If you read through the paper this looks like a total nothingburger. They get the training data for the neural network they use for activity classification from the target system. Unless you give advertisers labeled activity data from your system, the attack will not be possible as demonstrated.
Another reason to be aggressively blocking attempts to run JavaScript from marketing (and other non-critical) domains.
Is there a way to automate it?
I use noscript https://en.wikipedia.org/wiki/NoScript
It starts with a default position of blocking everything (which breaks a lot of sites) but as you use the internet you just tell it to trust the domains that you need and permablock those you don't. After a few weeks, you find your regular sites are taken care of.
googletagmanager and fascistbook are obvious blocks on most sites. Same for trust pilot and the like.
It can get more complicated when you try to buy something as that does legitimately require scripts from other services like stripe, worldpay etc. Or from shopify and the like.
You always have the option of temporarily allowing the page to do what it wants if you just find the pagelist too overwhelming but it is worth just experimenting and reloading the page till you figure out what is necessary and what is not. Set once, and it's done.
Another option is to have a second browser not running noscript, that deletes all data on exit, and use that for purchasing. I use Librewolf when I want to do that and minimise fingerprinting and tracking.
Bonus fact: most news sites with paywalls run those paywalls with JavaScript. No script, no paywall. 😂
Letting those marketing fuckwits on the internet was a mistake ...
In principle, yes.
But the problem here is that they aren't fuckwits. They're too clever for our own good.
Is there any way to exploit what they are doing to feed them a bunch of shit data to waste their time and effort? Would it even be worth any effort? I’m asking sincerely cos I have a lot of time on my hands wink wink nudge nudge
Nobody that we know of is doing this to any computers but their own. This is researchers demonstrating a possible side-channel attack, but there's no sign anyone is doing this in the wild. What the researchers demonstrated also has some pretty significant shortcomings, so I don't see this being viable for real tracking, at least without changes.
I wonder if you could set up a virtual drive that gets picked up as an SSD and then automate and randomize everything that happens within it so it’s just noise. The problem is that this hack probably gives insight into every drive on the system, so the exploit would still grab that data; it would just run alongside the bullshit stream of data.
the attack should only have insight into the abstracted storage provided by the browser, so your idea of a virtual device that spits out random timing results is probably reasonable.
the issue is that timing being random, in and of itself, is a potential fingerprint when combined with other data from your browser - unless everyone is doing it as well.
all I can say is I give thanks for noscript every single day.