Determine age, region, source of leaked credentials using RadioCarbon

RadioCarbon is an interesting tool developed by Florian Roth, focused on checking age and origin of a credential leak:

Typically you get leaked credentials in form of list of email addresses or user names, cleartext passwords or password hashes, and you have no idea how relevant they are and who to inform about the leak: for example, usually you don’t have information about the origin of the leaked credential, and these data could be obsolete.


Things to watch: NOTHING TO HIDE – The documentary about surveillance and you

NOTHING TO HIDE  is an independent documentary dealing with surveillance and its acceptance by the general public through the “I have nothing to hide” argument.

The documentary is written, produced and directed by two journalists living in Berlin, Marc Meillassoux and Mihaela Gladovic that launched this project in response to what they think is the keystone of modern surveillance: its acceptance by the general public through the Nothing to Hide statement.

The “Nothing to Hide” logic

We generally all agree that surveillance regimes are inherently dangerous and authoritarian; at the same time we use an increasing number of free online services and apps, giving up our privacy rights and building our Big Data. As E. Snowden’s revelations showed, this private & “friendly” surveillance provides the raw material for the state surveillance. In the actual context of terrorism, many of us also agree to give up privacy rights for the promise of increased security. To justify our compliance, most of us usually repeat: “Anyway, I don’t interest anyone” and finally “I don’t really care, I have Nothing to Hide”.
We have tried to understand what this logic implies for us individuals, but also for our societies. Is what we do online really irrelevant? Does mass surveillance help fighting terrorism? Do we really have Nothing to Hide? We found this fundamental question had not yet been addressed. Its answer, though, involves a real choice for society.

The Documentary




What is Canvas Fingerprinting and how the companies use it to track you online

Recently Mozilla planned to display permission prompts if a website attempt to use HTML5 Canvas Image Data in the Firefox web browser: in fact, this HTML5 element is often used to tracking users with a technique called “Canvas Fingerprinting”

What is “Canvas Fingerprinting”?

Canvas fingerprinting is a type of “browser fingerprinting” techniques of tracking online users that allow websites to uniquely identify and track visitors using HTML5 canvas element instead of browser cookies or other similar means.

A “fingerprint” is primarily based on browser, operating system, and installed graphics hardware, so not sufficient to uniquely identify users by itself: therefore, this fingerprint could be combined with other sources of entropy to provide a unique identifier.

Canvas fingerprinting works by exploiting the HTML5 canvas element: when a user visits a website their browser is instructed to “draw” a hidden line of text or 3D graphic that is then rendered into a single digital token, a potentially unique identifier to track users without any actual identifier persistence on the machine.

Variations on installed GPU model, operating system and overall system performances cause the variations in the rendered digital token.

Generated token can be stored and shared with advertising partners to identify users when they visit affiliated website and can be used to create a profile in order to customize the advertising.

The fingerprinting technology emerged about two years ago: the site Browserleaks has created a fingerprinting demonstration that you can run in your browser, provided that it supports HTML5 Canvas and that JavaScript is enabled on the site.


For more technical information about this technique, you can read this paper by Keaton Mowery and Hovav ShachamPixel Perfect: Fingerprinting Canvas in HTML5

We have demonstrated that the behavior of <canvas> text and WebGL scene rendering on modern browsers forms a new system fingerprint.
The new fingerprint is consistent, high-entropy, orthogonal to other fingerprints, transparent to the user, and readily obtainable.

Keaton Mowery has also published a framework for collecting and viewing graphical browser fingerprints, freely available on github:

If you need a full-features library for browser fingerprinting, tou can take a look at Fingerprintjs2:

List of fingerprinting sources

  1. UserAgent
  2. Language
  3. Color Depth
  4. Screen Resolution
  5. Timezone
  6. Has session storage or not
  7. Has local storage or not
  8. Has indexed DB
  9. Has IE specific ‘AddBehavior’
  10. Has open DB
  11. CPU class
  12. Platform
  13. DoNotTrack or not
  14. Full list of installed fonts (maintaining their order, which increases the entropy), implemented with Flash.
  15. A list of installed fonts, detected with JS/CSS (side-channel technique) – can detect up to 500 installed fonts without flash
  16. Canvas fingerprinting
  17. WebGL fingerprinting
  18. Plugins (IE included)
  19. Is AdBlock installed or not
  20. Has the user tampered with its languages
  21. Has the user tampered with its screen resolution
  22. Has the user tampered with its OS
  23. Has the user tampered with its browser
  24. Touch screen detection and capabilities
  25. Pixel Ratio
  26. System’s total number of logical processors available to the user agent.

How the companies use this information?

I suggest you to read this article by

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish.

A list of all the websites on which researchers found the code is here.

How I can avoid the tracking?

Currently there is no native option available to turn off the Canvas functionality in Firefox, add-ons are available that block sites from using Canvas.
These add-ons (CanvasBlocker and Canvas Defender) displays notifications and blocks requests depending on how they are configured.

Mozilla plans to integrate a permissions prompt natively in the Firefox web browser.

Otherwise, you can use TorBrowser that already has this feature:

“In Tor Browser, we have opted to have the canvas return white image data until the user has accepted a doorhanger UI that flips a site permission to either enable or permanently block canvas access from that site,”

developers wrote. Now that feature comes to Firefox, Mozilla said.