Tracing/Tracking people on the Internet…

You know, it never ceases to amaze me how naive some people are. Some people think that doing something as simple as browsing a web page is anonymous, that they can use built-in features of things like Firefox to hide all information about themselves, and they know very little about the technical side of the Internet. That said, if you are just using Facebook and you follow the usual ‘safe’ rules for your interaction, like refusing all application invites, you will stay fairly anonymous… and if you’re really worried you’d use something like Tor to hide where you’re coming from.

Of course, if you access something that the person you are trying to hide from actually controls, you can easily be found, tracked, traced and watched without anything illegal being done. For example: I own this blog and administer the server, and I set the logging and access controls. From that alone, without any special equipment or tracking tools, I can locate and watch someone following my blog. I can see when they change IP addresses and in some cases even tell when they are accessing the blog from their partner’s house/internet connection. With a little more information, like the logs of a secured login, I can even tell when they are using a smartphone, internet dongle, proxy server, Tor service or boyfriend’s computer to access it…

Even without this information it is sometimes possible to track the person down to a hotel, pub, cafe, or even their street (depending on how well the internet service at their location is set up; the better the setup, the easier it is). I have been asked a few times whether I can teach this to people; the simple answer is “yes I can”, but it takes years to really teach it. (I might add that the same tracing can be applied to addresses found in email headers, which is how I learnt to do it, and where I most often get asked to teach the skill.)

So, very simply, an example..

A single log line from my blog…
114.77.xx.xx - - [15/May/2011:14:37:08 -0400] "GET /voodoolulu/banner-ad-75h.jpg HTTP/1.1" 200 30354

(xx.xx replaced to aid privacy as I don’t want to expose anyone)

So what can we know? Well, immediately we can perform a “whois” lookup on the address, which returns…

inetnum: 114.76.0.0 – 114.77.255.255
netname: OPTUSINTERNET-AU
descr: OPTUS INTERNET – RETAIL
descr: INTERNET SERVICES
descr: 1 Lyonpark Road, Macquarie Park, NSW – 2113
country: AU
admin-c: OI3-AP
tech-c: OI3-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-OPTUSINTERNET
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20080514
source: APNIC

Now, first thing: ignore the “1 Lyonpark Road, Macquarie Park, NSW – 2113”. That is the registered address of the organisation that holds the address range (the ISP), not of the visitor, so it tells us nothing here. Since no more localised registration data is available, the next step is to trace the route to the address, which gives…
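As an added example (not code from the original post), here is a small Python script that does the first two steps offline: it pulls the client address out of an Apache common-log line, parses RPSL-style whois output into fields, and checks that the address really falls inside the stated inetnum range rather than trusting the holder's postal address. The log line and whois text are constructed samples modelled on the ones above (the client address 114.77.0.1 is a placeholder, not a real visitor), and the whois_lookup helper, which shells out to the system whois client, is an assumption about the local tooling and is not called by the offline run.

```python
import ipaddress
import re
import subprocess

# Apache "common" log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log line (placeholder client address, not a real visitor)
SAMPLE_LOG = ('114.77.0.1 - - [15/May/2011:14:37:08 -0400] '
              '"GET /voodoolulu/banner-ad-75h.jpg HTTP/1.1" 200 30354')

# Constructed sample of APNIC-style whois output (fields as in the post, trimmed)
SAMPLE_WHOIS = """\
% [whois.apnic.net]
inetnum:        114.76.0.0 - 114.77.255.255
netname:        OPTUSINTERNET-AU
descr:          OPTUS INTERNET - RETAIL
descr:          INTERNET SERVICES
descr:          1 Lyonpark Road, Macquarie Park, NSW - 2113
country:        AU
status:         ALLOCATED PORTABLE
source:         APNIC
"""


def parse_log_line(line):
    """Split one common-log line into fields; None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_whois(text):
    """Parse 'key: value' whois output into {key: [values]}.
    Repeated keys (descr, remarks) keep every value in order; '%'/'#' comment lines are dropped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def inetnum_to_networks(inetnum):
    """'114.76.0.0 - 114.77.255.255' -> CIDR blocks covering the range.
    Accepts a plain hyphen or the en/em dash that web copy-paste produces."""
    start, end = re.split(r"\s*[-\u2013\u2014]\s*", inetnum.strip(), maxsplit=1)
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]


def ip_in_inetnum(ip, inetnum):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in inetnum_to_networks(inetnum))


def attribute_hit(log_line, whois_text):
    """Tie one log line to the allocation that contains it: holder, country, blocks.
    The descr address belongs to the allocation holder (the ISP), not to the visitor."""
    rec = parse_log_line(log_line)
    who = parse_whois(whois_text)
    inetnum = who.get("inetnum", [""])[0]
    return {
        "ip": rec["ip"],
        "in_allocation": ip_in_inetnum(rec["ip"], inetnum),
        "networks": inetnum_to_networks(inetnum),
        "netname": who.get("netname", [None])[0],
        "country": who.get("country", [None])[0],
        "holder_address": who["descr"][-1] if who.get("descr") else None,
    }


def whois_lookup(ip):
    """Live lookup through the system 'whois' client (assumed installed); needs network."""
    return subprocess.run(["whois", ip], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(attribute_hit(SAMPLE_LOG, SAMPLE_WHOIS))
```

The range check matters because whois servers answer with the most specific object they hold; if the query falls outside the inetnum returned, you are looking at a referral or a parent block, not the visitor's ISP.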


traceroute to 114.77.xx.x (114.77.xx.xx), 64 hops max, 52 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 10.116 ms 28.361 ms 9.733 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 10.069 ms 13.749 ms 11.962 ms
4 151.5.142.1 (151.5.142.1) 29.503 ms 18.506 ms 26.223 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 18.882 ms 24.529 ms 18.001 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 39.284 ms 36.969 ms 35.689 ms
7 151.6.3.10 (151.6.3.10) 48.129 ms 49.374 ms 33.130 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 57.627 ms 46.685 ms 44.753 ms
9 xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 235.392 ms
xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 291.282 ms
xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 237.674 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.624 ms 226.524 ms 220.423 ms
11 203.208.191.74 (203.208.191.74) 373.297 ms 374.333 ms 374.550 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 393.471 ms 389.727 ms 386.396 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 406.025 ms 406.293 ms 394.495 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 393.149 ms 391.939 ms 396.495 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.859 ms 402.673 ms 390.419 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *

At this point either the host is offline or, more likely, the probes are being filtered. A standard traceroute sends UDP probes to high-numbered ports, and many ISP edges and home routers silently drop those; the hop-by-hop discovery itself works with any packet type, so switch the probe (for example ICMP echo with ‘traceroute -I’, or TCP SYN to a port the target is likely to answer on) and run the same trace again…


traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 72 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 12.228 ms 9.862 ms 7.976 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 8.878 ms 10.389 ms 9.747 ms
4 151.5.142.1 (151.5.142.1) 17.765 ms 17.769 ms 18.752 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 19.743 ms 18.830 ms 17.517 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 46.316 ms 37.276 ms 36.122 ms
7 151.6.3.162 (151.6.3.162) 37.250 ms 52.920 ms 35.174 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 50.062 ms 50.338 ms 43.967 ms
9 xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 223.130 ms 221.214 ms 220.005 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.295 ms 222.547 ms 216.105 ms
11 203.208.191.74 (203.208.191.74) 380.631 ms 373.394 ms 370.138 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 388.697 ms 388.686 ms 387.816 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 394.667 ms 395.060 ms 393.294 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 392.353 ms 391.459 ms 390.155 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.976 ms 390.313 ms 387.935 ms
16 c114-77-xx-xx.fitzg3.qld.optusnet.com.au (114.77.xx.xx) 426.482 ms 400.787 ms 401.850 ms

So what has this told us? That the host is online and the end point is reachable, and that the route ends in an Optus network in Queensland, Australia (the ‘qld’ label in the reverse DNS name); with a little extra knowledge (take your guess; if you can’t spot it, you’ll never get it) it is a host behind the Fitzgerald routing point.
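As an added example (not the author's code), a Python helper that reads traceroute output and decides whether the destination was actually reached or the final probes were filtered, then pulls the region hints out of the last reverse-DNS name. The two traces embedded below are constructed, shortened versions of the ones above using the placeholder address 114.77.0.1 and a matching placeholder hostname; the AU_STATES table and the org_domain argument are my own heuristic for splitting an ISP hostname into its location labels, not anything the post specifies, and the fallback command list reflects the probe flags of the common Linux and BSD/macOS traceroute builds.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# one probe result: "host (ip)", an RTT "12.3 ms", or a timeout "*"
PROBE_RE = re.compile(
    r"(?P<host>[\w.\-]+) \((?P<ip>[\d.]+)\)|(?P<rtt>\d+(?:\.\d+)?) ms|(?P<timeout>\*)"
)

# Heuristic lookup (assumption): Australian state codes as they appear in ISP rDNS labels
AU_STATES = {
    "nsw": "New South Wales", "vic": "Victoria", "qld": "Queensland",
    "sa": "South Australia", "wa": "Western Australia", "tas": "Tasmania",
    "nt": "Northern Territory", "act": "Australian Capital Territory",
}

# Constructed, shortened traces modelled on the post (placeholder destination 114.77.0.1)
UDP_TRACE = """\
traceroute to 114.77.0.1 (114.77.0.1), 64 hops max, 52 byte packets
 1  * * *
 2  212.56.128.1 (212.56.128.1)  10.116 ms  28.361 ms  9.733 ms
 9  xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205)  235.392 ms
    xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85)  291.282 ms
15  fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118)  389.859 ms  402.673 ms  390.419 ms
16  * * *
17  * * *
"""
ICMP_TRACE = """\
traceroute to 114.77.0.1 (114.77.0.1), 64 hops max, 72 byte packets
 1  * * *
 2  212.56.128.1 (212.56.128.1)  12.228 ms  9.862 ms  7.976 ms
15  fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118)  389.976 ms  390.313 ms  387.935 ms
16  c114-77-0-1.fitzg3.qld.optusnet.com.au (114.77.0.1)  426.482 ms  400.787 ms  401.850 ms
"""


def parse_traceroute(text):
    """Return one dict per hop: ttl, list of (host, ip) responders, count of '*' timeouts.
    Continuation lines (a second responder for the same TTL) carry no hop number."""
    hops = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("traceroute to"):
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({"ttl": int(m.group(1)), "responders": [], "timeouts": 0})
            body = m.group(2)
        elif hops:
            body = line          # continuation of the previous hop
        else:
            continue
        hop = hops[-1]
        for pm in PROBE_RE.finditer(body):
            if pm.group("host"):
                hop["responders"].append((pm.group("host"), pm.group("ip")))
            elif pm.group("timeout"):
                hop["timeouts"] += 1
    return hops


def trace_outcome(hops, dest_ip):
    """('reached', host) if the destination answered; ('filtered', last host) if the trace
    went silent after earlier hops answered; ('unknown', None) if nothing answered."""
    answered = [h for h in hops if h["responders"]]
    if not answered:
        return "unknown", None
    last_host = answered[-1]["responders"][0][0]
    if any(ip == dest_ip for _, ip in answered[-1]["responders"]):
        return "reached", last_host
    if hops[-1]["timeouts"] and not hops[-1]["responders"]:
        return "filtered", last_host
    return "unknown", last_host


def rdns_hints(hostname, org_domain):
    """Labels between the per-customer prefix and the ISP domain, plus any state code found.
    c114-77-0-1.fitzg3.qld.optusnet.com.au -> tokens ['fitzg3', 'qld'], region 'Queensland'."""
    if not hostname.endswith("." + org_domain):
        return {"tokens": [], "region": None}
    inner = hostname[: -len(org_domain) - 1].split(".")
    tokens = inner[1:]   # drop the host-specific label (c114-77-...)
    region = next((AU_STATES[t] for t in tokens if t in AU_STATES), None)
    return {"tokens": tokens, "region": region}


def fallback_commands(dest, bsd_style=False):
    """Probe types to try in turn when the default UDP trace dies in '* * *':
    -I is ICMP echo on both Linux and BSD/macOS; TCP SYN is -T on Linux, -P TCP on BSD/macOS."""
    tcp = ["traceroute", "-P", "TCP", "-p", "80", dest] if bsd_style \
        else ["traceroute", "-T", "-p", "80", dest]
    return [["traceroute", dest], ["traceroute", "-I", dest], tcp]


if __name__ == "__main__":
    for label, trace in (("udp", UDP_TRACE), ("icmp", ICMP_TRACE)):
        state, host = trace_outcome(parse_traceroute(trace), "114.77.0.1")
        print(label, state, host, rdns_hints(host, "optusnet.com.au") if host else None)
```

The 'filtered' verdict is the signal to re-run with the next entry from fallback_commands; if every probe type ends in timeouts after the same last hop, treat that hop's name as the best location hint you will get without the ISP's help.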

So, given that I live in Malta and my blog is hosted in the USA, I suddenly know the country, the region and a very close location from which the person browsed…

Now if you have access (as I do) to an accurate Geo-Location service (eg