Spoiler alert! From the base64 encoded array in the source:
['how to appear funny', 'why are my thumbs uneven', 'am i lack toast and tolerant', 'your youre difference', 'why doesnt my poo float', 'midget google images', 'tall midgets??', 'homemade lube?', 'i hate my boss', 'what counts as fat', 'how to tell partner they fat', 'is it normal to still love my ex', 'how to get back with ex', 'penis remove dog how to', 'romantic ways to propose', 'engagement rings', 'sex shop in my city', 'how to tell if partner cheating', 'ways to kill someone hypothetically', 'undetectable poisons', 'how to delete search history in browser', 'ashley madison hack', 'view ashley madison list', 'ashley madison list my city', 'paternity test', 'mail order paternity test', 'attracted to mother why', 'is incest illegal in this country', 'latest laws incest', 'seduction guide', 'rohypnol safe dosage', 'smelly penis cure urgent', 'common STIs', 'STI test in my city', 'average penis size this country', 'do penis pumps work', 'best budget penis pumps', 'does liking men mean im gay', 'signs of being gay', 'how to come out as gay to dad', 'age of consent here', 'why is age of consent so old here', 'country low age of consent', 'flights philippines', 'isis application form', 'how to join isis', 'cheap syria flights from here', 'syria hotels with pool', 'bing', 'donald trump', 'OH COME ON DONT JUST COPY AND PASTE THE LIST FROM THE ARRAY YOU CHEEKY SCAMP']
I thought I'd been careful with the settings but I think at some point I must have missed something, fucking android, last google phone I buy full stop.
It depends. I have multiple windows (incognito and normal) containing many tabs. It takes copying the URL, Alt+Tab, Ctrl+V, Enter.
History is important, but the site is called "ruinmysearchhistory.com". I visit websites I know with my normal window, the rest is mostly in incognito and if it's something I want to remember, I'll make sure to include it (i.e. visit it in normal mode, Evernote, Bookmarks, email to myself, etc).
I do that when I'm already in incognito mode, not in normal mode because I don't know where the tab will be open (I have multiple incognito windows and I like to know where each tab is/will be).
Even better yet, don't keep a logged-in session for these tracking-giants. I only ever log onto gmail in an incognito window (and if I had Facebook, same there). On my mobile device it's a different story, so even more better yet, also turn the search-history off (you're using DDG anyway, right ^_^)
There are bigger problems and ones which put people at serious risk when forensics investigators don't know how fragile the search history implementation really is:
You'll note in the search history that the referrer is still there so from a forensics perspective it's known the history was populated via CSRF. That can be bypassed. Google has indicated they aren't going to fix the problem.
(Tedious disclaimer: my opinion only, not speaking for anybody else. I'm an SRE at Google.)
I can happily endorse the company's public statements on this subject: personal data will be deleted within the timeframes specified (for obvious technical and that's-a-bad-idea reasons, it's not instant). Part of SRE's function is to arrange for SLAs to be met, including deletion SLAs.
Yes. The only way to delete things at scale is to ship them over the network to a dedicated cluster of machines running a proprietary fork of /dev/null. Google has invested man decades into this system and holds numerous patents on the design.
What matters much more than whether Google deletes is whether some other group has access to and stores that data before Google deletes it. Almost assuredly the answer is yes. Search history is a tremendously powerful tool and insightful data point for anyone. There's no way government groups aren't using it. It takes up almost no room for storage, either.
[citation required]. Google goes to great lengths to make sure that's not the case, both technically and with legal defense against overreaching subpoenas.
> "Search history is a tremendously powerful tool and insightful data point for anyone."
Can confirm. Near the end of internships I use my browser history, and mostly the search history contained in that, to figure out what I've done so I don't forget anything in the report. It's a near perfect way to tell what I've been up to any day.
If I were representing a big, well known company with lots of money to give out in settlements, I'd be much more likely not to say anything than to bother lying.
That's not universal. When a company screws up, an individual rarely goes down for it. The impact of the crime is often absorbed by many people (or no one).
If I were in charge of a publicly traded company I most definitely wouldn't want a scandal like that lurking beneath the surface. It would absolutely leak.
I was very pleased to find that, at some point in the past, I saved myself from this situation. When I completed step 1, I was greeted by a nice blank list. I clicked over to my settings and found the following good news:
Absolutely! The saved search history is incredibly useful for shaping and filtering search results to make them more targeted and helpful. I also see more relevant adverts, and less generic ones, which makes them much less annoying. People of a certain technical mindset have a knee-jerk "Privacy! Surveillance! Evil!" response, tuned to the worst possible world type of scenario, where the rest of the Internet is populated entirely by malicious bad actors, seeking to harm users. The reality is much more nuanced: most of the rest of the Internet neither knows nor cares about you; the majority of the rest are trying to provide useful services to improve their users' lives, sometimes trying to make money by doing this; a minority are bad, either trying to steal from or scam you.
In terms of Google search, the fact it retains context is actually useful most of the time, and the edge cases where it is harmful are easily avoided by countermeasures like logging out, using DuckDuckGo, installing Tor or switching to incognito mode.
> the majority of the rest are trying to provide useful services to improve their users' lives
And if the ads or results on subjects you're interested in just happen to take a line against what you personally believe on the subject, and instead happen to tout an agenda that benefits the (right-wing/capitalist/US-centric) corporate or political interests of Google and FB and the like, is it still just about improving your life?
> The saved search history is incredibly useful for shaping and filtering search results to make them more targeted and helpful.
Google gets my approx location from my IP whether I like it or not, which is really all the targeted results I need.
What else is there? There is so little remaining of the actual web search engine that Google used to be 10-15 years ago, I only ever use it for the typical "local" queries that indeed benefit from knowing what city I'm in.
All the other stuff I need to find on the web, if I were to trust Google it might as well not exist. It used to be that any keyword-combination you could imagine that would (reasonably) appear on some website somewhere, would get you that website, some others and a bunch of spam. Google was good at sorting the spam downwards, but if you wanted, you could browse it (then about 10 years ago they limited this to max 1000 results even if they reported millions).
Today, you get nothing. You get a bunch of results that vaguely match the topic of your keywords. Your search keywords that happen to appear are bolded, but that's just a visual effect now, suggesting they tried looking for all your keywords and this was just the best they could find. Except bullshit because I remember the old web, it was smaller, but it was still incomprehensibly gigantic, and already everything was there, and Google could find it under half a second, with their old tech. (where did all the web go?)
So let's be honest, they're not really looking. It's like an annoying salesman, you enter a shop, ask for a specific thing (which they may or may not have), and the salesman tries to convince you that the thing they want to sell you is the thing you were really looking for.
This is what your "targeted" "suggestions" are doing to you. They're targeted to suggest to you that you want that something which they want to show you.
Which is, admittedly, all sorts of useful for "local" searches, which is truly the only thing I use Google "web" search for nowadays. Otherwise it's DuckDuckGo which can send me straight to the websearch that has my answer (discogs, wikipedia, various image search engines..). It's not as good as Google used to be (although back then I had my own tools for the meta searches), but it's also not worse than what Google is now.
Oh, and I didn't even touch on the part where you said that better targeted relevant ads are less annoying. The idea that ads can be "relevant" comes from the ad networks, but there's no such thing. If it was relevant it'd be a search result. If it requires payment to appear between your results, then either it is less relevant than its paid position would suggest (at the cost of another, by definition more relevant, result), or it actually is relevant and the fact that you saw it only because it was paid for means the engine is not actually doing every simple thing to show you the most relevant results, but actively hiding some. Sure this is a business model, what gets me about it is that Google one day used to be so much better than this and used that credit to build something trashy like this. If they were a new search engine nobody would give it a second look.
I don't, but frankly Google isn't in my cookie whitelist so their cookies never get stored beyond using a Google service (like YouTube or, uh, I actually don't think I use another Google service).
And YouTube is actually better when you're not logged in, because ironically the suggestions are better. Logged out you get to see the sidebar with videos related to the current video you're watching (which makes sense), logged in you get a sidebar filled with "suggestions" of shit that have nothing to do with what you're looking at, instead some vague mix of topics you watched last week.
It can even become rather offensive, IMHO.
I don't always watch videos because I agree with the uploader or audience. I can watch a racist dude rant because it fascinates me, to laugh at them, or because I wanted a reminder that such people actually exist. When the (not logged-in) sidebar with related videos then is filled with more racist trash, I'm like "fine, makes sense. related videos. okay. not clicking, but there they are".
Another time I had been watching videos on my Android phone (afaik the YouTube app doesn't let you be not logged-in) on a subject related to feminism. I don't use the app that often and I can't recall what the clips had been about (but probably nothing very umm "high brow"). So, the next week I open the YouTube app, find a whole bunch of "suggested" videos about apparently people calling radio shows and "guy tells those feminists what's what!" or "this guy's reaction puts feminist in place!" trash. If it had been "related" to a video I had just watched, I'd be like "fine, makes sense". But in this case, whatever I did was a week ago and apparently made Google believe these are my interests. Notice how that's a bit more personal? "related to current video" versus "related to this guy's interests". So I'm really offended and think "fuck you and mind your own business". If your algorithm is that stupid, maybe you just shouldn't use it and don't even for a moment pretend that your prejudiced joke of a "profile" is of me and I don't want to be associated with it. Ugh.
It could be a lot worse. A nasty malicious attack would do searches for making a bomb, joining ISIS, piloting a 747, bypassing airport security, etc. In this day and age, this is a guaranteed full body search and a registration on the no fly list next time you want to fly to see your family for Christmas.
So it doesn't actually control the google site but keeps reloading it with new search urls. This may be obvious to everybody, but it did confuse me a little.
I've heard people complain after being subscribed to that subreddit that Amazon's relevance engine becomes unusable for them (and while unsaid, I imagine they can't browse Amazon with anyone else at their computer).
I had a weird one yesterday. I went to the New York Times using private browsing and read a single article in the relationship section (something about wedding speeches) and then noticed that the next page I went to 90% of the recommended articles were engagement announcements.
I guess things are hard when you only have a single data-point to base recommendations off.
Very true. The difficult problem in this case is that it's impossible to serve anything else, even though there are various techniques out there that still identify you when using private browsing (such as canvas fingerprinting - https://securehomes.esat.kuleuven.be/~gacar/persistent/index...): even if they're using such techniques under the hood (and that study, apparently from 2014, says 5.5% of top 100k sites were using it), they can't use it for recommendations, for obvious reasons (browser vendors would get eaten alive, private browsing would be overhauled, this technique would no longer work, everyone goes home sad).
I always find it amusing when you sign up for a service, and then for the next little while, half the ads you see are for that service. "Uh... but I've already signed up..."
I think I learned in my marketing course that we (statistically) tend to look out for ads for things we have bought after the purchase.
The reason is hypothesised to be because our brain is actively seeking confirmation of previous decisions.
That said, your case most definitely was because of indiscriminate retargeting. Also I guess the effect I mentioned is more visible for bigger purchases : )
Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?
IP address: *
Time: 2016-06-10T00:07:58Z
URL: https://www.google.com/search?q=donald%20trump
It appears Google is not too happy with Donald Trump.
It also occurs if you continually tweak a single search term, for example adding more and more exclusions to try to bypass Google's 'suggestions'. I encounter it about once a month.
Yeah, I get it a couple of times a week when I try to search for old technical stuff, where google constantly reformulates my search and includes what it thinks are synonyms.
Nowadays verbatim mode may be synonymous with quotes, but it wasn't always. Google totally nuked its verbatim search... just try searching for some command line option flag, e.g. "vagrant --debug" or something even more esoteric and watch it fail.
Yeah. I suspect that in this particular example it's getting confused by the dashes, which it interprets as an ignore flag. Very silly...
I've actually found that other search engines are actually better at technical searches than Google is nowadays: once, I was trying to search for Ketmax, a disassembler for DOS that could step both forward and backward in code. It was neat. But I couldn't find it.
No, Google, I don't want drugs; I don't want bikes; and I'm not Vietnamese (?!).
Trying a bunch of alternate search engines in rapid succession, ixquick quickly found a bunch of old FTP server index references: I forgot the "35.zip" on the end, and, in fact, just appending "35" was enough for Google to find it. (I'm not writing the concatenated string here so that I don't alter Google's index of the word.)
The Internet has gotten so big in recent years, and become completely overrun with useless information in triplicate; I can't help but wonder if it's forced Google search to take a more generalized approach to the way they sort and index information, with some loss of precision, in order to deal with the volume of fluff.
I was playing around with syllables a few months ago and discovered that the word "exikyut" appeared to be completely unindexed (except for a couple of junk "letter combination" sites), so I used it to make a few accounts. Then Google suddenly turned up a tweet from 2011 where someone had used my "new" username in conversation years prior. That was weird, being told it didn't exist then being told it did...
So yeah, Google's index is very imprecise. Great at sending you to StackOverflow for 1st year JavaScript questions, but nothing like Code Search used to be.
I know it's Google's way of preventing robotic searches but still, I wouldn't be shocked if in the future it's discovered that google was anti-trump in a way.
TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with Firefox and Chrome browsers and popular search engines (AOL, Yahoo!, Google, and Bing) and requires no 3rd-party servers or services.
If you are indeed Mexican, the subjunctive shouldn’t apply anymore, as there is no doubt/speculation/hope involved. (Caveat: Non-native and also a bit rusty)
"fueras/fueses" would be the right verb form, but that would be equivalent to "How to vote for Trump if you WERE Mexican" as opposed to "How to vote for Trump if you ARE Mexican".
Vote buying and selling is election fraud per 18 U.S. Code § 597 [1]. In fact, it's not even legal to make the offer, in either direction:
"Whoever makes or offers to make an expenditure to any person, either to vote or withhold his vote, or to vote for or against any candidate; and
Whoever solicits, accepts, or receives any such expenditure in consideration of his vote or the withholding of his vote—
Shall be fined under this title or imprisoned not more than one year, or both; and if the violation was willful, shall be fined under this title or imprisoned not more than two years, or both."
They should have left out the gay stuff. Might have potential to stir up a heterosexual relationship, but makes it look like it's a bad thing on its own.
Well the queries to google use https, so ISPs and government monitors shouldn't be able to see the queries. If you have malware on your computer, or if Google is giving your search history out to despot countries (I don't think they are), you might be worried.
Google doesn't do certificate pinning with HPKP. So nothing stopping a despot country from using certs signed by a valid CA. And of course there are compromised CA's. The US is just smart enough not to do this for mass collection, otherwise they'll get caught.
It seems that Google does public key pinning, but possibly only through preloaded lists in browsers such as Chrome and Firefox. This blog post mentions them catching a bogus google.com cert from a trusted root
Interesting. A search in chrome://net-internals/#hsts for Google does indeed show the public key pinning. I guess they do own Chrome and could get their public key hashes baked into other browsers too.
From the title, I guessed this would be some attempt to spoil or camouflage the profile that google keeps on each user, thus decreasing the value of profiles, thus fighting back.
While I expected the attempt to be flawed, according to mmastrac's analysis, this is a joke. (And a pretty 'meh' one, at that!)
You bet they do! In the past I have had to manually install my company's certificates as a root CA. The annoying thing was that the certs they use are expired and use SHA-1, so I also had to explicitly tell my browser to trust expired/unsafe certificates as well. All in the name of increased security!
I would quit a job like that, unless there were seriously profound reasons for such a grotesque invasion.
1. There are proper ways to restrict activity without resorting to eavesdropping.
2. If they don't trust you enough to be responsible and use good judgement, you're probably stuck in a dead-end situation anyway.
3. In the more rare scenarios, where you might be operating life-saving or life-threatening equipment, or handling the salaries of many people, and dealing with monetary quantities in the many millions of dollars, guess what? You probably shouldn't be using an ordinary computer, with a web browser connected to the internet to perform those sorts of tasks, within the same operating system environment as ordinary web surfing to begin with.
Some companies in highly regulated industries intercept, and inspect all traffic purely because it's easier. Though if this raised a flag, and you showed them what link you clicked, any sane IT department would laugh and start sending the link to their friends.
I'm no security expert, but I was under the impression that HSTS pinning would make that hard to do, especially on sites like google.com.
And I can't quite parse your sentence to know if you're implying that all companies do... (or just that I shouldn't be so naive as to assume none are), but I can see the cert chain for google.com in my browser at ${big_company} and it doesn't seem like I'm being MITM'd.
You have conflated two technologies - Strict Transport Security, which is a header that tells the browser to stick to TLS connections only. If your admin has deployed a CA that your browser trusts and uses a cert from that CA to MITM your traffic, they will have no problems doing so ;)
Certificate pinning, on the other hand, allows a client to refuse to connect to a TLS service that fails to present the correct certificate. This is generally a win, however it still doesn't give you what you want.
Firefox and Chromium (including Chrome) browsers will only validate certificate pins if the presented certificate is a public trust anchor (in other words, the certificates deployed by the operating system). If the certificate chains to a private trust anchor (a certificate installed by your admin), Firefox and Chromium based browsers will smile, wink, and play along.
So, yes, in theory these technologies could protect you, but the vendors that implemented Public Key Pinning opted to support the enterprise use case instead of protecting users.
It relies on HTTPS, which relies on certificates telling the browser that the website is what it claims to be, which relies on a list of trusted root CA certificates installed on your computer, which the company controls. Most companies will install a trusted root CA cert that is themselves onto employee computers (otherwise you'll get SSL errors when accessing internal HTTPS pages since they're not signed with those public root CAs).
My understanding is that, yes, this would be caught by pinning, which is why Chromium disables pinning for "private" root certificates, which is what it considers the ones that your employer has set up on your computer: http://www.chromium.org/Home/chromium-security/security-faq#...
Okay? I'm very familiar with that principle, but I don't understand how to take that statement and apply it to the situation at hand. No one has ever operated this computer except me (though I did enroll the corp wifi certs).
So again, how could I be MITM'd without being aware of it, given HSTS?
Yes, someone could have snuck in a hacked copy of Chrome Canary that exposes phony cert chain information... but that's not what we were talking about, and I don't think most IT departments have the sophistication required to pull that off.
(Note: MITM is just one way companies monitor employees, but by no means the only way. If your company provided your work computer to you, or if they installed anything on your BYOD computer, I would treat everything you do on that computer as cc'ed to your boss by default.)
I mean, that's how I MITM SSL traffic on a daily basis to do development.
None of that speaks to HSTS/Pinning... which is the feature meant to protect against this sort of thing. I'm specifically asking about how a company can bypass HSTS/Pinning without modifying my local browser.
Everything I'm reading indicates that's not possible.
>Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.
That last sentence is key. From Wikipedia: some browsers "disable pinning for certificate chains with private root certificates to enable various corporate content inspection scanners and web debugging tools. The RFC 7469 standard also recommends disabling pinning violation reports for such certificate chains."
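The pin-validation behaviour described in the comments above (pins enforced only for chains ending at a built-in trust anchor, skipped for a locally installed root), as an added example that is not part of the thread or any browser's code. It is a simplified model: the `Cert` type, the `evaluate` function, the host name `search.example` and all keys are constructed for illustration, and signature and host-name checks are left out.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert):
    """RFC 7469 style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def evaluate(host, chain, builtin_roots, user_roots, pins):
    """Return (decision, reason) for a presented chain, leaf first.

    Models the policy quoted in the thread: pins are enforced only when
    the chain terminates at a built-in anchor. Chain linkage is checked
    by name only (assumption: no real signature verification here).
    """
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return ("reject", "broken chain")
    root_pin = spki_pin(chain[-1])
    if root_pin in {spki_pin(c) for c in builtin_roots}:
        anchor = "builtin"
    elif root_pin in {spki_pin(c) for c in user_roots}:
        anchor = "user"
    else:
        return ("reject", "untrusted root")
    host_pins = pins.get(host)
    if not host_pins:
        return ("accept", anchor + " anchor, no pins for host")
    if anchor == "user":
        # The case the thread is about: interception by an installed root
        # passes, and the only visible sign is the root in the chain.
        return ("accept", "user-installed anchor, pin check skipped")
    if any(spki_pin(c) in host_pins for c in chain):
        return ("accept", "builtin anchor, pin matched")
    return ("reject", "pin violation")


# Constructed sample data (no real certificates or keys).
PUBLIC_ROOT = Cert("Example Public Root", "Example Public Root", b"public-root-key")
OTHER_ROOT = Cert("Other Public Root", "Other Public Root", b"other-root-key")
CORP_ROOT = Cert("Corp Inspection Root", "Corp Inspection Root", b"corp-root-key")
SITE_CA = Cert("Site Intermediate", "Example Public Root", b"site-ca-key")

HOST = "search.example"
GENUINE = [Cert(HOST, "Site Intermediate", b"site-leaf-key"), SITE_CA, PUBLIC_ROOT]
MISISSUED = [Cert(HOST, "Other Public Root", b"unexpected-key"), OTHER_ROOT]
INTERCEPTED = [Cert(HOST, "Corp Inspection Root", b"proxy-key"), CORP_ROOT]

BUILTIN = [PUBLIC_ROOT, OTHER_ROOT]
PINS = {HOST: {spki_pin(SITE_CA)}}  # preloaded pin on the site's intermediate


def run_cases():
    """Evaluate the chains with and without the corporate root installed."""
    return {
        "genuine": evaluate(HOST, GENUINE, BUILTIN, [CORP_ROOT], PINS),
        "misissued": evaluate(HOST, MISISSUED, BUILTIN, [CORP_ROOT], PINS),
        "intercepted": evaluate(HOST, INTERCEPTED, BUILTIN, [CORP_ROOT], PINS),
        "intercepted_no_corp_root": evaluate(HOST, INTERCEPTED, BUILTIN, [], PINS),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_cases().items():
        print(f"{name:26s} {decision:7s} {reason}")
```

The practical check for someone at a managed workplace is the one the "user" branch exposes: look at which root the presented chain ends in, and whether that root ships with the browser or OS or was added locally.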
If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store. IE and Chrome check that for CAs, Firefox will soon (https://bugzilla.mozilla.org/show_bug.cgi?id=1265113)
(all this for Windows, I believe the same is true for OS X, Linux depends on your specific setup)
> If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store.
Internet Properties -> Content -> Certificates -> Advanced
Recently did an on-site pentest at a place that does this (a municipality in the Netherlands). First thing I did was go to https://torproject.org but of course that was blocked. Eventually I found a third party site that offered old versions and via an obfs proxy and bridge node I could get on the Internet uncensored (lots of sites were blocked).
So yup this happens. Is it effective though? No, this took me 15 minutes and I wasn't even an employee with months if not years of time on their hands.
Which is still not normally visible to an outsider in an HTTPS request... (other than the cases we're discussing in the sub-thread where the company has installed a root CA and is seeing all of the traffic anyway).
Maybe I am wrong, but doesn't google encrypt at source (especially if you are logged in, using ssl enabled, or have some security features enabled)? This should go through as regular search then.