ironbull
Active Member
It's an open source C program that I will not reveal the name of.
However, I've gone a step further. I paid a Linux kernel developer to have the code converted from a userspace program to a kernel patch. Whereas the userspace daemon needed on average around 30ms to identify spy tool nodes, it can now do it in under 7ms. I keep the unique fingerprint details of the nodes in a database and also drop them on the fly with iptables/ip6tables.
Most of these nodes are on Amazon EC2 instances, which wouldn't be a problem if they didn't stick out like a sore thumb where the spoofed browser user agent doesn't match the TCP stack.
Example:
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/13.
Detected OS TCP Stack: Linux 4.4.X kernel
-----
Here's a lazy solution for the spy tools that reside on Amazon instances. Take the IP address ranges found here and drop them with iptables.
Is there a way to check the OS TCP Stack via JavaScript?
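As an added example (not the poster's program or kernel patch), here is the user-agent vs. TCP-stack correlation the post describes, in Python, run over constructed sample observations; the fingerprinter output strings, the OS-family tables and the per-host iptables rule rendering are assumptions, and no real p0f output format is reproduced.

```python
import re
# Constructed sample data (not real traffic): client IP, HTTP User-Agent, and the
# OS guess a passive TCP fingerprinter such as p0f would report for that client's SYN.
OBSERVATIONS = [
    ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/13.", "Linux 4.4.X kernel"),
    ("203.0.113.11", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36", "Windows NT kernel"),
    ("203.0.113.12", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15", "Mac OS X"),
    ("203.0.113.13", "curl/7.68.0", "Linux 5.X kernel"),
]

# OS family the User-Agent claims. Order matters: iOS strings contain "like Mac OS X"
# and Android strings contain "Linux", so the more specific tokens are tested first.
_UA_FAMILY = [
    (re.compile(r"Windows NT|Windows Phone|Win64|Win32"), "windows"),
    (re.compile(r"iPhone|iPad|iPod|Mac OS X|Macintosh"), "apple"),
    (re.compile(r"Android|Linux|X11"), "linux"),
    (re.compile(r"FreeBSD|OpenBSD|NetBSD"), "bsd"),
]

# OS family the TCP-stack fingerprint reports. macOS/iOS share a stack lineage, as do
# Android/desktop Linux, so comparison is done at family granularity to avoid false alarms.
_STACK_FAMILY = [
    (re.compile(r"windows", re.I), "windows"),
    (re.compile(r"mac os|darwin|\bios\b", re.I), "apple"),
    (re.compile(r"linux|android", re.I), "linux"),
    (re.compile(r"bsd", re.I), "bsd"),
]

def _family(text, table):
    for pattern, family in table:
        if pattern.search(text):
            return family
    return None

def classify(user_agent, stack_os):
    """Return 'mismatch', 'match' or 'unknown' for one client observation."""
    claimed = _family(user_agent, _UA_FAMILY)
    observed = _family(stack_os, _STACK_FAMILY)
    if claimed is None or observed is None:
        return "unknown"  # e.g. curl makes no OS claim, so there is nothing to contradict
    return "match" if claimed == observed else "mismatch"

def find_mismatches(observations):
    """IPs whose User-Agent OS contradicts the TCP stack their SYN came from."""
    return [ip for ip, ua, stack in observations if classify(ua, stack) == "mismatch"]

def iptables_drop_rules(ips):
    """Render (not execute) the per-host DROP rules the post applies to flagged nodes."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

A mismatch is a signal, not proof: shared NAT, VPN exits and TCP-terminating proxies also make the observed stack differ from the browser's OS, so the flagged list should be reviewed before rules are applied.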