[liberationtech] Trackography

Thu Jan 8 04:50:08 PST 2015

On Thu, Jan 8, 2015 at 12:55 PM, Aymeric Vitte <vitteaymeric at gmail.com>
wrote:

>  Obvious question maybe: how do we interpret the results (% of what?)
>

Suppose to have 20 media in a specific country (the media kept in account
are the [national] and [local] section in these files
https://github.com/vecna/trackmap/tree/master/verified_media ),

suppose 18 media includes google, and you've Google 90% in this
visualisation: https://trackography.org/rich.html

The other page, instead, if more focused on infrastructure ownership.

If one media include automatically X third-party content, your browser is
performing X+1 connection (in the main map, https://trackography.org, are
called "unintended connection"), those connection are passing through
foreign infrastructure. Which company (and therefore, which country) owns
these infrastructure ? is enough that one connection between the X+1 touch
a specific country, to be considered in the percentage.

by theory, if you are connected to a media in your nation, and this media
is not including third party, you'll see 100% only on your country. This
depends also on the agreement between Internet Carrier, and is the reason
why I report the first Autonomous System lookup in the traceroutes. (and is
the reason why, per country, you may have different percentage with tests
ran from different ISP).

One connection is enough to leak the referrer of your HTTP connection, and
then, an hypothetical eavesdropper can profile your navigation (also if you
are changing website) or man-in-the-middle and inject some kind of flash 0
day exploit or such.

just hypothesis, we don't know if someone is doing, but evaluate how much
the citizen are exposed and to whom, is one of the goal of the project.

>
> For each given site, how can you be sure that phantomjs catches all the
> links?
>

yes, I guess, I admin I've to experiment other techniques, but at the
moment the script in the repository is a modified version of
https://code.google.com/p/phantomjs/source/browse/examples/netlog.js and
what matter for me is catch the third party inclusion chained (you'll see
when, with NoScript, you enable a specific resource, and this resource
cause the loading of other blocked scripts, etc. in a default without
blocking, all those are automatically download and executed.)

> (with proxy settings set to yours) so all connections attempts are catched
> by the proxy?
>

I'm thinking on implement this proxy solution (or use node.js + jsdom
https://github.com/tmpvar/jsdom ), because I want collect the content of
html+css+js, and apparently with phantomjs I can't. (Or just I've not yet
figure out "how do that" :) ).

Bye,
C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20150108/18458506/attachment.html>