[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]Something that I've learned here is that anonymity is quite low as long as you don't know what you are doing, [I]even[/I] on proxies/anonymizers. Most users who really want to be anonymous probably run on the [URL="http://tor.eff.org"]TOR network[/URL] today, since that service gives you [U]almost[/U] 100% anonymity. Again - [B]if[/B] you're trying hard enough and know what you are doing. Many experts today say that tracing such proxying will still be possible unless everything (Java, Flash, etc.) except the regular HTML-reading abilities is disabled. They are of course right, even if [I]good proxies[/I] at least make it possible for a user to deny knowledge about it. Google and other ad services may also reveal some secrets here, since they use cookie tracking as part of their [I]"customer tracking"[/I] for targeted product advertising (which also includes geolocation - tracking users' locations by IP). Most of those trackers are probably quite simply and harmlessly built - I say "probably" since I've never investigated the source - but the technique of tracing users that way… is kind of interesting and, in the wrong hands, both effective, bad, dangerous and annoying.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]First - [I][B]why[/B][/I] was this tracker built in the first place? The simple answer is that it was impossible to ban those idiots. Every time an IP or a user was banned, they came back with a new IP and a new username. In the end, a tracking system was developed to find out how many of them were the same person. And for the same reason as above (they stopped from exhaustion!), the development finally ended as well.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3][I]How was it built?[/I]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]The first tracker that was built to trace [I]"bad people"[/I] (as in [I]abusers[/I], who were probably born only to annoy others) was considered [I]"unconventional"[/I] (by the attackers, of course), [I]unexpected[/I] (meaning that adding the tracker to the forums was a [I]surprise[/I] to them) and extremely inefficient on heavily loaded servers, since it always made reverse lookups on every host that entered the server. It was also quite dependent on the user being logged in. Only after 500000 hits from different hosts and users, the database and the webserver crashed, since all the lookups took more time than the registration itself when a unique (or not) user visited the webpage. It also logged other browser tags (like [I][B]HTTP_VIA[/B][/I] and [I][B]FORWARDED_FOR[/B][/I], which are commonly used by some of the less anonymous proxies), and comparing different strings like this made everything slower. Indexing the entries was no help at all, because all comparisons were made on the fly. A better method was developed later - afterwards, and almost too late - and was based on silent logging: entries were saved independently of each other and, when needed, could be compared to each other.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]After a short look at the code of the first tracker, I really don't know exactly what the script did, apart from sometimes succeeding in matching important hosts and users to each other (look at [URL="http://forum.tornevall.net/showthread.php?t=102799"]this thread[/URL] and you will see what I mean, or even better, the [URL="http://forum.tornevall.net/attachment.php?attachmentid=5104&d=1151750512"]only copy of the script that still exists[/URL]; the others have been put into a [URL="http://www.vbulletin.org/forum/showthread.php?t=119695"]graveyard at vbulletin.org[/URL]). To illustrate, let's make a scheme of how the script was finally built.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3][IMG]http://www.tornevall.net/img/crazytracker.gif[/IMG]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]The image does not give you an exact picture of how the tracker worked, but if you look at it, you will probably get sick after a few minutes. This was certainly not what I had in mind when I first developed it. The script actually does nothing except keep track of a few users (at the time when it [I]was[/I] used it was, [I]surprisingly[/I], fully functional) - as long as they were logged in - and of course in some cases it scared some abusers to death. But nothing more than this. The script also generated a lot of false positives as soon as someone started to use a NAT firewall, like a big office, a library or a school. The script killed itself - and the server. The only thing I can admit it was good at was - for a human eye [I]only[/I] - working out which users were actually fake and how many users were related to each other. But even there it was unreliable. When users changed IPs due to DHCP etc., it became inefficient again. The conclusion from making a script that actually works, this far, is that only an idiot, or someone who [I]really [U]has[/U][/I] problems with abuse, tries to hunt down abusers like this.
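The "silent logging" approach and the NAT false-positive problem described above, sketched as an added example (this is not the original vBulletin script): each hit costs one insert, and accounts are compared only in a later offline pass. The table layout, function names, sample hits and the `nat_threshold` cut-off are all assumptions made for the illustration.

```python
import sqlite3
from collections import defaultdict

# Constructed sample hits: (user, REMOTE_ADDR, HTTP_VIA, FORWARDED_FOR).
SAMPLE_HITS = [
    ("alice",  "192.0.2.10",    "", ""),
    ("troll1", "198.51.100.7",  "1.1 proxy-a.example", "203.0.113.5"),
    ("troll2", "198.51.100.99", "1.1 proxy-b.example", "203.0.113.5, 10.0.0.2"),
    ("troll3", "203.0.113.5",   "", ""),
    # One office/school NAT address shared by unrelated accounts.
    ("bob", "192.0.2.200", "", ""), ("carol", "192.0.2.200", "", ""),
    ("dave", "192.0.2.200", "", ""), ("erin", "192.0.2.200", "", ""),
]

def open_log():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (user TEXT, remote_addr TEXT, via TEXT, forwarded_for TEXT)")
    return db

def log_hit(db, user, remote_addr, via, forwarded_for):
    """Request-time work: a single INSERT, no reverse lookup, no comparison."""
    db.execute("INSERT INTO hits VALUES (?, ?, ?, ?)", (user, remote_addr, via, forwarded_for))

def related_accounts(db, nat_threshold=4):
    """Offline pass: map each origin address to the accounts seen from it.

    Origin is the first FORWARDED_FOR entry when a proxy sent one, otherwise
    REMOTE_ADDR. The header is client-controlled, so a match is a lead for a
    human reviewer, not proof. Addresses shared by nat_threshold or more
    accounts are treated as NAT and left out to limit false positives.
    """
    users_by_origin = defaultdict(set)
    for user, addr, fwd in db.execute("SELECT user, remote_addr, forwarded_for FROM hits"):
        origin = fwd.split(",")[0].strip() if fwd else addr
        users_by_origin[origin].add(user)
    return {o: sorted(u) for o, u in users_by_origin.items() if 2 <= len(u) < nat_threshold}

def demo():
    db = open_log()
    for hit in SAMPLE_HITS:
        log_hit(db, *hit)
    return related_accounts(db)

if __name__ == "__main__":
    print(demo())
```

Raising `nat_threshold` brings the shared office address back into the result, which is exactly the false-positive case the text describes.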
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]There's no easy way to do this and succeed, but there are solutions that at least take you halfway. I still haven't developed such a thing myself, due to lack of time and, nowadays, interest, but I have some ideas on how to do it. Some day... One of them is based on the above thought about "customer tracking" done with cookies, as in the [I]incomplete[/I] scheme below.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3][IMG]http://www.tornevall.net/img/cookietracking.gif[/IMG]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]Cookie-based tracking is, at least for me, the most effective method of building a solid movement pattern and may solve many problems. Of course, this one also has its dark sides, and it is actually totally dependent on how smart the user on the other side is, since the easiest way to avoid [I]being[/I] traced like this is to hide the footsteps by simply wiping them out (removing cookies from time to time). The method above is, however, one step closer to solving [I]that[/I] problem too, as it registers the user's movement locally as well, not only remotely. Even if a cookie is removed, the storing method of a user will remember it until next arrival. But the hardest thing to solve may be the case where a user is behind a NAT, and the cookie's age versus the IP's.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]Another question to ask before using a cookie tracker is "do you actually [I]need[/I] it?" - is it worth it? Remember that you are a big threat to your own and others' personal integrity by doing this kind of tracking, and in some countries it's actually illegal if the user is not informed about it.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]You should also remember that a user who [I]really[/I] wants to hide [I]will[/I] hide, no matter what solution you try to add to hunt with.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3][I]So the end of this story - and also the birth of dnsbl.tornevall.org begins here.[/I]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]The last ideas in this text have never been released in full (only the first tracker, which also got buried after several crashes). Instead, they led to the opening of [URL="http://dnsbl.tornevall.org"]dnsbl.tornevall.org[/URL]. By blocking proxies instead of the abuse hosts, the users and the forum could keep track of themselves, in other ways that made the abusers much more cautious than in the beginning. By forcing users to use their own addresses as much as possible instead of proxies and [I]"borrowed"[/I] hosts, it wasn't fun to abuse anymore.
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]
[/SIZE][/FONT] [FONT=Times New Roman][SIZE=3]The result of this development story can be [URL="http://dnsbl.tornevall.org/?do=stats"]viewed here[/URL][/SIZE][/FONT][FONT=Times New Roman][SIZE=3]. Today, the idea has grown into something bigger, more global and very appreciated.[/SIZE][/FONT]
