> These fake “going out of business ads” have been around for a few years,
There was an extremely funny and interesting Canadaland podcast about these, wherein Canadaland's founder Jesse Brown bought an "elegant men's cardigan" from a fake Toronto clothing store that was "going out of business" due to its ersatz owners’ retirement.
> I would highly recommend anyone into bicycles to try building their own wheel using his article.
Hear, hear. It's an incredible resource.
I got into building and fixing bikes around 2004, and built a couple of fixed-gear bikes on a shoestring budget using parts from Nashbar.com, and Sheldon Brown's wheelbuilding guide.
Can you clear up the confusion as to whether or not the earlier user named 'gyrovague' is operated by you as well? (There was some suspicion on the earlier thread that it might not be you.)
I haven't followed what she's been working on recently.
But, yeah, at some point in the 90s, Massachusetts decided to release some "anonymized" health records for research purposes (I think just state employees). One was governor William Weld who obviously had a lot of public information widely available. As I recall, Sweeney wrote the governor's office a bit later basically saying "I have your medical records."
I used this as a slide or two in some AI presentations in the mid-2000s or so pre-LLMs when I had some peripheral involvement with some of the privacy-preserving research going on (differential privacy, multiparty computation, fully homomorphic encryption). Haven't really followed most of this for a while.
Add this to the infinite list of reasons why I don't put company-issued spyware on my personal devices. If Slack/Teams/Outlook/whatever wants to "administer" my personal device in any way, it's a hard no for me.
Iran has a huge black market. Many things from refrigerator to small things are being smuggled to Iran, mostly from the mountains on Iraq border (also from Turkey border and from other Gulf countries. The government is not peaky about smuggling since Iran is under heavy sanctions and it's hard for the government to provide USD to legit traders on official channels.
This is a 21st-century equivalent of leaving short words ("of", "the", "in") out of telegrams because telegraph operators charged by the word. That caused plenty of problems in comprehension… this is probably much worse because it's being applied to extremely complex and highly structured messages.
It seems like a short-sighted solution to a problem that is either transient or negligible in the long run. "Make code nearly unreadable to deal with inefficient tokenization and/or a weird cost model for LLMs."
I strongly question the idea that code can be effectively audited by humans if it can't be read by humans.
> I expect it won't be long until someone deploys the first proxy service that handles the initial CONNECT payload in the kernel before offloading packet forwarding to an eBPF script that will proxy packets between hosts at layer 3, making this fingerprinting technique obsolete.
https://github.com/sshuttle/sshuttle basically works like this. I've used it for many years. I don't think it'll be possible to detect using this technique.
like its similar to connect or socks proxy except it is using SSH as a transport layer instead of TCP as a transport layer and its doing it transparently without having applications to be written to use the proxy. but if you are just converting TCP packets into a datastream and then sending them somewhere else where you convert them back to TCP packets then this is what this TCP RTT strategy is fundamentally meant to detect. i suspect the TCP only RTT thing works because of the delayed ack behaviour of most operating systems and this will still happen with sshuttle unless you are explicitly using quick-ack. also, quick-ack just works around the TCP-RTT issue and not the differences in timing between TCP and TLS or other higher protocols. i think if you are testing for other RTT differences then quick-ack would make them more obvious.
also, if you have an sshuttle proxy this site cannot detect it may be due to how close the server is to the client. i have a CONNECT based proxy it is able to detect around 5% of the time (maybe only that often due to a bug) but this is because there is probably less than 10ms latency between the proxy and the client and probably around 50ms latency between the proxy and the server for some reason (?).
Came here to ask the same thing. Why do I _care_ if connections to my server come from a TCP proxy? Particularly when a VPN is _not_ observable in a similar way?
Is there some class of bad actors who extensively use TCP proxies and not only _don't_ use VPNs, but would incur large costs in switching to them?
Web scrapers maybe aren't "bad actors", but many sites dont want them. They'll use tons of TCP proxies which route them through a rotating pool of end user devices (mobiles, routers, etc...). Its not really possible to block these IPs as you'd also be blocking legitimate customers so other ways to detect and block are required.
Can't/won't these scrapers just switch to using VPNs or sshuttle or basically anything else that doesn't leak timing info about termination of TCP vs HTTP?
Not really. You can have 100,000 IPs from proxies or use VPNs and have only 5 egress IPs.
Anybody who wants to stop the scraper could get browser fingerprints, cross reference similar ones with those IPs and quite safely ban them as its highly likely theyre not a legitimate customer.
Its a lot harder to do it for the 100k IPs because those IPs will also have legitimate customer traffic on them and its a lot more likely the browser fingerprint could just be legitimate.
The risk of false postives (blocking real people) is usually higher than just allowing the scrapers and the incetives of a lot of sites arent aligned with stopping scrapers anyway. Think eccommerce, do they _really_ care if the product is being sold to scalpers or real customers? If anything, that behaviour can raise perception of their brand, increase demand, increase prices.
This tool should have less false positives than most, so maybe it will see more adoption than others (TCP fingerprinting for example) but I dont think this is going to affect anyone doing scraping seriously/at scale.
I don't mean that you can't do it, just that there is no company offering it so right now those are the only two options.
It's something we're experimenting with currently. the other commenter is right about apple products, but on android, desktop, etc... it's pretty easy.
for phones its a bit difficult because i don't think you can egress out ip traffic without root or jailbreak on iphone and iOS. but i guess on desktop this should be possible
There was an extremely funny and interesting Canadaland podcast about these, wherein Canadaland's founder Jesse Brown bought an "elegant men's cardigan" from a fake Toronto clothing store that was "going out of business" due to its ersatz owners’ retirement.
https://www.canadaland.com/podcast/1176-mens-elegant-cardiga...
reply