Forgive me if I'm wrong, but it looks like if you could install a system font on a computer then you could create a unique fingerprint for that computer that is detectable by any website?
I am uniquely identifiable out of the 3.7 million samples because of my system fonts.
Also the funny thing is you cannot be tracked by this, because whenever you install a new font, update a plugin, install a plugin etc, you change your unique data.
Their paper [1] mentions this, and suggests that ~37% of individuals who returned for repeat testing had differing fingerprints (they assessed this via a control cookie, placed by the site). Although this seems high, this was over the entire life of the experiment, with some users returning after weeks or months.
Importantly, we can assume that the fingerprint will change incrementally, and remain mostly constant (e.g., upgrade a plugin OR install new fonts, but probably not everything at once). Therefore, closely-spaced repeat visits could be algorithmically matched, even if the fingerprint changes. This could be especially effective when including other "unstable" (short term) information, such as IP or geolocation, something the authors did not attempt (because these are generally unstable).
From the paper (page 13):
"We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1-2 hours or more after their first visit, and who now had a divergent fingerprint. Excluding users whose fingerprints changed because they disabled javascript (a common case in response to visiting panopticlick.eff.org, but perhaps not so common in the real world), our heuristic made a correct guess in 65% of cases, an incorrect guess in 0.56% of cases, and no guess in 35% of cases. 99.1% of guesses were correct, while the false positive rate was 0.86%. Our algorithm was clearly very crude, and no doubt could be significantly improved with effort."
I'm not sure how your conclusion follows from your premise. You are still trackable until you install a new font, update a plugin, install a plugin, etc. This may not happen for some time.
Even when you do make a change, you could still easily be tracked in many cases. If I see a new signature that I have never seen before that differs from an existing signature only by the version of a plugin, I can probably safely assume it's the same person, especially if I see that the plugin was updated between the last time I saw the existing signature and now.
I have a feeling that web developers are extra vulnerable to this type of tracking because we tend to install several useful developer extensions, and many of us have our own unique combination of extensions.
On top of that, if you use a resource that had only previously been used by your previous fingerprint, your identity can probably be smeared that way too. This is only measuring client-side entropy, but there is also server-side entropy that can be used to make inferences about clients.
If the only factor they're ever tracking you with is your fonts, then yes, you're correct.
But what if you have the same IP address, user-agent, and plugins for a week, and midway through the week your font fingerprint changed? Then they just go and tie both fingerprints, or replace the old one with the new one.
In reality this is not going to be a problem for any web service that seriously attempts to track users, and there are multiple such companies that are doing so and don't let this stop them. Usually only one fingerprint will change at a time, which makes it easy for them to account for it.
The only good solution is to prevent them from capturing that information in the first place, and the only way to prevent it is to block Javascript and Flash, which is most easily done with NoScript.
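The linking step described in the two comments above (a new fingerprint that differs from a stored one in only one component, such as a bumped plugin version or a slightly changed font list, while IP and everything else still agree, gets tied to the old record; if several things changed at once, no guess is made), as an added Python example. This is not the Panopticlick code or the paper's actual heuristic; the 90% font-overlap threshold, the one-week linking window, and the sample fonts, plugin versions and IP addresses are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# All thresholds and sample data below are constructed for illustration;
# they are not taken from the Panopticlick paper or site.
COMPONENTS = ("user_agent", "plugins", "fonts")
FONT_OVERLAP_MIN = 0.9      # assumed: font lists must still overlap by 90%
MAX_LINK_AGE = 7 * 86400    # assumed: only link visits less than a week apart


@dataclass
class Observation:
    """One visit: the control cookie (ground truth), the fingerprint, an IP, a time."""
    cookie_id: str
    fingerprint: dict   # {"user_agent": str, "plugins": {name: version}, "fonts": set}
    ip: str
    seen_at: int        # seconds since epoch


def fingerprint_hash(fp: dict) -> str:
    """Hash of a canonical serialisation; equal hashes mean an exact fingerprint match."""
    canon = {"user_agent": fp["user_agent"],
             "plugins": sorted(fp["plugins"].items()),
             "fonts": sorted(fp["fonts"])}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def _version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def plugin_upgrade(old: dict, new: dict) -> bool:
    """Same plugin set, exactly one plugin changed, and its version went up."""
    if old.keys() != new.keys():
        return False
    changed = [p for p in old if old[p] != new[p]]
    return len(changed) == 1 and _version(new[changed[0]]) > _version(old[changed[0]])


def font_drift(old: set, new: set) -> bool:
    """A few fonts installed or removed, but the lists still mostly overlap (Jaccard)."""
    return len(old & new) / len(old | new) >= FONT_OVERLAP_MIN


def link(history: list, new: Observation) -> tuple:
    """Guess which earlier visitor `new` is: (cookie_id, reason) or (None, reason).

    Only one fingerprint component may differ, and the short-lived signal (IP)
    must still agree; otherwise the tracker makes no guess.
    """
    new_hash = fingerprint_hash(new.fingerprint)
    matches = []
    for prev in history:
        if new.seen_at - prev.seen_at > MAX_LINK_AGE or new.ip != prev.ip:
            continue
        if fingerprint_hash(prev.fingerprint) == new_hash:
            return prev.cookie_id, "exact"
        changed = [c for c in COMPONENTS if prev.fingerprint[c] != new.fingerprint[c]]
        if len(changed) != 1:
            continue  # several things changed at once: do not guess
        if changed[0] == "plugins" and plugin_upgrade(prev.fingerprint["plugins"],
                                                      new.fingerprint["plugins"]):
            matches.append((prev.cookie_id, "plugin upgrade"))
        elif changed[0] == "fonts" and font_drift(prev.fingerprint["fonts"],
                                                  new.fingerprint["fonts"]):
            matches.append((prev.cookie_id, "font change"))
    ids = {cookie for cookie, _ in matches}
    if len(ids) == 1:
        return matches[0]
    return None, ("ambiguous" if ids else "no guess")


# Constructed sample visitor (not real data).
BASE_FONTS = {"Arial", "Calibri", "Cambria", "Consolas", "Courier New",
              "Georgia", "Segoe UI", "Tahoma", "Times New Roman", "Verdana"}
BASE_FP = {"user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Firefox/3.6",
           "plugins": {"Shockwave Flash": "10.1.53", "Java": "1.6.0"},
           "fonts": BASE_FONTS}
T0 = 1_300_000_000
HISTORY = [Observation("cookie-A", BASE_FP, "198.51.100.7", T0)]


def demo() -> tuple:
    # 1) Flash updated two days later, same IP: linked to cookie-A.
    upgraded = dict(BASE_FP, plugins={"Shockwave Flash": "10.1.82", "Java": "1.6.0"})
    r1 = link(HISTORY, Observation("?", upgraded, "198.51.100.7", T0 + 2 * 86400))
    # 2) One font installed (10 of 11 fonts still shared): still linked.
    more_fonts = dict(BASE_FP, fonts=BASE_FONTS | {"Source Code Pro"})
    r2 = link(HISTORY, Observation("?", more_fonts, "198.51.100.7", T0 + 3 * 86400))
    # 3) Fonts and plugins changed in the same visit: refuse to guess.
    both = dict(upgraded, fonts=BASE_FONTS | {"Source Code Pro"})
    r3 = link(HISTORY, Observation("?", both, "198.51.100.7", T0 + 4 * 86400))
    # 4) Identical fingerprint but from a different IP: the short-term signal vetoes.
    r4 = link(HISTORY, Observation("?", dict(BASE_FP), "203.0.113.9", T0 + 5 * 86400))
    return r1, r2, r3, r4


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The "no guess" branch is what keeps the false-positive rate low: a tracker that links on any partial overlap would be wrong more often, so a real system would tune the overlap threshold and the linking window per component rather than use the fixed values assumed here.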
I don't think the majority of those who track you (e.g. retargeting advertisers) would need to track you for more than a month, that is, unless you are setting up your system or tweaking your IDE, it is very unlikely that you will change your set of fonts within that time.
Also, they aren't particularly picky about keeping you, the trackee, forever uniquely-identifiable.
Consider this: when was the last time you (the non-average) or your grandmother (the average) installed a font?
That's not exactly true, but there is no public research that shows the contrary. I worked on a research project at INRIA earlier this year that focuses on that topic: http://stopfingerprinting.inria.fr/
AFAIK the project is still active, but no definitive conclusion has been obtained.
I have a boxee and I'd been thinking about how to implement this for a while.
It seems like it should be possible to have a box act as a web server proxy where it mirrors a web page to several displays.
It would be pretty slick if you could get a simple http proxy to support screen mirroring like this, because then it wouldn't matter what combination of set top box / phone / tablet you have... you could mirror anything.
That is very true. I would like to see a remote like that with a slight bump on 'up'. Outside of the symmetrical design, I love the idea of a small keyboard on the bottom.
"There also seems to be some performance problems arising. But nobody has been pushing any updates to fix that. So you need to reboot the device every now and then."
I've been having the same problem. I've configured it to stop scanning my Windows PC network shares and that seems to have fixed the "endlessly rebooting every 30 seconds" problem I was having... but I'm still having a problem where if I leave it on for over a day then it will lock up or lose internet connectivity.
My other big gripe is that when I use the menu to shutdown it just locks up the box instead of shutting down.
I've been considering giving the hacked boxeeplus firmware a try, but I haven't bothered because I know it's not supported either.
I was happy that they included the "you should change your password on all other websites if it is the same" line.
I find that's the biggest hurdle that average users can't grasp: it's not about one website getting hacked; it's that if your ubisoft password is the same as your email address password then they can now log into your email address, which means they can probably take over every online account you have.
I love the idea of the heartbeat feature. Is that a real feature of the iwatch?