> Even Meta and Yandex were recently caught joining in the privacy-invasive free-for-all.
Damn, even Meta have joined the dark side?
I’m skeptical of these side channel attacks that rely on training a neural network on specific controlled scenarios on controlled hardware. I believe that with enough time and effort and the perfect circumstances where the user is only visiting their website and doing one other thing that the network was trained on it can match.
It does not seem useful as a general purpose side channel vector.
I'm surprised their 1GB file wasn't cached entirely in RAM during the attack, eliminating the SSD from any timing. Do people keep their machines so heavily loaded that a file being constantly read from doesn't stay in the cache?
It should be fairly easy to mitigate, no? Simply add random access times. Localstorage doesn't need to be that fast. More generally I find it very annoying how much browsers allow by default (JavaScript, localstorage, GPU access etc.) - there's only a very limited number of websites I want to be able to run GPU-accelerated shaders.
Why would it be a new way? Tracking via timing has always existed, you can also know the browsing history of someone with some DNS trick, nothing really new, the article is misleading with "new way", it has literally been possible for a decade.
I was interested in this so I created a proof of concept: https://github.com/brammittendorff/opfs-ssd-timing
I laugh at your spying attempts from my HD-equipped laptop, ...
That's it, I'm turning off JavaScript for everything non essential from here on out.
For a more technical read: https://news.ycombinator.com/item?id=48345822
I wonder if Mozilla's container tabs block this type of tracking?
Still don't really understand how it works - I put the reddit logo into your local storage and it only took 20ms to take it out again instead of 50ms so therefore you have reddit open in another tab?
Why don't SSDs trust websites anymore?
Because every time they open up, the site gives them the F̶R̶O̶S̶T̶ cold shoulder.
It's really not surprising that letting websites run arbitrary code on your machine, even in a sandbox, would lead to things like this.
I think what would be more interesting is using this as a side channel for communication between different sandboxed contexts.
Correction: websites have a way to spy on visitors: JavaScript.
Ahhh Ars Technica, I wonder if the technical article is by Dan Goodin. (It is)
I enjoyed his C Programming books for dummies series.
Maybe don’t let Google decide what its browser can and can’t do on my computer…
Why do browsers need to do this? Feels like an edge case need, at best, that was likely just a cover for some power Google wanted to exploit.
Sounds like nonsense. I guess this works on some test environment but not in real life. You would never know that I am running Tetris, for example.
{first.last}@tugraz.at
Wait, wait, wait: browsers allow websites to store junk on my drive? They take up gigabytes of memory and still write to disk on top of this? Without even asking whether the site can use local storage?
Years and years back when laptops still had HDDs, I had a script to put the Firefox profile &c on a ramdisk and sync it on reboots so that it didn't spin up the drive constantly. I guess I should have kept doing it.
It's a sad day when Arch users are right (again) https://wiki.archlinux.org/title/Firefox/Profile_on_RAM