
Document Correlation Attack#1116

Open
rdica wants to merge 7 commits intojamulussoftware:releasefrom
rdica:20260122-correlation-attack

Conversation

@rdica
Contributor

@rdica rdica commented Jan 25, 2026

Short description of changes
Provides a knowledge base entry to document the current correlation attack in progress, and provides mitigations for clients and servers.

Context: Fixes an issue? Related issues

Relates to https://github.com/orgs/jamulussoftware/discussions/3545

Status of this Pull Request

What is missing until this pull request can be merged?

Does this need translation?

Checklist

  • I've verified that this Pull Request follows the general code principles
  • I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • I'm sure that this Pull Request goes to the correct branch

Member

@ann0see ann0see left a comment

I'd frame it more neutrally, as some users might want to be tracked to use the service.

I'd like to have a neutral review by @mcfnord

### Correlation

Anyone can run servers **and** explorer instances.
Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the location of a specific user.
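Review bot: the correlation paragraph presents the IP<->username mapping as if it were deterministic, but the two observations it combines (a listener seeing an IP's pings stop, an explorer seeing a new username on a server) are matched only by time, so the text should say the match is probabilistic and gets weaker the more clients stop pinging and the more users join inside the same window, which itself is bounded by how often the explorer polls the servers. A sentence such as "the mapping is a best guess that is only reliable when few users join at the same time" keeps the claim accurate. It should also mention that a client that never opens the Connect dialog (for example one started with the -c argument to connect directly) never sends these pings and so cannot be matched this way.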
Member

Suggested change
Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the location of a specific user.
Using IPs captured by a server, one can correlate **when an IP address stops pinging** (ie; just connected to a server) and **when a new client joined a server** (username data from explorer query directly to a jamulus server) to produce an IP<‐>username mapping. The IP address can then be processed to provide geolocation data. From this one can determine the approximate location of a specific user even if no location was set in the users' profile.


## Current Correlation (as of 20260202)
Member

Suggested change
## Current Correlation (as of 20260202)
## Current Correlation (as of 2026-02-02)


### Listeners

Member

You should clarify that these are known IP addresses. There could be others. Also, you should link to the site this IP belongs to.

Users should be informed about this. Judging if this is good or bad lies in the eyes of the user and cannot be part of this page.


When you open the Connect dialog window your client starts sending pings to every server in the list. **`24.199.107.192`** is the IP address of one of those servers. A server using **`24.199.107.192`** exists on each genre, their names are ***Duet***.

Blocking outgoing **UDP** traffic on your DAW or router to **`24.199.107.192`** will prevent the listeners from collecting your IP address and breaks correlation. This will help prevent you from being tracked.
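Review bot: the mitigation is tied to one address, so the paragraph should say it only stops the listener at 24.199.107.192, not the attack in general, since the Correlation section itself says anyone can run a server that captures pings and the address can change. Two details a reader needs to apply it: the rule must drop UDP to that address on every port, because the seven Duet servers share the IP and differ only by port, and "DAW" should read "the computer running the Jamulus client", with a pointer to where a host firewall rule goes on each OS. Suggest also telling the user how to confirm the block took effect, for example opening the Connect dialog while watching outgoing traffic to that address with tcpdump, since a rule in the wrong direction or chain silently does nothing.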
Member

Alternatively you can try to use the -c argument from the command line (add link to docs) to connect directly to the server by skipping directories.


### Server Admins

Server admins can contribute to helping prevent user tracking by blocking the explorer probe.
Member

Suggested change
Server admins can contribute to helping prevent user tracking by blocking the explorer probe.
Server admins can decide to prevent user tracking by blocking the explorer probe.

Contributor

Well, they decided, and then they prevented. So "can prevent user tracking" seems clear enough.

If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`**

Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks correlation. This will protect users on your server from being tracked while they use it.
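Review bot: blocking inbound UDP from 137.184.43.255 only hides the user list from that one explorer instance; the directory server still lists the server, and every other explorer (explorer.jamulus.io and jamulusjams.com are both named later in this document) and every client's Connect dialog still receive the same user list, so "breaks correlation" should be qualified to "breaks correlation by the explorer at this address". The paragraph should also state that the rule must match only packets whose source is the explorer address and nothing broader, since a general inbound UDP drop would also cut off the directory server and the clients and take the server off the public list entirely.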
Member

Suggested change
Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks correlation. This will protect users on your server from being tracked while they use it.
Blocking incoming **UDP** traffic from **`137.184.43.255`** will prevent the explorer from indexing your server and breaks correlation. This will disable user tracking on your server from the blocked server.

Contributor

maybe "This will prevent users of your server from being tracked when they connect."


---

Updated information can be found here: [https://jamulusjams.com/block-user-tracking.html](https://jamulusjams.com/block-user-tracking.html)
Member

This KB entry should be kept up to date imo.


### Pings

When a user attempts to connect to a server, they open the Connect dialog window. The client will **start** sending “pings” to every server listed in that genre to report delay latency (basically network distance) to those servers.
Contributor

@mcfnord mcfnord Feb 4, 2026

Suggested change
When a user attempts to connect to a server, they open the Connect dialog window. The client will **start** sending “pings” to every server listed in that genre to report delay latency (basically network distance) to those servers.
When a user wants to connect to a server, they typically open the Connect dialog window. The client will **start** sending “pings” to every server listed in that directory, so it can report how much delay the user would experience on each server.

Genre might make more sense than directory. Either's fine.


## Scope

This document will attempt to summarize the problem, and provide mitigations for both users, and server admins.
Contributor

@mcfnord mcfnord Feb 4, 2026

Suggested change
This document will attempt to summarize the problem, and provide mitigations for both users, and server admins.
This document will attempt to summarize how this happens, and provide mitigations for both users, and server admins.

I go back and forth about how much it's a problem, but I agree it is not ideal. There are a few people who seek out IPs to taunt with them. I think ideally directories would gather IP addresses and use them to provide additional services that improve userbase optimizations like what I've done, and ideally, it would not be possible to derive a client's IP address. But problems are things we do mitigate so the words are kind of a pair.


Anyone running a server can capture those “pings” using tools like `tcpdump` or `tshark/wireshark` and view the IP addresses of the clients that are sending them.
**No username data is sent.** This is part of the Jamulus protocol, by design, to maintain a level of privacy and prevent others from finding the IP addresses of specific users.
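Review bot: "This is part of the Jamulus protocol, by design, to maintain a level of privacy" is contradicted by the attack this document describes: the ping carrying no username means a listener alone learns only IP addresses, but the document then shows the name is recovered by timing, so the design does not prevent the mapping. Suggest stating the fact without the design claim, e.g. "The pings carry no username, so a listener by itself learns only which IP addresses have the Connect dialog open and when they stop." The same "by design" wording recurs in the explorer paragraph further down and should be changed there as well.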
Contributor

@mcfnord mcfnord Feb 4, 2026

There's nothing in the Jamulus protocol that leads me to believe they designed a private protocol. It's totally possible to do but they didn't do so here. Let's imagine what you're saying: Rather than ping, they could ping a... username? Do pings even have payloads like that?

Security by obscurity is not security. You can't just say, oh, it's private because we didn't shove all the data in every ping. Can you tell me one way in which the Connect dialog's ping pattern promotes privacy? In MVP/V1 style, it shoves those pings out there, and then stops shoving them. You're saying their lack of explicit metadata payload is a privacy design? It's not.
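The timing correlation this thread is arguing about, worked through on constructed data as an added example (this is not code from the Jamulus project, the PR, or any of the commenters): a listener's tcpdump-style capture of pings yields a last-seen time per source IP, an explorer's polling yields the time each username first appeared on a server, and the two are matched by a time window. The capture lines, the join events, the server port 22124, the one-second ping interval, `STOP_GAP` and `JOIN_WINDOW` are all assumptions chosen for illustration. The point the code makes is the one the KB text glosses over: the match is only unambiguous when a single user joins inside the window, and an IP still pinging when the capture ends is not a stop event at all.

```python
"""Timing correlation of listener ping captures with explorer join events.

Added example for this review thread, not Jamulus project or PR code. All input
data is constructed; port 22124, the ~1 s ping interval, STOP_GAP and JOIN_WINDOW
are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed tcpdump-style lines (assumed: `tcpdump -n -tttt udp and dst port 22124`)
# as a listener at 24.199.107.192 would capture them. Source IPs are documentation ranges.
CAPTURE = """\
2026-02-02 20:00:00.100000 IP 203.0.113.10.50001 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:00.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:01.100000 IP 203.0.113.10.50001 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:01.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:02.100000 IP 203.0.113.10.50001 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:02.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:03.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:04.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:05.150000 IP 198.51.100.7.50002 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:05.200000 IP 192.0.2.33.50003 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:06.200000 IP 192.0.2.33.50003 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:10.500000 IP 203.0.113.44.50004 > 24.199.107.192.22124: UDP, length 20
2026-02-02 20:00:11.500000 IP 203.0.113.44.50004 > 24.199.107.192.22124: UDP, length 20
"""
CAPTURE_END = datetime(2026, 2, 2, 20, 0, 12)    # when the capture was stopped (constructed)
STOP_GAP = timedelta(seconds=3)     # no ping for this long => client left the Connect dialog
JOIN_WINDOW = timedelta(seconds=4)  # a join this long after a stop is still considered related

# Constructed explorer observations: (username, server, first poll at which the user was seen).
JOINS = [
    ("alice", "Blues Cafe", datetime(2026, 2, 2, 20, 0, 4)),
    ("bob", "Rock Box", datetime(2026, 2, 2, 20, 0, 8)),
    ("carol", "Rock Box", datetime(2026, 2, 2, 20, 0, 8)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
)


def last_ping_per_ip(capture_text: str) -> dict:
    """Last time each source IP was seen pinging the listener."""
    last = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a ping line (e.g. tcpdump's own status output)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        ip = m.group("src")
        if ip not in last or ts > last[ip]:
            last[ip] = ts
    return last


def stop_events(last_seen: dict, capture_end: datetime, stop_gap: timedelta) -> dict:
    """IPs whose pings stopped well before the capture ended. An IP still pinging
    at the end of the capture is not a stop event; it may simply still be browsing."""
    return {ip: ts for ip, ts in last_seen.items() if capture_end - ts > stop_gap}


def correlate(stops: dict, joins: list, window: timedelta) -> dict:
    """For each stop event, the usernames that appeared on some server within the window.
    More than one candidate means the match is ambiguous, not that both are that user."""
    out = {}
    for ip, stopped_at in stops.items():
        out[ip] = [user for user, _server, seen in joins
                   if stopped_at < seen <= stopped_at + window]
    return out


def run_example():
    stops = stop_events(last_ping_per_ip(CAPTURE), CAPTURE_END, STOP_GAP)
    candidates = correlate(stops, JOINS, JOIN_WINDOW)
    resolved = {ip: users[0] for ip, users in candidates.items() if len(users) == 1}
    return candidates, resolved


if __name__ == "__main__":
    candidates, resolved = run_example()
    for ip, users in candidates.items():
        print(f"{ip}: {users or 'no candidate'}")
    print("unambiguous:", resolved)  # geolocating the IP would be the attacker's next step
```

With this data only 203.0.113.10 resolves (to alice); the two IPs that stopped shortly before bob and carol both appeared on Rock Box get two candidates each, and 203.0.113.44 never becomes a stop event because it was still pinging when the capture ended. Shrinking `JOIN_WINDOW` below the explorer's poll interval makes the attack miss joins rather than resolve them, which is why the poll interval, not the ping, is the parameter that bounds the attacker's precision.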

### Listeners

There are seven servers on public Jamulus space, one in each genre. They are named ***Duet***, and have a userlimit set at two. They all share the same IP and each sit on different ports.
These servers are “listening” for pings from clients, and packet capturing them to get the IP addresses of users clients.
Contributor

Suggested change
These servers are “listening” for pings from clients, and packet capturing them to get the IP addresses of users clients.
These servers are “listening” for pings from clients, and packet capturing them to get the IP addresses of user clients.


### User Data

There is an explorer instance collecting lists of servers and users running from **`137.184.43.255`**
Contributor

Somewhat I'm concerned that publishing the specific IP addresses will put this document out of date if I have to change IPs. I don't typically change IPs, but it can happen. Maybe I could present a page of these addresses that's always current.

Member

Agree. Best in machine readable form (like csv or json)
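One way a client or server admin could consume the machine-readable address list suggested above, as an added example that is not code from the Jamulus project or anyone in this thread: a JSON document of known listener and explorer addresses is parsed and validated, and nftables rules are emitted in the right direction for each role (drop outgoing UDP to listeners on a client, drop incoming UDP from explorers on a server), covering all UDP ports because the Duet servers share one IP. The JSON layout, the `inet filter` table with `input`/`output` chains, and the rule format are assumptions; the two addresses are the ones named in this PR.

```python
"""Generate firewall rules from a machine-readable list of known tracking hosts.

Added example for this review thread, not Jamulus project code. The JSON layout
below, the nftables table/chain names (inet filter, input/output) and the rule
format are assumptions; the two addresses are the ones named in the PR.
"""
import ipaddress
import json

# Constructed example of the "always current" address list discussed above.
KNOWN_HOSTS_JSON = json.dumps({
    "listeners": ["24.199.107.192"],  # servers that capture client pings
    "explorers": ["137.184.43.255"],  # instance that polls servers for user lists
})

ROLES = ("listeners", "explorers")


def load_known_hosts(doc: str) -> dict:
    """Parse and validate the list; refuse anything that is not a global unicast IP."""
    data = json.loads(doc)
    out = {role: [] for role in ROLES}
    for role in ROLES:
        for raw in data.get(role, []):
            addr = ipaddress.ip_address(raw)  # ValueError on malformed input
            if not addr.is_global:
                # A private or loopback entry here would block your own LAN or host.
                raise ValueError(f"refusing non-global address in {role}: {raw}")
            out[role].append(addr)
    return out


def _family(addr) -> str:
    # nftables keys IPv4 and IPv6 address matches differently.
    return "ip" if addr.version == 4 else "ip6"


def client_rules(hosts: dict) -> list:
    """Client side: drop outgoing UDP to every listener, on every port."""
    return [
        f"nft add rule inet filter output {_family(a)} daddr {a} meta l4proto udp drop"
        for a in hosts["listeners"]
    ]


def server_rules(hosts: dict) -> list:
    """Server side: drop incoming UDP from every explorer and nothing else, so the
    directory server and real clients still reach the server."""
    return [
        f"nft add rule inet filter input {_family(a)} saddr {a} meta l4proto udp drop"
        for a in hosts["explorers"]
    ]


def rules_for(role: str, doc: str = KNOWN_HOSTS_JSON) -> list:
    hosts = load_known_hosts(doc)
    if role == "client":
        return client_rules(hosts)
    if role == "server":
        return server_rules(hosts)
    raise ValueError(f"unknown role {role!r}; expected 'client' or 'server'")


if __name__ == "__main__":
    for role in ("client", "server"):
        print(f"# {role}")
        print("\n".join(rules_for(role)))
```

The validation step is the part worth keeping even if the rule format changes: a list fetched from a third party gets applied to a firewall, so a typo or a private address in it must be rejected rather than silently turned into a rule that blocks the wrong thing.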

IP addresses of users collected from the listeners are being correlated with join events derived from the explorer instance to produce IP<‐>username mappings. IP addresses are processed to provide geolocation data of users. This geolocation data is being collected **and** displayed without express permission of users, and with no means to opt in or out.

**This data is also being fed into AI for various analyses**, again with no express permission, and no means to opt in or out.
Contributor

@mcfnord mcfnord Feb 4, 2026

Suggested change
**This data is also being fed into AI for various analyses**, again with no express permission, and no means to opt in or out.

There's nothing in the production software that involves AI.


```
Genre Name IP:port
Contributor

This would probably look good as an actual table.

@@ -0,0 +1,84 @@
---
layout: post
title: "Privacy: Mitigating User Tracking By Third Parties"
Contributor

Suggested change
title: "Privacy: Mitigating User Tracking By Third Parties"
title: "Privacy: Mitigating User Tracking By Jamulus.Live"

Is there anything in here about mitigating user tracking carried out by anyone but me? It kind of describes how anyone could do this, but it only explains how to mitigate one very particular website.


A user will either select a server from the list, or type in a server address:port, click Connect or hit Enter, and the client will then attempt to connect to the server. At this point the client **stops** sending the “pings” and the client typically completes the connection to the server.

Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com).
Contributor

Suggested change
Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This is public data, and viewed in the Connect dialog window, and available through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com).
Each genre has a directory server. The purpose of the directory server is to provide clients with a listing of servers registered to it, and the users connected to each server. This public data can be viewed in the Connect dialog window, and also through a number of websites, like [explorer.jamulus.io](https://explorer.jamulus.io) or [jamulusjams.com](https://jamulusjams.com).

I think there's also a third website that does this.



Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing.
Contributor

Suggested change
Anyone can run an explorer instance. An explorer queries each genres directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing.
Anyone can run an explorer instance. An explorer queries each genre's directory server to get a list of servers, then queries each server directly to get a list of connected users. This is public data. **There is no IP address information on users, just the user profile data for each**. Again this is by design to prevent IP<‐>username mapping. This data can also be saved for later processing.

If the design intends to prevent IP-username correlation, then the design is broken.

Member

We try not to send IPs out if not necessary. The correlation is a side effect we didn't think about.

My opinion: As long as users are aware of it and can opt out I'm mostly fine.

Contributor

I remember going through 4 iterations of making the geolocation less specific. So here it seems misleading to be so vague about the granularity of the disclosures. I believe there are ten million people in my state, which doesn't really narrow down which house is mine.

Contributor

Suggested change
If you run a server on the jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`**
If you run a server on the Jamulus public network, it is currently being indexed by the explorer instance on **`137.184.43.255`**

@mcfnord
Contributor

mcfnord commented Feb 4, 2026

I believe this is technically called a side-channel attack rather than a correlation attack.
