
RE: [WEB SECURITY] MachineID fingerprinting



There's a problem I've had the misfortune of having to solve.

At one point, I tried a freeware called diskid32
(http://www.winsim.com/diskid32/diskid32.html) to read the HD serial number,
but it failed on various drive types.

I switched to using a MAC, a much simpler solution which is easy to debug
and support. Windows has a "getmac" command which will display this value,
which of course is easily accessible via the UuidCreateSequential() API.



marioc@xxxxxxxxxxxx
http://securitymario.spaces.live.com/blog/ 
 

-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx] 
Sent: Wednesday, August 08, 2007 1:42 PM
To: websecurity@xxxxxxxxxxxxx
Cc: robert@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] MachineID fingerprinting

> One way to do this would be via MAC address, though I don't think the 
> client exposes that to the network it connects to.

This is the sort of thing I'm talking about, however using more system
checkpoints such as browser utilized, username, patch levels (although there
are specific challenges here when updates happen), etc...


> In theory (haven't done it and may not be qualified to comment) it 
> might be possible to write a client application the user downloads (in 
> .net) that they would need to run before connecting. That application 
> would look up the mac address and write it to an encrypted cookie that 
> the server could then read for comparison against a database.

There are companies that do this sort of thing and I'm looking at how
effective they are or have been for people on this list. 

> Can I write such a client? Nope. Should I have even commented? It's
> only 2 cents, you get what you pay for...


:)
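
An added example, not part of either poster's message: UuidCreateSequential() returns a version-1 UUID whose last 48 bits are the node field, which is where the MAC address mentioned in the first reply comes from. The sketch below extracts that field from a UUID string and flags values that are not a burned-in NIC address (RFC 4122 multicast bit, IEEE locally administered bit); the function name and the sample UUIDs are constructed for illustration.

```python
import uuid


def node_from_v1_uuid(text):
    """Return (mac, warnings) for the node field of a version-1 UUID string.

    Hypothetical helper for a server that receives a client-reported UUID
    and wants to know how much weight the embedded MAC deserves.
    """
    u = uuid.UUID(text)
    # Only RFC 4122 version-1 UUIDs carry a node (MAC) field.
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError("not a version-1 (time + node) UUID")

    octets = u.node.to_bytes(6, "big")  # low 48 bits of the UUID
    mac = ":".join(f"{b:02x}" for b in octets)

    warnings = []
    if octets[0] & 0x01:
        # RFC 4122 section 4.5: hosts without an IEEE address use a random
        # node and set the multicast bit so it cannot collide with a real NIC.
        warnings.append("multicast bit set: random node, not a NIC address")
    if octets[0] & 0x02:
        # IEEE locally administered bit: address was assigned in software
        # (virtual adapter, manual override), so it is trivially changeable.
        warnings.append("locally administered: address assigned in software")
    return mac, warnings


# Constructed sample values (not taken from any real machine).
SAMPLE_NIC = "c232ab00-9414-11ec-b3c8-001a2b3c4d5e"
SAMPLE_RANDOM = "c232ab00-9414-11ec-b3c8-011a2b3c4d5e"
SAMPLE_LOCAL = "c232ab00-9414-11ec-b3c8-021a2b3c4d5e"
SAMPLE_V4 = "c232ab00-9414-41ec-b3c8-001a2b3c4d5e"

if __name__ == "__main__":
    for sample in (SAMPLE_NIC, SAMPLE_RANDOM, SAMPLE_LOCAL):
        print(sample, node_from_v1_uuid(sample))
```

Even a node value with no warnings is only what the client chose to report, so it works as one fingerprint signal among several rather than as proof of machine identity.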


