[HN Gopher] TeamViewer installs suspicious font only useful for ...
___________________________________________________________________
TeamViewer installs suspicious font only useful for web
fingerprinting
Author : kevincox
Score : 650 points
Date : 2022-07-20 10:58 UTC (12 hours ago)
(HTM) web link (www.ctrl.blog)
(TXT) w3m dump (www.ctrl.blog)
| smeej wrote:
| Companies that routinely deal with remote access scams (I'm
| thinking especially of crypto exchanges) could check for this
| font and display specific warnings only to people who had
| TeamViewer installed on their Windows machine (probably
| disproportionately represented among scam victims).
|
| TeamViewer is a long way from the only software being used for
| this, but it's kind of a cool opportunity.
| Flimm wrote:
| My proposal:
|
| 1. Browsers should ship with a set of fonts used just in the web
| browser that web designers can count on. Right now, there isn't a
| font I can count on finding in Chrome on all platforms. This
| especially matters for non-English languages, where a different
| system font can lead to a website that looks very different.
|
| 2. Browsers should not load fonts installed in the operating
| system. It's a fingerprinting vulnerability. And it also causes
| issues where the system-installed font is unexpectedly different
| from platform to platform. For example, Arial is different across
| platforms, especially once you consider non-English languages.
| adrian_b wrote:
| When for displaying Web pages a browser uses beautiful locally
| installed fonts instead of ugly widely available fonts, such as
| Arial, that is not a fingerprinting vulnerability.
|
| It becomes a fingerprinting vulnerability only after the
| browser (or a script with the permission of the browser) sends
| information to a 3rd party about which fonts are used on your
| computer to display text.
|
| The efforts to prevent vulnerabilities must focus on preventing
| undesirable communication between browsers/scripts and other
| parties, and not on how the Web pages are displayed, which
| should be done according to the user preferences.
| jonnycomputer wrote:
| Unpopular opinion: Arial is fine.
| d2wa wrote:
| Arial Nova, not installed by default, is better. Free
| download in the Microsoft Store. Like Helvetica Neue, it's
| slightly more readable by increasing the size of some
| punctuation marks, lengthening horizontal strokes (e.g. t),
| and greatly improving kerning.
| justsomehnguy wrote:
| I never had a problem reading a text on a web-page in the
| default fonts. Web-pages with some ultra-uber-kewl-modern
| font? Yep, I had.
| NikolaNovak wrote:
| I think I could happily live with say half a dozen fonts on
| the web (plus variations of bold/italic, if we want to
| count those as multipliers) for the rest of my life. Serif,
| SansSerif, Mono, Weird - that's really my ability or care
| to tell fonts apart, when I'm there for the interesting
| article or funny video.
|
| But it's that tension:
|
| I, as a consumer, am happy with simplicity
|
| They, as producers, want branding and differentiation (not
| to mention tracking and all sorts of other things)
|
| Ultimately, and we mustn't forget this, they the producers
| are the ones investing effort they need a return on; and we
| the consumers are lousy when it comes to voting with our
| feet, dollars, scrolling thumbs and back buttons.
| jerf wrote:
| We're talking about system fonts here, not webfonts, so
| they can differentiate as much as they like with
| webfonts. Webfonts would still be available. Although
| they'd also have to go into the per-site cache to prevent
| sites from fingerprinting by whether or not you already
| had the font loaded via some other site.
|
| (Web fonts can be quite space-effective, if the site can
| serve a trimmed-down version that doesn't have the whole
| unicode space in them. CSS even has support for breaking
| the font into pieces so if a bit of unicode does slip
| through on some page you can still go get "the rest" of
| the font.)
| lelandfe wrote:
| > support for breaking the font into pieces
|
| And in the future, Incremental Font Transfer will make
| this even easier: https://www.w3.org/TR/IFT/
| weberer wrote:
| Arial fails the Il test. If you can't tell the difference
| between these two characters, then the font sucks.
| rpadovani wrote:
| > The efforts to prevent vulnerabilities must focus on
| preventing undesirable communication between browsers/scripts
| and other parties, and not on how the Web pages are
| displayed, which should be done according to the user
| preferences.
|
| And how would you do so? Probably I lack in fantasy, but I
| really don't see a way to distinguish _necessary_ traffic
| from traffic that is useful only for exfiltrating data.
| ocdtrekkie wrote:
| The problem is you have to be willing to define a scope for
| what a web page should and shouldn't do. The largest
| developer of web browsers, though, happens to be obsessed
| with injecting support for crud like MIDI devices and
| serial ports to the web platform, which makes it
| hard to define a good boundary for behavior.
| viraptor wrote:
| And how do you define if something is undesirable? Is sending
| the width of an element ok? Then you can encode any message
| you want by putting text into an element and sending its
| size. Is lazy-loaded image ok? Then you can construct a font
| with different heights so that displaying a letter will /
| won't put the following image in the visible area.
|
| You can't derive the intention from the page behaviour.
| [deleted]
| Waterluvian wrote:
| It's amazing how fingerprinting is making the browser worse on
| every possible front and the best we can do is propose making
| it even worse.
| chii wrote:
| fingerprinting is a vulnerability that didn't exist
| previously (when browsers were designed).
|
| it's now difficult to remove that capability without
| affecting sites (display-wise, not fingerprinting-wise).
| reality sucks.
| account42 wrote:
| The "vulnerability" has always existed, it was just not as
| widely exploited (or at least not known to be).
|
| As for how to fix it: When the cost for technical measures
| to ensure security gets too high we need legal measures to
| ensure a higher-trust society where such technical measures
| are not needed. We don't all live in locked down fortresses
| with bullet proof windows and filtered air and water
| supplies either even though technically that makes us more
| vulnerable.
| lelandfe wrote:
| > Browsers should not load fonts installed in the operating
| system
|
| Already in the works, and some browsers don't today (eg
| Safari). They permit the default system fonts (eg Helvetica)
| but nothing more from user space.
|
| In the future it will be a permission you grant a site:
| https://wicg.github.io/local-font-access/
|
| It's a great move. The benefits of local fonts are negligible
| and the downsides are clearly enormous
| dingleberry420 wrote:
| I don't understand why they don't just ship a huge set of
| fonts by default. I'm probably missing some licensing
| bullshit, but look at Google Fonts and all the amazing fonts
| there. They're called open source fonts. Is there anything
| stopping firefox et al from just bundling them, or at least
| downloading them on-demand from a trusted server (not
| google)?
|
| It would be lovely if all web developers could just assume
| that the entirety of google fonts is at their disposal in a
| native way without having to resort to webfonts and the
| overhead that brings.
| pbhjpbhj wrote:
| I'd be happy to have many more resources this way, use a
| hash and some sort of frecency -- but we've moved away from
| sharing resources across sites, unfortunately.
| layer8 wrote:
| The problem is not shipping alternative fonts, but blocking
| access to the system fonts. For compatibility reasons,
| there needs to be a mechanism to still allow access for
| specific websites. That's what the planned feature linked
| by the parent is for.
| d2wa wrote:
| > I don't understand why they don't just ship a huge set of
| fonts by default.
|
| It takes a lot of work to draw a reasonable large set of
| all the Unicode characters for a given language. Time is
| money and fonts are ridiculously expensive.
|
| That being said, Firefox has funded a few fonts over the
| years but they don't bundle them with the browser. Google
| has a huge collection but doesn't bundle them either. It
| makes more sense with Google as it can collect user data
| from its WebFont as a service system.
| dingleberry420 wrote:
| Right, but the Google Fonts are open source so the work
| has already been done.
| https://developers.google.com/fonts/faq
| jonnycomputer wrote:
| Crazy, in a way, that it wasn't already this way from the
| beginning.
| layer8 wrote:
| There weren't any good permissibly-licenced fonts available
| back then, and browser fingerprinting only became a thing a
| decade or so later.
| gfaster wrote:
| imo it's more crazy that people thought of tracking users
| by using a font in the first place. The level of human
| ingenuity that has gone into spying on people is
| staggering.
| greyhair wrote:
| Follow the money. It is always about the money. I was at
| a corporate security conference where one of the speakers
| stated that organized crime groups hire the top
| mathematicians and computer scientists from the top
| universities every year. They provide them with
| laboratories that you wish your company could afford.
| regentbowerbird wrote:
| Did the speaker have a source for that claim beyond their
| own word?
|
| Surely there would be issues with such a scheme.
| lelandfe wrote:
| WebKit/Safari gets dunked on a lot for being slow to
| implement features (sometimes rightfully so), but for many
| features, this is exactly why. Check out this long list of
| APIs they're purposefully dragging their feet on out of
| privacy concerns:
| https://webkit.org/tracking-prevention/#table-of-contents-to...
| SahAssar wrote:
| Many of those are gated behind permissions in the
| browsers that have implemented them, and safari could
| gate the rest too. Or they could collaborate with the
| working groups to reduce the fingerprinting hazard.
|
| Many other features that safari has been late with have
| basically no fingerprinting usefulness like web push.
| enkrs wrote:
| The web and ideas back then were different. It was so cool
| to choose wingdings as a font, and make it <blink>. The web
| would not have evolved the way it is now if we hadn't had
| the freedom back then.
| bagpuss wrote:
| many years ago, too many fonts would cripple an average
| Windows install.
| danuker wrote:
| Google pushes Noto, which is a requirement on Arch for Firefox.
|
| I ignore its updates, because they're large and quite frequent.
|
| https://github.com/archlinux/svntogit-packages/commits/packa...
| btdmaster wrote:
| It is not a requirement. Packages that depend on it, like
| firefox, only depend on the virtual package ttf-font, which
| happens to be satisfied by noto-fonts:
| https://archlinux.org/packages/extra/x86_64/firefox/.
|
| This means that you get to choose from ttf-liberation,
| ttf-bitstream-vera, ttf-droid, gnu-free-fonts, noto-fonts,
| ttf-croscore, ttf-ibm-plex, ttf-dejavu or even all the stuff in
| the AUR.
| danuker wrote:
| Wow, thanks. I was wrong. I will check out the other TTF
| fonts.
| p4bl0 wrote:
| Noto is also the default KDE font family.
| p4bl0 wrote:
| Agreed.
|
| In the meantime, there is a Firefox addon called Font
| Fingerprinting Defender that attempts to mitigate this attack:
| https://mybrowseraddon.com/font-defender.html
| josefx wrote:
| > I can count on finding in Chrome
|
| Not like they have any ulterior motives to ensure your users
| have to ping Google's font service every time they open a page.
| None at all.
| pbhjpbhj wrote:
| The page should provide a hash, no need to ping a server,
| just a local cache lookup (like per-site cache schemes now)
| then a user-selected choice of downloading from the
| first-party, or an ordered list of third-parties.
| d2wa wrote:
| Browsers are all moving towards origin-isolation. So, even
| when you download a font from fonts.example.com from
| example.net; that downloaded font won't be available to
| example.org.
|
| The local cache is, unfortunately, also an unintended
| source of fingerprinting and cross-origin communication.
| bgro wrote:
| On this point, I would like to put some of the major libraries
| (like jQuery) just wrapped into the browser and developers have
| to deal with it. Common graphics like the loading spinner could
| be included as well. Do we really need to be constantly
| redownloading all of this? It seems like a waste.
| alophawen wrote:
| The file in question is TeamViewer15.odf
|
| As usual on HN, people are speculating and guessing rather than
| studying the subject.
|
| https://file.io/8EeNRguzVgpj
| thejosh wrote:
| Except for the fact that it's incredibly gross to do so. Why
| the hostility?
| jeffhuys wrote:
| File is deleted.
| alophawen wrote:
| Welp. Let me put it somewhere else.
|
| https://easyupload.io/88vq7v
| pnw wrote:
| This is a pretty common hack for shortcut launching, something
| which browsers have restricted over the years.
| stormdennis wrote:
| 30 days before your subscription expires, TeamViewer sends you a
| friendly email to remind you that your subscription expires in
| 30 days and to be sure to renew before then in order to not lose
| service.
|
| What that email does not tell you is that unless you cancel your
| subscription at least 30 days (ie on that very day) before your
| sub expires they will renew you automatically and demand a full
| year's subscription under threat of legal proceedings.
|
| Personally I believe that the purpose of this email is to lull
| you into a false sense of security that you can just let your
| subscription lapse instead of renewing when that is far from the
| case.
| timmb wrote:
| Had a similar experience with AnyDesk, who quietly decreed that
| they need 3 months notice before the end of the year otherwise
| you're tied into another year. And there are zero options to
| make contact with them.
|
| It's a shame because I occasionally need something with that
| functionality and would otherwise have happily renewed when I
| need it.
| inversetelecine wrote:
| Yes. AnyDesk is often touted as a TeamViewer replacement but
| they're just as bad and shady.
|
| Both subreddits are full of users helping grandma only to get
| banned for commercial use, for example.
|
| I gave RustDesk (FOSS) a try and it was nice but slow and I
| don't currently have the time or resources to self host near
| me to see if that makes a difference.
|
| There is a need in this space for a good home use Remote
| Desktop that's easy to use and if touted as free for
| non-commercial use, doesn't end up banning you later without hard
| evidence (or just limit free users to 1 session, etc).
|
| Right now they all seem to be chasing medium/large/enterprise
| money which makes sense I suppose due to the current state of
| remote work.
| ssheth wrote:
| Try MeshCentral .. free and open-source but you can use the
| "Public Server" to give you a quick and easy remote desktop
| access to another device you setup the agent on.
|
| https://meshcentral.com/info/
| lotsofpulp wrote:
| Why is Apple able and willing to offer free, easy to use
| Remote Desktop capability for both macOS and iOS, but
| Microsoft does not?
|
| Same with Apple offering an awesome PDF manipulating
| program with Preview and print to PDF, and Microsoft taking
| many more years to come up with just print to PDF.
| bzxcvbn wrote:
| Except Microsoft does, it's called QuickAssist and it's
| installed by default. Calling it up is as easy as
| pressing Win+Ctrl+Q. (Or the normal way in the app list,
| obviously.) At this point, using TeamViewer is just
| inertia.
| lotsofpulp wrote:
| That is news to me! I've been using chrome Remote Desktop
| for the longest time. Maybe I can drop it now.
| sireat wrote:
| Sadly QuickAssist seems to be moving backwards..
| https://www.bleepingcomputer.com/news/microsoft/windows-admi...
|
| The big advantage TeamViewer and AnyDesk offers is the
| ease of installation for non-technical users.
| bzxcvbn wrote:
| If someone is able to download an exe and install a
| program, they're able to click on a link to the store and
| install the program...
|
| Besides, that article is outdated. As far as I can tell,
| every complaint has been fixed.
| sireat wrote:
| Everyone knows how to use a browser to some extent.
|
| Windows Store adds one extra step (either a complicated
| link or search in store)
|
| Yes it is a trivial step for most users but those needing
| the help most will struggle.
|
| https://apps.microsoft.com/store/detail/quick-assist is
| not exactly shining with positive reviews.
|
| That said I will evaluate QuickAssist and see if it
| actually meets my needs.
| y-c-o-m-b wrote:
| FWIW I've been using AnyDesk for _free_ for connecting to
| my work laptops (located at home, but they're on my work
| VPN) from my home PC for at least 3 years now with zero
| issues. I've been waiting for the day that they finally
| pull the plug, but it's yet to happen (knock on wood).
| inversetelecine wrote:
| I used it fine up until lockdowns and work from home
| stuff. Account was flagged sometime early 21 along with a
| flood of other users who were initially ignored and then
| told to fill out a form and hope to get allowed back on.
|
| My AD use was three home computers to either view them
| (LAN) or to assist my parents with various questions
| occasionally. Never any server OS used or on the network.
| No domain controllers, no email servers, heck at the time
| I didn't even have any Linux or BSD machines.. physical
| or virtual. It was baffling and forever soured my view of
| AD.
| sireat wrote:
| Supposedly AnyDesk was started by ex-TeamViewer employees.
|
| Personally I've been very happy with AnyDesk after
| migrating 3 years ago from Teamviewer. Seems a bit more
| performant too.
|
| I've had no commercial nagging from AnyDesk despite using
| it on about 20 computers. (15 of my own + tech support for
| friends and family)
|
| TeamViewer got nasty quite quickly.
|
| RDP is nice when it is available but surprisingly less
| performant on more intensive graphics.
|
| There are a variety of open source VNC solutions but they
| suffer from the lack of firewall punch through and setup
| issues.
| inversetelecine wrote:
| The performance was good (TeamViewer was still slightly
| better imho) I just took issue with the commercial
| detection problems and then having to go to a webpage to
| beg for them to unban you.
|
| I agree given the two options I'd choose and recommend
| AnyDesk first.
|
| Over a 50/50 commercial wireless link RDP over wireguard
| was best for most users that I had test. AD/TV a close
| second and VNC was so perceptually laggy that it was a no
| go from the start.
| onphonenow wrote:
| Same with AnyDesk - horrible if you have a larger business
| account!!
|
| Of course FTC is going after apple for their 'terrible' App
| Store policies
| inversetelecine wrote:
| Worse actually. I was lucky enough to read the fine print
| and canceled just a month in. They called to figure out why
| I canceled so fast and when I pointed out the user hostile
| terms they said "oh ok thanks have a nice day."
| tut-urut-utut wrote:
| Team Viewer is a German company. In Germany, it's pretty common
| to have a contract automatically extend for a year if you don't
| cancel one to three months in advance. Most of the German users
| actually expect that behaviour, so it's not a surprise to them.
|
| It's user hostile, and only recent legislation is trying to fix
| this.
| xen2xen1 wrote:
| Privacy.com is my goto now to fix problems like this. Not
| private.com, that's VERY different. Made that mistake once.
| _jal wrote:
| Example #354 of why the shift to subscriptions and cloudified
| everything has resulted in me using more open-source for
| consumer-style apps.
|
| It turns out that, if you refuse to simply let me throw money
| at you in exchange for software and instead demand an ongoing
| relationship, I'm almost certain to just nope out and find a
| different way to fix my problem.
|
| Intentionally baking a bad offboarding experience gives the
| game away - companies who do this think you're a chump and will
| happily fuck with you for another nickel rather than build a
| better product.
| markdown wrote:
| lol why do people put up with these scams? I want to sign up
| just so I can tell them to fuck off when they try that with me.
| throwk8s wrote:
| If they said you would "lose service", and you did not lose
| service, wouldn't that count as making a false representation?
| tartoran wrote:
| That is a classical dark pattern already.
| user3939382 wrote:
| Where is Congress, the FTC, state Attorney General, and DOJ on
| this kind of stuff?
|
| I bet you if one of these tricks was a problem for the donors
| that run our government it would be taken care of.
| slackfan wrote:
| Trusting bureaucracy to handle anything except its own
| preservation?
| hattar wrote:
| If our representatives weren't all so old, they might have a
| concept of these types of issues. Unfortunately without age
| limits we're stuck with candidates so old that most lack an
| awareness of the most common issues of living and working
| with the internet.
| [deleted]
| DrewADesign wrote:
| Blatantly ageist. Even if legislators entirely relied on
| their own understanding of technology to make policy
| decisions, it would not apply here-- replace that _e-mail_
| with a letter, phone call, telegram, or any other sort of
| communication and you've got the same exact problem. Unfair
| sales tactics and shady long-term contractual obligations
| aren't exactly a _new problem._ When you get a few more
| years under your belt, you'll realize that the advantages
| afforded by a young person's perspective can be valuable
| but are more ephemeral and superficial than those brought
| by experience and wisdom.
| brycewray wrote:
| It's not about age (nearing 67 here, so I bristle at such
| mentions). Probably even the youngest members of Congress
| wouldn't have a clue about some of these items. It comes
| down to things like what their staff knows and what they've
| actually experienced themselves. One doesn't generally
| reach public office and/or the staff of an office-holder
| through a path even remotely like what a typical HN
| commenter has followed.
| greyhair wrote:
| The ageism in the reply makes me bristle as well. A
| little past 65 here. Currently employed at my third
| startup gig in my thirty eight year embedded systems
| career. Ignorance spans all age levels.
| Stratoscope wrote:
| 70 here, and working on an automated order taker for
| restaurant drive-thrus.
|
| My role is part Developer Experience Engineer (making
| sure our developers are happy and productive), part
| Roving Troubleshooter, and part whatever else needs to
| get done.
|
| One of our most important metrics is obviously how many
| orders we complete on our own without crew intervention.
| So I spend a lot of time looking at our chat logs from
| the stores to figure out why we had to escalate to the
| crew - or why they decided to take over the order.
|
| "Welcome to McDonald's. What can I get for you?"
|
| The running joke on our team is that most of us don't eat
| at McDonald's that often. But there is one sandwich I
| really like, you just have to customize it a bit.
|
| "I'd like a fish filet, no cheese, with lettuce and
| pickles"
|
| They use real fish in this, wild caught Alaskan pollock.
|
| "Got it. Anything else?"
|
| "A guava pie and that's it."
|
| The guava cream cheese pie is really nice. A friend
| suggested we try it, and I was skeptical. But I would
| order it again any time. Not overly sweetened like I
| feared, and good flavor.
|
| Disclosure: I work for IBM on this and currently our
| exclusive customer is McDonald's. (And it should be
| obvious that I don't get paid extra when you order one of
| my recommendations.)
| wpietri wrote:
| Your theory is that legislators mainly write legislation
| themselves about problems they have personally experienced?
| Because my understanding is that legislators are just the
| most visible person on a team, with much of the work being
| done by staff, who range widely in age. Based, of course,
| on input from constituents, lobbyists, civil society
| organizations, and government agencies.
|
| I think it's pretty weird to jump right to "the olds know
| nothing" when the problem is a niche and relatively new
| scam. Scammers are always finding new scams. Would I like
| the lag time between scam creation and scam elimination to
| be faster? Sure. But I'd guess that legislator age is well
| down the list of factors causing that.
| inkeddeveloper wrote:
| And by staff you mean lobbyists.
| jerf wrote:
| That's not an "internet" issue, that's a contract issue.
| The vast bulk of our representatives are fully credentialed
| with some credential that says they understand that, and
| the remaining few that don't can't have failed to pick up
| the super basic level of understanding it takes to
| understand that. Moreover, I'm sure quite a lot of them
| have been personally screwed at some point by a contract.
| Old they may be, but they're nowhere _near_ as old as this
| sort of trick.
|
| Given the nature of their previous work and their
| credentials, a good number of them have probably _written_
| contracts that have one variant or another of this trick in
| them.
| tyingq wrote:
| >I haven't examined archived versions of the TeamViewer website;
| it might have used the font in the past.
|
| That seems the most likely explanation. That it was once used
| somewhere in TeamViewer, no longer is, but is still packaged. I
| don't think there's a real conspiracy involved.
| rawoke083600 wrote:
| Lol, that is horrible and kinda clever! Still horrible - lol.
| Linus (Linus Tech Tips) is renowned for hating them and their
| sales tactics.
| jes wrote:
| I had a TeamViewer subscription for a few years. Getting it
| cancelled when I elected not to renew it was tedious and
| difficult.
|
| I don't recommend TeamViewer anymore. My opinion is that they are
| janky as hell.
| joenathanone wrote:
| I paid for a lifetime license, who knew that a lifetime was
| less than 10 years? My lifetime license was revoked and I have
| to buy the latest version I want to continue using. No thank
| you.
| AndyJames wrote:
| I think Linus from Linus Tech Tips had the same issue. It's
| worth watching this on YT
| HanClinto wrote:
| This was hilarious, thank you for the tip!
|
| Here's the ref in case anyone else wants to watch it also:
|
| https://www.youtube.com/watch?v=SCRzaGUKEFA
|
| https://www.youtube.com/watch?v=mBC5BqRNkas
| m-p-3 wrote:
| One thing I understood a while ago is that any service
| claiming a lifetime license is it's either the lifetime of
| the product or the company, not the customer.
|
| I tend to avoid it unless I'm fairly certain the product /
| company will last for longer than it would cost me per year
| of a subscription (to make sure my "investment" is worth it),
| and that I'll use it extensively.
|
| Nothing is truly forever, and more so in the world of
| software.
| TheFreim wrote:
| What's the best alternative you've found? I personally use
| anydesk from time to time when helping family with tech issues
| remotely, but I haven't looked too much at other software.
| seanw444 wrote:
| Unless I'm misunderstanding what you're looking for, TightVNC
| has served all the purposes I needed for remote desktop.
| nazgulsenpai wrote:
| Zoho Assist works pretty well. I use at work but it also has
| a good free tier.
| sllewe wrote:
| Screenconnect and Splashtop come to mind. Yes - both have
| their flaws, but are much more palatable than TV.
| m-p-3 wrote:
| I use Chrome Remote Desktop for personal use, works well
| enough for me.
| degenerate wrote:
| NoMachine is the closest 1:1 experience to Teamviewer I've
| found. It uses the same video capture method and offers a lot
| of the same features such as drag-and drop file copying and
| aspect ratio controls. The downside is the UI is very odd and
| difficult to maneuver, but once you get used to it, you'll
| ditch TeamViewer.
|
| You will also need to connect to hosts with IPs and open your
| ports; it doesn't have the ability to punch through firewalls
| like TeamViewer can.
| cabirum wrote:
| I skimmed the article and looks like they didn't try to compare
| the font from two different PCs. I think it may be a uniquely
| generated/procedural font, identifying a specific installation.
| d2wa wrote:
| It is not unique per system. As mentioned in the article, the
| font only changes version number between TeamViewer updates.
| turtleman1338 wrote:
| How do you know? The font number does not matter as the
| website won't see that. To check uniqueness of the fonts you
| would need to actually compare the content of installed font,
| not only the name. It would be totally possible that the
| installer is packed with the font, but dynamically alters it
| before actually installing it.
| alophawen wrote:
| Instead of spreading ridiculous claims, why won't you just
| confirm your hypothesis?
|
| All it takes is two IPs and two downloads of their installer and
| compare checksums.
|
| https://download.teamviewer.com/download/TeamViewer_Setup.ex...
|
| 4440facac7b7bf11478a0368ce448adc732d97ae TeamViewer_Setup.exe
| [deleted]
| cabirum wrote:
| The font can be generated _after_ installation.
|
| I don't have Windows near me to run tests myself.
| alophawen wrote:
| It's not. It is embedded in the installer with a sha1 of
| 692a2bd8cce1c4ac62f7cd505907aa8e21ab3b69, which you would
| have known had you actually studied the suspicious file at
| hand, rather than just go with the narrative posted in the
| blog.
| jonnycomputer wrote:
| You might be right, but your comments fail the "common
| decency" standard.
| alophawen wrote:
| dymk wrote:
| Well, they're right, and they did the work to verify they
| were right, as opposed to the other people in this thread
| blindly making assumptions. They care more about the
| truth than the other posters.
|
| Makes them more decent than the others, in my book.
| tiagod wrote:
| They didn't, really.
|
| Sure, the installer ships a font file, and sure, the most
| obvious answer is that it's just installed as is.
|
| But my app also ships a bunch of templates, and it
| doesn't mean users will always see the same thing when
| they're loaded. The font binary could have some magic
| number that's replaced with a fingerprint ID.
|
| Most likely it isn't, but the work to verify would
| actually involve installing TV in two different machines,
| and comparing the installed files.
| dymk wrote:
| They did, really.
|
| If you think they're going through the hassle to ship a
| font file but sleight-of-hand install a different font,
| then why do you think they wouldn't also go through the
| hassle of further hiding what they're doing? For instance,
| replace a preexisting font you wouldn't think to look at?
|
| If you think it's honest-to-god malware, then provide
| evidence that it's malware. Installing a font does not
| make software malware. Checking for the presence of an
| installed font is not malware.
| bzxcvbn wrote:
| Have you checked that the installer does not alter the
| file during installation?
| asojfdowgh wrote:
| It's a comment section / blog post, not a paper that needs
| violent peer review.
| dingleberry420 wrote:
| I appreciate someone actually checking things for
| themselves, instead of just joining the rage party.
| thepill wrote:
| TeamViewer - not Teamspeak...
| alophawen wrote:
| Thanks, updated.
| monkeydust wrote:
| For what possible intention though?
| pjerem wrote:
| You render this font in a web canvas that your js can
| interpret. Boom, fingerprinted. That's amoral but that's
| really clever.
| umeshunni wrote:
| but why?
| sschueller wrote:
| If they are so hell bent on forcing users to pay, stop offering
| a free version.
| squarefoot wrote:
| That would equal fishing without bait on the hook :)
| huhtenberg wrote:
| Ha, excellent point.
|
| You could potentially leak any small piece of information by
| encoding it in glyph shapes. Should be enough capacity for
| something like MachineGUID.
| hereme888 wrote:
| Brave browser randomizes default installed language and fonts to
| resist that sort of fingerprinting.
|
| Just a shill for Brave.
|
| *Edit: well, I didn't know randomization or the plain use of
| Brave itself is a useful fingerprint point.
| paulryanrogers wrote:
| Wait, doesn't randomizing make one more easily fingerprinted?
| Unless every check returns different results. And even that
| behavior could be a strong signal to distinguish Brave from
| other browsers.
| hoistbypetard wrote:
| Unfortunately, if a site can detect that a visitor is using
| Brave, that is a very useful datapoint for fingerprinting.
| d2wa wrote:
| navigator.brave.isBrave()
| hoistbypetard wrote:
| Right. I'm saying that, on the only site I run where I look
| at this kind of thing, when I review the stats, "uses
| Brave" puts a visitor into a pool of 2 people. Preventing
| me from enumerating their fonts is a valiant effort,
| though.
| password4321 wrote:
| Does anyone know where to get Palida Narrow, the font installed
| by the Gauss malware?
|
| https://arstechnica.com/information-technology/2013/03/the-w...
| mwcampbell wrote:
| I choose to assume there's a benign explanation for this.
| Nobody's perfect; nobody can be expected to do everything in the
| optimal, least suspicious way; sometimes developers just have to
| come up with a good-enough solution for something and ship it. So
| let's look for the most charitable explanation of this. It's how
| we'd want online randos to approach our own work, right?
| 4ggr0 wrote:
| I'm currently using TeamViewer on a single PC, but I'm searching
| for an alternative. Big plus if the alternative is OSS + self-
| hosted, but I'm open to other solutions.
|
| My current workflow is -> Connect to HomeVPN -> Turn on Gaming PC
| with WakeOnLAN -> Connect with TeamViewer to start Steam -> Start
| gaming with Steam RemotePlay. I did not find a way for Steam to
| autostart without logging into Window, that's the only reason I
| currently use TeamViewer, essentially to login and start Steam.
| justsomehnguy wrote:
| If you already connect through the VPN then just use the built-
| in RDP (not available in Home SKU, AFAIR).
|
| You can replace it with NoMachine NX or just with some variant
| of VNC.
| 4ggr0 wrote:
| > not available in Home SKU
|
| That's exactly my issue :)
| Kaze404 wrote:
| If you enable auto login on Windows as well as tell Steam to
| open on login, it should cut out those steps from your
| workflow.
|
| Edit: here's a link that tells you how to do that. It's a bit
| involved since you have to mess with Registry keys, but it
| should be possible https://www.alphr.com/how-to-enable-auto-
| login-in-windows-10...
| 4ggr0 wrote:
| That would indeed be a possibility, but I'm absolutely not a
| fan of not requiring any authentication to power-on and use
| my PC :D
| Kaze404 wrote:
| Fair enough. Since you mentioned it's a Gaming PC
| specifically, I assume this is a machine that's only used
| for that. In that case I personally wouldn't mind leaving
| it unprotected, but I can understand why someone else
| would.
| maxloh wrote:
| Try RustDesk. They have an open source server for self-hosting.
| 4ggr0 wrote:
| This looks very promising after checking out their website
| and github for a couple of minutes. Thanks for the tip!
| seized wrote:
| Chrome Remote Desktop is honestly not a bad option for
| something like this. It has an unattended mode and you can set
| long passphrases in addition to 2FA/etc.
| 4ggr0 wrote:
| I've used this a couple of years ago, did work well, yes. But
| these days I try to avoid Google, which disqualifies this
| solution. But thanks for the recommendation anyways!
| thegeomaster wrote:
| Have you tried Parsec?
| 4ggr0 wrote:
| No, but it looks very interesting. So this would replace
| TeamViewer and Steam RemotePlay at the same time, not bad.
| Just not that big of a fan about the pricing. $100 per year
| just so that my SO can play on their PC at their home, while
| I'm not at my home, seems a bit steep.
|
| Yeah, my use-case is very specific, I know. I don't even game
| remote myself, but if I'm on holidays or at work and my
| partner wants to game from their home, I need a way to be
| able to power on my PC and everything necessary for it to
| work. A complete niche, first-world problem :)
| thegeomaster wrote:
| I myself use the free tier, didn't miss any of the paid
| features. It's easily the best, lowest-latency, most no-
| hassle remote desktop tool I've ever used. Once they add
| Linux hosting I won't mind shelling out some cash either.
| yamazakiwi wrote:
| My desktop machine is not in my living room but I like to
| watch shows on my large TV while gaming from the couch.
|
| I use Parsec and remote to my desktop from my shitty
| laptop and get much better performance than I would just
| gaming with an integrated chipset and it's portable.
| Also, plugging in a usb controller into my laptop
| automatically controls the desktop without any setup.
|
| Only bad thing I can say is that they got bought by Unity
| last year and Unity is now merging with IronSource :/
| maxloh wrote:
| jabroni_salad wrote:
| Guacamole and MeshCentral are both pretty good and can play
| with windows computers.
| 4ggr0 wrote:
| Guacamole looks interesting because I could access my PC via
| HTTP, which would be handy. Just have to check if it works
| well with no-login autostarts.
|
| MeshCentral looks promising, but RustDesk, which another
| comment recommended, seems to do the same thing in a more
| attractive way.
|
| Thanks!
| seized wrote:
| Guacamole is a slightly different use case, it depends on a
| server in the middle. You connect to Guacamole, it
| RDPs/VNCs/etc to the target.
| DonHopkins wrote:
| I would love to have a nice scalable TrueType font of the
| fingerprints of famous serial killers and criminals and
| insurrectionists like Donald Trump. That would be so cool! You
| could scatter them all over your documents to make them look
| incriminating.
| Kukumber wrote:
| Nice discovery, indeed that is very suspicious, I wish Microsoft
| would have sorted out permissions for Windows..
|
| This would help notice things like that earlier
|
| I use this: https://processhacker.sourceforge.io/ It gives me
| notifications whenever a process creates/deletes services, and
| also has a nice CPU graph in the system tray. Thanks to that I
| noticed Windows will eat your CPU/disks whenever you're AFK, some
| telemetry/update thing running in the background.. even when you
| just idle watching a video.. inefficient telemetry software..
| sweet.. what a time to be alive
| rejectfinite wrote:
| > some telemetry/update thing
|
| Could be automatic maintenance
| https://www.tenforums.com/tutorials/40119-enable-disable-aut...
| , updates to programs, the windows store updates or windows
| update service...
|
| What says it is Telemetry?
| Kukumber wrote:
| I forgot the name, I'll try to note that down whenever I'm on
| my Windows partition
| dingleberry420 wrote:
| Also just disk indexing which exists to make your user
| experience better. Not everything is malicious.
| Kaze404 wrote:
| If they're indexing your disk 24/7 for a better user
| experience and searching for something still barely works
| half the time, I'd be less embarrassed if it was attributed
| to malice.
| MaxikCZ wrote:
| Indexing is running all the time yet when I search for
| something it takes ages to find anyways.
|
| Yet "Everything" indexes my disk in a minute and spits out
| results instantly.
|
| Even if Windows indexing ain't malicious, it certainly behaves
| as if it is.
| d2wa wrote:
| > Even if Windows indexing ain't malicious, it certainly
| behaves as if it is.
|
| The problem is that closing files takes a lot of time on
| Windows. https://www.youtube.com/watch?v=qbKGw8MQ0i8
| kaetemi wrote:
| Is that the Microsoft Store related process (wsappx) that has a
| habit of spinning the CPU for hours?
| mdp2021 wrote:
| The configuration in Firefox
| privacy.resistFingerprinting
|
| should impede it (<<Not all fonts installed on your computer are
| available to webpages>>), but I am not sure, as I do not know the
| exact "which fonts to expose" rule.
|
| Edit: in theory, it should allow only "<<base>>" fonts and not
| user installed. In practice, more details would be useful.
| Ansil849 wrote:
| > In practice, more details would be useful.
|
| More details (the lists of whitelisted fonts per OS) are here:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1336208
| midislack wrote:
| Why would you even use TeamViewer? It just seems shady.
| stevewatson301 wrote:
| This is a very charitable interpretation of corporate behavior,
| but perhaps one reason this could have been implemented is to
| enable support teams to detect if it's installed on a system.
|
| As with anything though, it could be abused by tech support
| scammers. Overall, I wish such things weren't implemented.
| squarefoot wrote:
| I used TeamViewer less than twice a month for a few elderly
| relatives who needed help when I wasn't visiting. One of them
| sadly passed away recently, and another stopped using computers,
| so my usage went almost to zero. What angers me is that the fine
| folks/algorithm at TeamViewer kept killing my connections because
| they thought I was a professional abusing their free service.
| Screw them: now I'll either find an alternative or nothing.
| Ansil849 wrote:
| To lessen font enumeration attacks in Firefox, you can go to
| _about:config_ and make sure _privacy.resistFingerprinting_ is
| set to _True_.
| orbital-decay wrote:
| RFP is great but it also heavily interferes with addons. It
| disables Ctrl and Alt key combinations for them, breaks
| scrolling and timer-based behavior, and generally renders many
| of the addons unusable in various ways.
| d2wa wrote:
| That setting can cause weird rendering issues in PDFs.
| Ansil849 wrote:
| You can create a separate Firefox profile to effectively use
| as your PDF reader application.
| gruez wrote:
| That's probably due to canvas fingerprinting protections,
| which can be turned off by clicking on the canvas icon in the
| address bar.
| p4bl0 wrote:
| I cannot use this because it always resets the custom zoom
| level for web site. For example I cannot browse HN with the
| default font size, so I set Firefox to zoom 120% for
| news.ycombinator.com, and I don't want to have to do that each
| time I come back to the site.
| Ansil849 wrote:
| Yes, this is by design:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1369357
|
| Privacy is at odds with usability, sometimes.
| p4bl0 wrote:
| Yes yes I understand that :). I'm just warning that
| enabling it can lead to important usability issues.
| 6f wrote:
| The font is used by the teamviewer website. When inviting a
| partner to a teamviewer session, one can do so by sharing the
| invitation url.
|
| The invitation url looks like this (where XXXXXXXX is the session
| code).
| https://get.teamviewer.com/v15/en/sXXXXXXXX
|
| The website will check if a teamviewer font is installed (using
| javascript). If the font is found, the web site assumes that
| teamviewer is installed. The teamviewer installer also registers
| a protocol handler in the operating system. The website
| (javascript code) will thus try to launch teamviewer directly
| using a url like the following:
| teamviewer8://instantsupport/?sid=XXXXXXXX
|
| Otherwise, if the font is not found, it will prompt the user to
| download and install the teamviewer application.
|
| Source: Font detection routine:
| https://get.teamviewer.com/get/res/scripts/fontdetect.js
|
| Connect routine:
| https://get.teamviewer.com/get/res/scripts/connect.js
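The detection-then-dispatch flow described in this comment, together with the canvas width-measurement trick pjerem mentions further up, written out as an added example; this is not TeamViewer's own fontdetect.js or connect.js. The font family name is a placeholder (the comment does not quote it) and the widths in the offline simulator are constructed values.

```javascript
// Added example, not TeamViewer's fontdetect.js or connect.js: the usual
// width-comparison font probe plus the dispatch logic the comment describes.
// TV_FONT_NAME is a placeholder (the comment does not quote the family name),
// and the simulated widths below are constructed, not measured.

const FALLBACK_FONTS = ["monospace", "sans-serif", "serif"];
const PROBE_TEXT = "mmmmmmmmmmlli"; // wide and narrow glyphs amplify width differences
const TV_FONT_NAME = "TeamViewerFontPlaceholder"; // placeholder name

// Browser measurer: renders PROBE_TEXT off-screen with a given font stack
// and returns its width in px (the canvas trick pjerem describes).
function makeCanvasMeasurer(doc = document) {
  const ctx = doc.createElement("canvas").getContext("2d");
  return (fontStack) => {
    ctx.font = `72px ${fontStack}`;
    return ctx.measureText(PROBE_TEXT).width;
  };
}

// Offline stand-in for the browser measurer (constructed widths): with the
// font present, any stack naming it resolves to that font; without it,
// the browser silently falls through to the generic fallback.
function makeSimulatedMeasurer(fontPresent) {
  const fallbackWidths = { monospace: 507.3, "sans-serif": 463.9, serif: 470.2 };
  return (fontStack) => {
    const [first, fallback] = fontStack.split(", ");
    if (fallback === undefined) return fallbackWidths[first];
    return fontPresent ? 519.8 : fallbackWidths[fallback];
  };
}

// A font counts as installed if, for at least one generic fallback, the
// stack `"font", fallback` renders at a different width than `fallback`
// alone. A candidate whose metrics happen to match one fallback is still
// caught by the others, which is why three fallbacks are probed.
function isFontInstalled(fontName, measure) {
  return FALLBACK_FONTS.some((fallback) => {
    const base = measure(fallback);
    const probe = measure(`"${fontName}", ${fallback}`);
    return Math.abs(probe - base) > 0.01;
  });
}

// The invitation page's decision: launch the registered protocol handler
// when the marker font is found, otherwise tell the user to install.
// The session code is validated so it cannot smuggle extra URL syntax.
function chooseLaunchTarget(sessionCode, fontFound) {
  if (!/^[A-Za-z0-9]{1,32}$/.test(sessionCode)) {
    throw new Error("session code must be alphanumeric");
  }
  return fontFound
    ? { action: "launch", url: `teamviewer8://instantsupport/?sid=${sessionCode}` }
    : { action: "prompt-download" };
}

// From a visitor's point of view this same probe is one fingerprinting bit
// readable by any site; Firefox's privacy.resistFingerprinting hides
// non-whitelisted fonts, so the probe reads "absent" whatever is installed.
function runDemo() {
  const measure = typeof document === "undefined"
    ? makeSimulatedMeasurer(true)   // Node: simulate a machine with the font
    : makeCanvasMeasurer();         // browser: measure for real
  const found = isFontInstalled(TV_FONT_NAME, measure);
  return chooseLaunchTarget("ABCD1234", found); // constructed session code
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```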
| Illniyar wrote:
| Oh! That's clever.
| btilly wrote:
| Why, then, do they only install the font on Windows? Why not do
| the same thing on OS X or Linux?
| cuteboy19 wrote:
| Not worth the effort presumably.
| scosman wrote:
| Good find. Disproves the "only useful for web fingerprinting".
| It's also useful to their users for a fairly common flow.
|
| Don't assume malice, but do consider side effects of your
| decisions.
|
| This does add an extra bit to web-fingerprinting, it's only 1
| bit. Someone intentionally trying to add fingerprinting could
| do much more malicious things. Unique font names or uniquely
| generated font w varying letter widths could completely de-
| anonymize a user. This seems scoped to identifying team-viewer
| users, not identifying/fingerprinting individuals.
| takeda wrote:
| > This does add an extra bit to web-fingerprinting, it's only
| 1 bit.
|
| Every single bit doubles the value so 1 bit could still be a
| lot.
| TehCorwiz wrote:
| It's more than that. The font encodes the version of Zoom
| that is installed.
| vel0city wrote:
| It's technically more than one bit, as it has a different
| version of the font for each major version of Teamviewer. So
| there are several different fonts Teamviewer may have
| installed depending on when you installed it.
| jacquesm wrote:
| 1 bit is pretty good when you only need 33 (soon 34).
| norwalkbear wrote:
| I wouldn't assume malice if this was a small startup of 4-5
| Richard Stallmans or maybe 20 years ago.
|
| In this case, I think it IS malice. The font encodes way more
| data that you'd expect.
|
| Assuming malice from corporations should be the default in
| today's society.
| Agamus wrote:
| Precisely my thoughts, though I think this is more
| problematic than simple, nefarious malice.
|
| Sometimes it is the case that no one behind the decisions
| is being malicious - e.g., perhaps just trying to
| accomplish a task at hand on a tight timeline.
|
| As such, the default in today's society, where we are more
| or less 'on our own' on this issue, should be to assume
| that even while that vehicle over there is indeed about to
| plow into the crowd, there is often no one behind the
| wheel.
|
| We should default to an even more suspicious approach.
| neodypsis wrote:
| What can a user do to protect him/herself against malicious
| fingerprinting using web fonts?
| electroly wrote:
| This is still web fingerprinting. They are using this,
| specifically, for fingerprinting. They don't care about the
| font; they care about being able to spot TeamViewer users in
| a crowd. The only difference here is it's being done for a
| beneficial purpose. "TeamViewer installs font only useful for
| web fingerprinting" is absolutely true; only the word
| "suspicious" is untrue because now we know what it's for.
| throwaway290 wrote:
| Fingerprinting requires there to be a purpose of
| identifying an individual device, and is done by collecting
| multiple data points that _in aggregate_ are a unique
| combination.
|
| Just knowing you have a font or TeamViewer, like just
| knowing your IP or viewport size, isn't fingerprinting your
| device.
| cyanydeez wrote:
| Any unique data point can be used in building a
| fingerprint.
|
| The forest for the tree here
| dymk wrote:
| They may not be baking a cake, but they have all the
| ingredients to bake a cake. They also give everybody else
| who is currently baking a cake an additional ingredient.
| throwaway290 wrote:
| You don't get to call a thing something it isn't simply
| because you don't like that thing.
|
| The action of taking your fingerprint to identify you is
| fingerprinting. Providing you a handrail without a
| purpose of identifying you, even though it happens to
| take your fingerprint for anyone else, is not
| fingerprinting. Changing your fingerprint is not
| fingerprinting.
|
| This is an abuse of a technology with more harm than
| benefit if you ask me. Calling it "fingerprinting" is
| still a category error.
| kaetemi wrote:
| And according to the Internet, everything is cake.
| merely-unlikely wrote:
| the cake is a lie
| EGreg wrote:
| That's why this attempt to stay anonymous -- or even more
| ambitiously, prevent metadata from being aggregated to
| reveal mass patterns among many users - is useless.
|
| Eventually, everything will be collected using an actual
| use case -- contacts, photos etc. -- and the AI will
| process it and make deepfakes of anything.
|
| We won't be able to trust any video evidence. The future
| is about watermarking and signing stuff using your own
| private keys. And even then, someone can just announce
| their private keys somewhere and have plausible
| deniability after that. Too many such renunciations
| though would be suspicious.
|
| The world is going to be as unfamiliar to us, breaking
| enough of our assumptions, as when people didn't know
| about gramophones and televisions and instant
| communication, assuming that it would take time for a
| messenger to get a message out. Today we expect a ton of
| info to flow over always-on connections. Similarly our
| assumptions about identity and privacy and democracy are
| going to be totally smashed by AI and bots soon.
|
| Swarms of bots using GPT-4 and deepfakes will be able to
| drown out the vanishingly tiny amount of information that
| all the humans writing online produce, and adversarial
| networks will make them far more effective at convincing
| a crowd of humans that X event happened or to support Y
| policy, or even rewrite history and science. The same way
| that AlphaZero defeated AlphaGo which defeated human
| players, because it had far more combinations than all
| humanity combined did, and then downloaded the learnings
| to each node (Leela and others do the same).
|
| All that is missing is decentralized swarms of bots, that
| have no single point of failure, and can update their
| weights autonomously.
|
| I will go even further and say that CAPTCHAs will become
| irrelevant. Humans won't be the primary economic actor
| for online services, because botnets will control far
| more capital and everyone will do some work for a botnet,
| such as being a caretaker etc. No one will even know or
| care who is giving the assignment or writing to them
| anymore.
|
| The sad part about this is that botnets based on GPT3 and
| deepfakes are simply bullshitters that don't understand
| things like Cyc -- they literally throw bullshit at a
| wall and see what sticks. It's sad but this will
| collectively outperform collective human reasoning at
| convincing humans because ALL our systems are vulnerable
| to be subverted that way.
| sofan wrote:
| I'd rather we try for change than stagnate in the current
| state of the world. Have a little faith in humanity.
| jonatron wrote:
| A side effect is that it allows anyone running a website to
| build a database of TeamViewer installs behind IP addresses.
| If there was a TeamViewer security issue, that database could
| be useful.
| ST2084 wrote:
| This was my first reaction.
| [deleted]
| stuckinhell wrote:
| The days of not assuming malice are long past. We have many
| documented cases of malice from corporations and world
| governments.
|
| We must assume malice and push back on the invasion of our
| rights.
| mwcampbell wrote:
| The fact that some corporations and governments are guilty
| doesn't mean they all are. And the fact that they're guilty
| of some things doesn't mean we should assume they're guilty
| of others. It's no different than with people; corporations
| and governments are made of people, after all.
|
| Besides, the constant negativity is just exhausting for all
| involved. I'm glad intellectual curiosity won out on this
| thread, at least for now.
| robertlagrant wrote:
| That's true, but as soon as you allow something, you're
| probably allowing it for all time for all future
| governments.
| [deleted]
| midislack wrote:
| In today's world, ALWAYS assume malice.
| mwcampbell wrote:
| The world is, to some extent, what we make it. If we're
| going to make it better, we can't give up so completely; we
| have to have hope that the world can be made better, and
| that we're not alone in trying to do so. That's why I
| choose to assume that the TeamViewer developers are merely
| trying to make the best of the constraints they're working
| in, i.e. no proper way for a website to determine whether
| the custom protocol handler is already installed. In their
| situation, I would probably be forced to do the same thing,
| and I wouldn't appreciate such negativity. I assume you
| wouldn't either.
| midislack wrote:
| In short "bend over, we're coming in, but SMILE while we
| do" eh? This isn't working any more. You did this.
| mwcampbell wrote:
| This is the benign explanation I was looking for. It's a clever
| hack for providing a good user experience for the person who's
| receiving remote support, who can't be assumed to be computer-
| savvy.
|
| Of course, it would be better still if there was a standard way
| of setting up specific URL patterns under specific domains to
| automatically launch an associated desktop app if that app is
| installed. iOS can already do this through the "/.well-
| known/apple-app-site-association" URL on the domain. It's why
| Zoom and Teams links, when opened on an iOS device, always go
| straight into the native app once that app is installed.
|
| Edit to add: BTW, the file at the well-known Apple path also
| gives me a way of detecting a Zoom invite URL in one of my own
| products, even though Zoom URLs can have custom domains.
| WorldMaker wrote:
| > Of course, it would be better still if there was a standard
| way of setting up specific URL patterns under specific
| domains to automatically launch an associated desktop app if
| that app is installed.
|
| The "PWA" standard for "/.well-known/apple-app-site-
| association" is "related_applications" [0] in the Web App
| Manifest standard and specifically here where
| "prefer_related_applications" [1] is set to true.
|
| [0] https://developer.mozilla.org/en-
| US/docs/Web/Manifest/relate...
|
| [1] https://developer.mozilla.org/en-
| US/docs/Web/Manifest/prefer...
| ayewo wrote:
| Interesting. Based on your comment, I did a quick check and
| only Zoom gives a valid response. The parent domain for
| Microsoft Teams doesn't seem to respect the convention.
|
| https://zoom.us/.well-known/apple-app-site-association - 200
| OK
|
| https://www.microsoft.com/.well-known/apple-app-site-
| associa... - 404 Not Found
| acous wrote:
| https://teams.microsoft.com/.well-known/apple-app-site-
| assoc...
| vel0city wrote:
| www.microsoft.com is a pretty generic page. Microsoft makes
| a lot of applications _other_ than Teams. Should it open
| Onedrive? Excel? OneNote? Xbox?
|
| If you go to the actual Teams site, it does have the apple-
| app-site-association link.
|
| https://teams.microsoft.com/.well-known/apple-app-site-
| assoc...
| ayewo wrote:
| Heh, I've never used teams before so when I did a few
| searches I got sent to www.microsoft.com and office.com.
| None of the links on page 1 and 2 of the SERP led to
| teams.microsoft.com.
| mwcampbell wrote:
| Not surprising; teams.microsoft.com goes straight to a
| login page, so you wouldn't know that's the domain unless
| you use the product.
| EGreg wrote:
| That used to be cool but now browsers support this check for an
| app natively. Does TeamViewer do it to support much older
| browsers?
| throw03172019 wrote:
| Great findings! Great little workaround they developed - super
| useful.
| userbinator wrote:
| It seems like giving _only_ TeamViewer 's site the ability to
| see this font would solve the fingerprinting problem and let it
| work as designed.
|
| Per-site font lists don't seem to be a common feature in
| browsers nor extensions, however.
| system2 wrote:
| I assume you are working for TeamViewer from the newly created
| account and only response from it. Please let your sales team
| know that they are awful.
| hedora wrote:
| So it's a cookie. Do they ask for permission to set it in the
| EU?
| GrumpyNl wrote:
| That is a great idea, generate a font on the fly with the
| info you need and you have your alternative cookie. Question
| is, do you have to treat it as a cookie?
| hatware wrote:
| Are you being pedantic?
| Griffinsauce wrote:
| Are EU laws specifically about cookies or do they have
| broader wording?
| detaro wrote:
| The 2009 ePrivacy directive, also known as "Cookie law",
| speaks of "the storing of information, or the gaining of
| access to information already stored, in the terminal
| equipment of a subscriber or user".
|
| GDPR is concerned with all personal data processing, cookie
| or not is even more irrelevant to it applying.
| kevincox wrote:
| This could very easily be justified as a functional cookie.
|
| Honestly if this could only be detected from a TeamViewer-
| owned domains it would be basically a non-issue. The more
| concerning bit is that this can be used to build a cross-site
| fingerprint.
| turtleman1338 wrote:
| It would be totally sufficient to use the protocol handler. You
| also can not be sure teamviewer is not installed, just because
| the font is missing. The user could use an older version that
| does not include the font, or could have removed the font
| manually.
| mwcampbell wrote:
| But can JavaScript check whether the protocol handler is
| installed? Or can it only attempt to use the protocol
| handler, then give the user if-then-else instructions to
| manually handle the case where it's not installed? Remember,
| a remote support product has to assume that the user
| receiving support doesn't have the knowledge or energy to go
| through a complex setup process, which is presumably a
| digression from whatever problem they were having in the
| first place.
| alex_suzuki wrote:
| It cannot. Enumerating protocol handlers is actually an
| excellent fingerprinting technique. That's why platforms
| like iOS for instance forbid it, or you have to explicitly
| specify which ones you'll query (see:
| https://developer.apple.com/documentation/uikit/uiapplicatio...).
| tiagod wrote:
| > The user could use an older version that does not include
| the font
|
| Teamviewer versions are not backwards-compatible
|
| > It would be totally sufficient to use the protocol handler
|
| The error when it's not installed could be confusing to the
| user. Remember this is a remote support product, you must
| assume the user is not tech literate. You must also assume
| the user is on IE5 or something.
| shikoba wrote:
| As soon as you bow to proprietary software you implicitly accept
| those kinds of behaviors.
___________________________________________________________________
(page generated 2022-07-20 23:01 UTC)