explained above.
So, "Yes", this is reckless and would compromise Tor Browser from the outset.
Maybe so, but I think the GP is correct. At least, it was true a year or so ago.
It's IE-specific, though, so won't work in a Tor browser.
[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/bg...
The first thing one should do after installing the Tor Browser Bundle is open up about:config, search for javascript.enabled, and set it to false.
If an onion site doesn't work without JS, you probably don't want to be on it anyway.
If there's any monkey business going on with my audio, I want it in the range where I can hear it!
Surely the user would have had to approve microphone access for the app first, and it'd better have a good excuse.
Even then, does e.g. iOS allow backgrounded apps to listen in on the microphone ? Pretty sure only Siri has that level of privilege.
Has this whole ultrasound beacon thing taken off in the ad world ? Seems to (thankfully) require quite active user involvement to be able to work.
There has GOT TO BE a better way. Such as a filter made by independent manufacturers that opens the sound channel only when you say a specific phrase such as "OK Google" and closes it when you press a button or stop speaking. And an indicator would be visible when it's actually listening.
The question is, how to prevent collusion with the independent filter companies? There has to be SOME WAY to open source hardware and prevent companies from essentially performing their own interdiction on it:
https://www.google.com/amp/www.theverge.com/platform/amp/201...
If outbound traffic levels are the same when you're using it as when you're not, it's probably bugging you? Of course a smarter arrangement would reschedule traffic to coincide with use...
Does it? Aren't people generally in the habit of signing off on any access if they want what an app offers?
In what world is that ever a sane thing to do?
I've got scuba-diving computers that need special cables to sync with my PC: if they could sync with nothing more than a webpage and speakers, that would be pretty neat.
On the other hand there might be legitimate uses for such tech so maybe better to have it as a security option to send and receive ultrasound per individual, i.e. if I can't hear above 10khz maybe I can set my audio to not send or receive above that without app specific permission
https://github.com/MAVProxyUser/SilverPushUnmasked/commit/bc...
For background, a HN submission a year ago about these kinds of ads linking to phones, from Ars Technica [1], which some choice comments being one naming such an ad company [2] while a different subthread explores another [3][4].
Prior art in this space includes the work of Boris Smus [5], who then went on to develop the guest pairing mode for Chromecast using this technique. There have been other efforts over the years, some before, but certainly after, and of course the use of sound to transmit digital information is an old trick that makes modems possible, but in those days the lines didn't have the bandwidth to carry ultrasound.
[1] https://news.ycombinator.com/item?id=10562207 [2] https://news.ycombinator.com/item?id=10563384 [3] https://news.ycombinator.com/item?id=10563369 [4] https://news.ycombinator.com/item?id=10563031 [5] https://news.ycombinator.com/item?id=10562787
https://addons.mozilla.org/en-us/firefox/addon/mute-tab/
All tabs default to muted, and you can selectively un-mute tabs or whitelist sites as needed.
I've certainly appreciated the default state of pages being muted.
This generally doesn't work in mobile, though, or at least reception doean't. Also, neither desktop nor mobile Safari can do mic access, and firefox's mic won't pick up ultrasonic. So try desktop Chrome :)
https://www.chirp.io/