In article <37508fcfd2063c80087a57b70960d99e@dizum.com>, Nomen Nescio wrote:
> this and other info that you have not obtained explicit permission to
> gather is none of your business.

We'll have permission. The terms of service for the chat and message
services will say something that covers that. I'll see if I can also put a
reminder of this in the login dialog, so people can't "forget" it.

(Yes, we could now argue over whether something in a TOS or EULA counts as
permission...)

> fortunately the security aware can either block your attempts to gather
> info or feed you false data with ease

How? No firewall can block this. Perhaps you missed it...this is for an
online chat and message service. It is impossible to use the service
without a TCP connection to our servers, so simply blocking connections to
the server would also stop the user from using the service.

To feed false info would require intercepting numerous Windows system calls
and diddling them--not something anyone can do "with ease". Feeding false
data by diddling the TCP stream won't work, because the login information
(and the machine indentification information would be in the login
information) is encrypted using strong public key cryptography. So, to feed
false information that way, someone would have to reverse engineer the
encryption code to see what system we use and get the public key and figure
out the details (padding, checksuming, etc.), and be able to diddle the TCP
stream. Again, not a "with ease" thing.

(Hmmm....multiple virtual machines under VMWare? Nah...I know how to detect
that).

So...any ideas? To state the problem in a different form: we have users
using an online chat and message service. Users sometimes do things that
make us want to ban them from the service, perhaps for a short time to cool
off, perhaps forever. The service allows free, essentially anonymous,
users, so we can't just ban by account--that only works for people who have
bought our full service. A simple chat/message ID number doesn't work,
because people have already figured out that they can go to the registry and
change that. So, we need to identify a machine sufficiently to be able to
say "Hey! This machine that appears to be logging in as a free user for the
first time is really the same machine as this other one that was given a one
week ban yesterday!".

--
Evidence Eliminator is worthless: www.evidence-eliminator-sucks.com
--Tim Smith