Intel, Online Gambling, and Your (Lack Of) Privacy: ieSnare
Friday, October 03, 2008   

People, for better or worse, have always been a little touchy about unique identifiers. Social security numbers. Barcodes. RFID. GUIDs. In this day and age of massive registration databases, of drive-by identity theft, a number can be a very powerful thing.

You may remember the sound and fury over the Pentium III processor's embedded serial number, a feature which could have been used (potentially) to track a user's computer without the user's knowledge or consent. This was back in 1999—ancient history—but it was taken quite seriously at the time. In the United States, the Federal Trade Commission was asked, repeatedly, to investigate the technology as an unfair and deceptive trade practice. Meanwhile, across the Atlantic, an advisory group to the European Parliament came very close to recommending a complete European ban of the chip.

The Pentium III processor

Intel was and is one of the premier technology companies in the world. And yet the message was clear, on both sides of the Atlantic: stay the f--k out of our lives. Intel was forced to first disable, and then discontinue entirely, the tracking feature. And you know what? In hindsight, the privacy concerns were probably exaggerated. Computer hardware is and has always been full of unique or semi-unique markers. That's how most licensing and registration software works, after all: by taking a look at a couple of pieces of hardware and cobbling together a unique key.

Fast forward, ten years later.

Today I'd like to talk to you about an electronic privacy issue which is a hundred times more serious than the Pentium III, and a hundred times less publicized. This technology, which exists today, and which quite possibly is working its deceptive magic on your computer even as you read this, is exactly what the world was worried about when the Pentium III was introduced. Back then, the privacy concerns were unfounded.

Today, not so much. Read on.

Imagine, if you will, that your computer has been branded with a unique identifier, very similar to the one introduced with the Pentium III. Only this unique identifier isn't associated with a particular piece of hardware; it's associated with your entire machine—the one you're using to read this, and who knows, maybe the one your kid uses. You can change your CPU; doesn't matter. Reformat your hard drive; doesn't matter. The identifier persists.

And this is where it gets scary.

Let's imagine that this "computer barcode" was distributed across the Internet without your knowledge or consent, linked into a massive online database containing some 60,000,000 unique device identifiers, each one representing a personal computer somewhere in the world: yours, mine, your next door neighbor's, your cousin's in Tuscaloosa, your uncle's in Paris. And let's assume that this database was billed as "fraud prevention" technology, but that it was maintained by a private company selling their services—access to this database—for cold, hard cash. With zero oversight. Zero regulation. Zero anything.

Would it bother you?

Because, ladies and gentlemen, this technology already exists.

Exactly as described above.

And it's far more common than you think.

And if you're reading this article, there's a better than average chance that you've already been infected with it (and "infected," believe me, is the word).

Welcome to the wonderful world of ieSnare.

Sporting a name that smacks of destructive Internet script kiddie hubris, and backed by the resources of a dedicated company by the name of iovation, ieSnare is quietly one of the nastiest, most underhanded pieces of spyware/malware this author has encountered, in a long history of spyware-induced pain and anguish. It is quite simply a worldwide, online, profit-driven computer blacklist capable of uniquely identifying your machine (once submitted to the database) whenever you visit any site, or use any product, protected by the ieSnare system. In iovation's own words:

iovation ReputationManager utilizes proprietary methods to uniquely identify devices connected to the Internet, creating unique identification for them that remain constant across all subscribing online businesses. For example, a PC device connecting to one online gaming or e-commerce site protected by iovation ReputationManager is assigned a device identifier by the same method used to identify PCs connecting to other e-commerce sites/networks protected by the system. 

Hello, Big Brother.

Tellingly, there is no publicly available listing of companies who employ ieSnare technology, although you can find various mentions and references on Google. I found out about ieSnare because I noticed that the Full Tilt, Ultimate Bet, and Bodog online poker clients were opening a curious file on my local hard drive:

Caught red handed?

STM.SOL is what's known as a Flash local shared object—which is basically a Flash "cookie". And unless you're a web developer, I'll bet you had no idea that there was even such a thing as a Flash cookie, or that Flash cookies are immune to typical "delete cookie" commands in your web browser. What's more, ieSnare sneaks under the radar of most antispy software because Flash cookies are either ignored, or viewed as low-risk items.

Like most successful spyware, ieSnare capitalizes on user ignorance. Whether or not ieSnare is an acceptable way to prevent fraud and/or increase operational efficiency is a discussion we can have once companies stop trying to slip this technology in through the electronic back door.

And by the way: guess who provides at least some of the funding for iovation?

Anybody?

The selfsame company which brought you the Pentium III and the unique identifier that caused such a stir ten years ago: Intel.

What a coincidence. The more things change, it would seem, the more they stay the same.


Posted by James Devlin   28 comment(s)

COMMENTS

i have it. did a search for "iesnare.mpsnare" on my machine and found it in my flash folder. this really, really, REALLY PISSES ME OFF.

Anonymous on 10/3/2008 4:08:26 AM (48 days ago)

make that "mpsnare.iesnare"...

Anonymous on 10/3/2008 4:10:05 AM (48 days ago)

Well, when it comes to online poker, you get what you pay for... still. The online gambling sites will get theirs, courtesy of the world financial collapse... wait and see

Ed K. on 10/3/2008 5:50:13 AM (48 days ago)

James, I really enjoy your articles.

Thank you ;)

Albert on 10/3/2008 6:12:29 AM (48 days ago)

Well, I don't have it - mind you I *did* turn off the IE plugin that Carbon Poker installed on me - even though I always use Firefox - thanks to your mentioning it.

Terry Smith on 10/3/2008 6:51:52 AM (48 days ago)

I'd heard of ieSnare before but I didn't know it was being used by the poker companies. Seems like an awfully risky ploy for them; bad risk to reward ratio. If the technology were any damn good it would've prevented the UB/AP super-user scandals which it didn't. So it's basically a way for people to get pissed off at the sites which are in hot enough water as it is.

- an anonymous poker botter on 10/3/2008 7:35:55 AM (48 days ago)

James,

you may or may not know the role that ieSnare and iovation have played in the AbsolutePoker/UltimateBet scandals. there has been a ton of "research" done on the company, its founders (particularly Greg Pierson), and the product.

of course, Two Plus Two forums has a few threads on it, but signal/noise ratio is pretty high. still a lot of useful info in those threads.

interestingly, when researching iovation for the AP/UB scandal, we came across .sol files. i haven't checked on the effectiveness of this tool vs say Full Tilt's use of ieSnare, but here was a suggested tool to use on .sol files: http://objection.mozdev.org/ my guess is that this browser-based .sol tool might not be effective against thick-client apps such as poker software.

feel free to contact me if you have any questions; there are some significant theories on Pierson/iovation and their role in the scandals.

thanks!

bcd on 10/3/2008 9:29:11 AM (48 days ago)

This article does not provide enough detail, and sounds very FUDsy to me. How does this software survive a harddrive reformat? I guess it could re-infect you, recognize your hardware and identify you that way, but only if you don't have an OEM machine. There are a lot of spyware companies out there building databases. How is this one any different?

That doesn't give this software any excuse to exist since it's breaking a law in my book. Unauthorized software installation should be against the US law, but it's not for obvious reasons. (money) Still this article is a bit overblown IMO.

Sean on 10/3/2008 1:13:08 PM (48 days ago)

Sean, the patent application describing the technology is here:
www.google.com/patents

Looks like it gathers your hardware/software configuration (called a "fingerprint"), stores that in their central database server and in a flash cookie on your machine, and associates it with a screen name (like a poker login). If you reformat your hard drive, the central server just re-stores the cookie the next time you log in to the poker site with that screen name. The method also allows for some minor changes in your system configuration, like swapping out a network card, and simply associates your screen name with your latest information the next time you log in.

Unless they've figured out otherwise, the only way to create a new fingerprint and perhaps become anonymous again would be to drastically swap out your software and hardware and reformat your drive, or maybe at least swap out some undetermined critical component(s) (the patent suggests that getting a new CPU serial number would be a critical change). I'm sure the ACTUAL method you would use to avoid simply being re-associated with your new system configuration is tightly held at iovation. Even then, your fresh system would be flagged because its fingerprint doesn't match what was previously associated with your login.

The non-anonymity privacy concerns aside, I think an even bigger issue is that iovation's goal is to share your digital fingerprint among all its clients. That way if one website flags your account for fraud (rightly or wrongly), iovation alerts other client sites with whom you have accounts. Even assuming nothing insidious comes of that (not a fair assumption), the potential for unregulated abuse is huge. Think of iovation like a credit agency that collects your digital credit score information. We already know what happens if bad information gets in there (like when your credit card or identity is stolen) and how difficult it is to fix it. See http://www.iovation.com/images/pdf/dra_wp.pdf

David on 10/3/2008 3:27:27 PM (48 days ago)

Sean I def understand your frustration here and there is an element of FUD but the fact is NOBODY has talked about this. It's been in a few forum posts and that's it. I had no idea about this and I just checked (i play at full tilt) and i've got it so, thanks to the author for that. I'm kind of pissed.

Second, David thanks for the extremely informative comment...James you should roll that info into an addendum.

Pince-nez on 10/3/2008 4:26:00 PM (48 days ago)

Fear, Uncertainty, Doubt? you must be kidding me, or rather yourself.

A computer/you can be identified by its network cards MAC address, harddrive serialnumbers, bluetooth MAC address, serialnumber on the BIOS chip, VGA card, and a shitload of other components with a unique identifier stored in a ROM chip. All of which is readable by software. And even if you replaced every piece of uniquely identifying hardware, your windows license, or any other unique software license could still potentially identify you.

- There is no paranoid, it is true.

Nyx on 10/3/2008 5:41:43 PM (48 days ago)

Seems to me that your best/easiest solution would be go to another site for your gambling. I'm sure there are more trustworthy sites out there. Apparently there are scanners that will catch this bug.

In the future it is only going to become more and more difficult to maintain anonymity. Data mining is only going to become more pervasive and ultimately cheap or free. Even passing laws against building these types of databases will only push it deeper into the black market.

But another solution for your individual problem if you want to continue using this site is to run your client on a virtual system. If everyone is running the same virtual hardware then their identification tactic becomes useless. Adobe Flash is a virtual environment. I think playing flash poker would be more secure.

Anonymity and Internet security in general could be improved greatly with more virtualization technology and having it adapted to the user level, but this has its own positives and negatives, and does not prevent datamining and the data-market on the server side.

Sean on 10/3/2008 5:55:58 PM (48 days ago)

Thanks for the information. I will certainly be running Full Tilt inside a virtual machine from now on. Not that it will probably help much, but I know the VM masks things like MAC address and so forth, which from what I gather is what ieSnare uses to establish the unique ID for the machine.

By the way, interesting that PokerStars does NOT use ieSnare. I'll probably switch based on this alone.

Anonymous on 10/3/2008 7:51:41 PM (48 days ago)

You keep on publishing this crap, trying to make online poker look bad.....the sites are well within their goddamned rights to put the spyware on your machine and every other player who reads your shitty site... they should add Coding the Wheel to the list of forbiden software on poker stars then i doubt you'd be laughing mr. programmer man who never played a hand of real poker in his life.. only if they did that you'd probably be happy because you obviously are just a disengruntled player who probably lost your mommy's $100 and got pissed about it and started a blog good for you. if i ever see you at the tables we're gonna step outside and see how brave you are then... no wonder links to this blog are deleted on 2+2 on site

Whatefer on 10/3/2008 9:57:00 PM (48 days ago)

@Whatefer

I'm sure you don't realize that you're the one who sounds like an idiot. Online poker sites have a right to install spyware? Are you freaking nuts? And by the way, Coding the Wheel is a blog, not a piece of software, so it's kinda hard to add it to the "forbiden list on poker stars". You sound like the one who's disgruntled, been losing at the tables and figured you were playing James' bot? :P

Ehsanul on 10/4/2008 1:58:48 AM (47 days ago)

Reading about this almost makes me hope the current crop of poker sites fail, so we can replace them with people and companies who actually have a clue about how to run an international gaming enterprise. It doesn't stop with this ieSnare crap. I have played online poker for almost ten years and they've always engaged in this kind of invasive bullshit. And they think they can get away with it.

Gilbert Royes on 10/4/2008 5:21:48 PM (47 days ago)

Anybody know of a good list of programs/sites which use ieSnare?

Anonymous on 10/4/2008 7:19:30 PM (47 days ago)

I thought I kept my PC pretty clean. I did a search for mpsnare.iesnare and found nothing.

I was reading the blogs when I clicked on the link that "bcd" (on 10/3/2008 9:29:11 AM, 1 day ago) gave us - http://objection.mozdev.org/.

I followed the link www.adobe.com/products/flashplayer/articles/lso/ and was amazed to find mpsnare.iesnare and three others including one from a professional organization to which I belong.

Thanks guys – I knew there was some reason I keep reading this blog.

James

James on 10/4/2008 8:11:48 PM (47 days ago)

Adobe has provided a mechanism by which one can prevent their machine from being tracked in this fashion: the Flash Player Settings Manager.

www.macromedia.com/.../settings_manager.html

The Flash app on this page controls the global and per-site permissions for the storage of Shared Objects (i.e. the tracking cookies described above), access to your Microphone and Webcam, and more. The instructions provided for each "tab" are fairly straightforward and comprehensive but, to solve this particular issue:

1. Go to www.macromedia.com/.../settings_manager03.html
2. Drag the slider on this panel down to "None".
3. You will now be prompted whenever a site wants to store Flash data. You can allow or deny that site, and optionally choose to never be asked again.
4. Go to www.macromedia.com/.../settings_manager07.html
5. If you want to eliminate ieSnare tracking only, select "mpsnare.iesnare.com" in the list and click "Delete website".
6. If you want to delete ALL Shared Objects from your system, click "Delete all sites". Note that plenty of Flash games and LEGITIMATE APPS store their save game progress or settings here, so you may be wiping out more than you intended.

As far as I'm aware, these settings govern both Flash content accessed in your browser AND Flash content embedded in desktop apps like the poker clients. It's fantastic to have this degree of granular control over the data stored on your machine by Flash Player. Unfortunately, Adobe has done a piss-poor job of exposing its existence to the end user.

Danelope on 10/5/2008 2:24:35 AM (46 days ago)
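
An on-disk audit for the Flash shared objects described in the article and in the Settings Manager steps above, as an added example that is not part of the original post or its comments: it lists every `.sol` file by storing domain and flags the `mpsnare.iesnare.com` domain named on this page. The directory locations are the usual per-user Flash Player paths; the function names and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

WATCH = ("iesnare.com",)  # domain named on this page; extend as needed


def default_roots():
    """Usual per-user Flash Player data directories that exist on this machine."""
    home = Path.home()
    roots = [
        home / "Library/Preferences/Macromedia/Flash Player",  # macOS
        home / ".macromedia/Flash_Player",                      # Linux
    ]
    if os.environ.get("APPDATA"):                               # Windows
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player")
    return [r for r in roots if r.is_dir()]


def scan(root):
    """Map domain -> .sol paths; layout is #SharedObjects/<sandbox id>/<domain>/..."""
    found = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".sol":
            continue
        parts = path.parts
        if "#SharedObjects" not in parts:
            continue
        i = parts.index("#SharedObjects")
        if len(parts) - i < 4:  # need sandbox id, domain and a file name
            continue
        found[parts[i + 2].lower()].append(path)
    return {d: sorted(p) for d, p in found.items()}


def watched(domain, watch=WATCH):
    """True if domain is a watched domain or a subdomain of one."""
    return any(domain == w or domain.endswith("." + w) for w in watch)


def report(root):
    """Rows of (domain, file_count, total_bytes, flagged), flagged rows first."""
    rows = [(d, len(ps), sum(p.stat().st_size for p in ps), watched(d))
            for d, ps in scan(root).items()]
    return sorted(rows, key=lambda r: (not r[3], r[0]))


def build_demo_tree(base):
    """Constructed sample tree (not real data) mirroring the on-disk layout."""
    so = Path(base) / "#SharedObjects" / "AB12CD34"
    samples = {
        so / "mpsnare.iesnare.com" / "STM.SOL": b"\x00" * 120,
        so / "games.example.org" / "puzzle" / "save.sol": b"\x00" * 40,
        so / "notiesnare.com" / "prefs.sol": b"\x00" * 8,
        so / "games.example.org" / "readme.txt": b"ignored",
    }
    for path, data in samples.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(a) for a in sys.argv[1:]] or default_roots()
        if not roots:  # nothing to scan: fall back to the constructed sample
            roots = [build_demo_tree(tmp)]
        for root in roots:
            print(f"== {root}")
            for domain, count, size, flagged in report(root):
                mark = "WATCH" if flagged else "     "
                print(f"{mark} {domain:<28} {count:>3} file(s) {size:>7} bytes")
```

The script only reads; removal is left to the Settings Manager steps above, since legitimate Flash apps keep their saved data in the same tree.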

Whatefer is awesome! He's either a cunningly hilarious troll, or a hilariously unsocialized douche. I feel like deconstructing this!

I mean, honestly, he calls the site author a coward and threatens to fight him...on the Internet...without using his real name. Just threatening to fight somebody would be enough, but the irony is platinum.

He actually typed "mr. programmer man".

Poker websites have special goddamned rights to spy on people.

And the site author is supposed to stop laughing and become morose at the thought of this website joining the list of forbiden [sic] software, which is especially great because whatefer certainly doesn't have the power to carry out this threat.

Man, there's so much more, but it all comes back to that last line where he basically says "I'm gonna' beat you up ifn' I ever sees ya'!" That's fantastic! Good show.

For the record, if I ever see you, whatefer, I'm not going to punch you in the face. Not because you don't deserve it, but because I'm just not that criminally assholish.

Ens on 10/5/2008 7:50:45 AM (46 days ago)

Agree with Ens. Also agree that the post should contain more actual information about the inner workings of ieSnare. And I'd really like to see a list of applications which use it, does anybody know of such a list?

Armand on 10/5/2008 11:47:00 PM (45 days ago)

Awesome article. I keep myself really pretty protected these days.

Poker Forums on 10/6/2008 11:58:22 AM (45 days ago)

While I can understand your concern about "Big Brother" tracking, don't most of these systems exist to prevent ID theft and fraud? I'm not a proponent of implanting a tracking chip in newborns or anything, but it's pretty easy for perpetrators of fraud to cheat online gaming sites and the like.

It seems like there are bigger issues concerning our privacy these days than pointing the finger at companies that voluntarily choose to use such anti-fraud services. Do you bitch about the security cameras when you go into 7-Eleven?

Anonymous on 10/13/2008 12:15:58 PM (38 days ago)

I don't much like that companies are doing hidden monitoring like this and storing hidden info on our personal PCs to accomplish it. And I don't like that the default "apparently" is that any company can store practically anything... practically anywhere on our PCs... without our knowledge.

BUT... I do understand that at least some of it is for "fairly" legitimate reasons. Poker sites like Full Tilt enforce a policy that individuals are only allowed to have one screen-name account. This is primarily enforced as an attempt to prevent collusion... or at least minimize it. I can imagine what some underhanded players might attempt to get away with, in the way of collusion... if they could play several different accounts at the same time. Botting collusion rings wouldn't exist... because every individual could be his own collusion ring.

So poker sites have to enforce policies like that. And they do that by identifying individuals through their account information... and through the computer they use. I expect that FullTilt pays iesnare for the service of being able to detect individual PCs in this way. I may not like that it can be (and is being) done... but I at least understand some of the reasons of "why" it is done.

In fact... every company that offers a trial version of their software needs to be able to tell when you originally downloaded their software app. And they need to be able to do this even if you delete the software app and then re-download it. So I expect that many companies either use the type of service that iesnare provides... or they emulate it in some way. I myself sell something on the internet and require something like this for my business (not here to advertise).

All that said... I will still attempt to minimize this type of monitoring on my PCs. And I thank James Devlin for bringing this specific one to my/our attention.

dmonpoker on 10/15/2008 8:20:30 PM (36 days ago)

I recently had my account frozen by PokerStars. They said in the email they knew I was using code from CodingTheWheel and although they know you have not posted a working bot with poker logic, use of your code was against their policy. They unlocked my account when I wrote back an email stating something like, 'I acknowledge that the use of bots is against your rules'.
I compiled some of your code and used it a very short period of time, just to see if it worked. I used it on a real money table.
One thing, I forgot to disable the Pokerstars IE add-in.
Any idea how they found out?

JJ on 10/25/2008 7:27:12 PM (26 days ago)

The financial crisis will help the online gaming industry because more people will decide to start gambling from home.. and save gas, hotel fees and enjoy lower limits, less noise, smoke, etc.

online casinos on 10/27/2008 3:11:49 AM (24 days ago)

Intel provided 10 million in funding to iovation, with another 5 million from SAP Ventures. The background of the company is very shady, with their connections to online gambling and the fact that top poker players were early stage investors and are seen around their offices. Their customers include gambling sites, dating sites, financial sites including banks. But, if you research it, you will find that it is quite easy to work around. So someone who commits fraud etc will be able to work around this quite easily, whereas the average user will be tracked without their consent. iovation claims they do not log any "personal information" however their customers can tie that information to personal information. There have also been recent cases where an IP address is considered personal information, it will be interesting to see the first lawsuit regarding iovation. I have a feeling that all of the money they received from Intel will go to legal bills.

Anonymous on 11/2/2008 11:40:15 PM (17 days ago)

Hi,
I find it amazing that 2+2 don't allow links to this site. Frankly, sites like 2+2 piss me off. They give the impression that they are there to inform whilst in reality are supporting fully the questionable activities of the casinos.
As for Watever's comments (!!), well, in the immortal words of some cynical twat from history, "There IS one born every minute".
Watever not only likes being ripped off/conditioned/controlled/usurped/brainwashed (the list is endless) by big brother, he is also willing to defend his own humiliation by fighting those who attempt to liberate him from his insignificance and deference.

Jim on 11/13/2008 6:35:51 AM (7 days ago)
