Geo Location extracted from visitors ip address

[Robert Kern]

Στις 6/7/2013 11:30 πμ, ο/η Chris Angelico έγÏαψε:

No, no registration requirements.

you know when i go to maps.google.com its always find my exact city of location
and not just say Europe/Athens.

and twitter and facebook too both of them pinpoint my _exact_ location.

How are they able to do it? We need the same way.

They use client-side JavaScript. This is a relatively new API available in most,
but not all, recent browsers. This information will not be available to your CGI
script. You will have to generate HTML with the proper JavaScript to get the
geolocation (if the user allows it) and then send it back to your server through
a different CGI script (or web application endpoint).

http://diveintohtml5.info/geolocation.html

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco

 

[Tim Chase]

you know when i go to maps.google.com its always find my exact city
of location and not just say Europe/Athens.

and twitter and facebook too both of them pinpoint my _exact_
location.

How are they able to do it? We need the same way.

A couple possibilities:

1) using the aforementioned HTML5 location API, your device may be
tattling on where you are. Are you browsing from a smart-phone or
other device with a GPS built in?

2) at some point in the distant past, you told Google where you are,
and it has dutifully remembered that. Try using an alternate browser
in a new session (Firefox has the ability to create a new profile;
Chrome/Chromium should have the ability to start up with a virgin
profile; I can't say for Safari or IE) and see if Google suddenly
lacks the ability to locate you

3) Google has a better IP-to-location map database than you have.
You might have to pay real money for such functionality. Or, you
might have to use a different library, as the IP-to-location database
that I linked you to earlier has both an "IP to Country" and an "IP
to City" database. Note that this is often wrong or grossly
inaccurate, as mentioned in other threads (geolocation by IP address
often puts me in the nearest major city which is a good 45min drive
away, and if I just visit Google maps with a fresh browser, it just
shows me the state, TX, which is a ~13hr drive across, if done at
65mph the whole way)

-tkc

 

[Dave Angel]

Στις 6/7/2013 11:30 πμ, ο/η Chris Angelico έγÏαψε:

No, no registration requirements.

you know when i go to maps.google.com its always find my exact city of
location and not just say Europe/Athens.

and twitter and facebook too both of them pinpoint my _exact_ location.

How are they able to do it? We need the same way.

At some point, you entered your address, and it's stored in some
database in the sky. You have cookies on your machine which correlate
to that database.

Chances are you did it for google-maps, and google shared it with their
search engine and other parts.

As far as I know, each such company has a separate database, but perhaps
google (for exakmple) has an partner API which facebook uses.

 

[Dennis Lee Bieber]

It was some guy form hostgator.com that had told me that a python script
has the same level of access to anything on the filesystem as its
coressponding user running it, implying that if i run it under user
'root' the python script could access anything.

Yes, IF YOU RUN IT UNDER "root"... The ownership of the script file
doesn't control the privileges it runs under as long as the file itself is
read-access to other "users".

Are you sure that python scripts run under Apache user or Nobody user in
my case and not as user 'nikos' ?

That is the /normal/ way a web-server (or any server) should be
configured -- explicitly to prevent operations from leaking into the rest
of the system.

Is there some way to test that?

There are a whole bunch of methods in the os module (which I can't
demonstrate as 95% of them are UNIX type OS only, and I'm running under
Win7). All sorts of things for retrieving group and user IDs. Only thing I
can access on Win7 is the least reliable items... (username is an
environment variable, and as such could have been changed from the real
user by something in the startup)

import os
os.environ["username"] 'Wulfraed'
os.getcwd() 'C:\\Users\\Wulfraed'

 

[Îίκος Gr33k]

Στις 6/7/2013 5:43 μμ, ο/η Dennis Lee Bieber έγÏαψε:

Yes, IF YOU RUN IT UNDER "root"... The ownership of the script file
doesn't control the privileges it runs under as long as the file itself is
read-access to other "users".

I though that the ownership of the script file controlled the privileges
it runs under.....

Who controlls the script's privileges then?
The process that calls the script file, i.e. Apache?

as the file itself is
read-access to other "users".

What do you mean by that?

 

[Îίκος Gr33k]

Στις 6/7/2013 2:20 μμ, ο/η Tim Chase έγÏαψε:

1) using the aforementioned HTML5 location API, your device may be
tattling on where you are. Are you browsing from a smart-phone or
other device with a GPS built in?

I'm using my lenovo laptop, by maps.gogole.com, fb and twitter have no
problem pionpoint my exact location, even postal code.

How do they do it?

Can you be more specific please about using the aforementioned HTML5
location API ?

Never heard of it. Can it be utilizized via a python cgi script?

 

[Tim Chase]

On 2013-07-06 23:14, Îίκος Gr33k wrote:
Can you be more specific please about using the aforementioned

HTML5 location API ?

https://www.google.com/search?q=html5+location+api

It's client-side JavaScript.

Never heard of it. Can it be utilizized via a python cgi script?

Because it's client-side JavaScript, it runs, well, on the client's
browser. Note that the user may be prompted regarding whether they
want to permit the website to access location information, so this
information may not be available. If the user permits and JS is
enabled, the client-side JS code can then make AJAX requests (or stash
it in a cookie that gets sent with future requests) to convey the
location information to the server where your Python code is running.

-tkc

 

[Tim Chase]

I though that the ownership of the script file controlled the
privileges it runs under.....

Only if the script is SUID. In some environments, scripts
can't be run SUID, only binaries.

Who controlls the script's privileges then?
The process that calls the script file, i.e. Apache?

Yes.

-tkc

 

[Îίκος Gr33k]

Στις 6/7/2013 11:33 μμ, ο/η Tim Chase έγÏαψε:

Yes.

When we run the python interpreter to run a python script like
python metrites.py

then out script will inherit the kind of access the python interpreter
has which in turn will inherit the kind of access the user that is run
under upon has?

 

[Îίκος Gr33k]

Στις 6/7/2013 11:32 μμ, ο/η Tim Chase έγÏαψε:

Can you be more specific please about using the aforementioned
https://www.google.com/search?q=html5+location+api

It's client-side JavaScript.

so, i must edit my cgi script and do this:

print '''
<script>
var x=document.getElementById("demo");
function getLocation()
{
if (navigator.geolocation)
{
navigator.geolocation.getCurrentPosition(showPosition);
}
else{x.innerHTML="Geolocation is not supported by this browser.";}
}
function showPosition(position)
{
x.innerHTML="Latitude: " + position.coords.latitude +
"<br>Longitude: " + position.coords.longitude;
}
</script>
'''

Will that do the trick?

but then again i want the city to be stored in the city variable.
Somehow the above javascript code mu return me a value that i will the
store at variable "city".

I don't know how to do that.

 

[Dennis Lee Bieber]

I though that the ownership of the script file controlled the privileges
it runs under.....

The owner can control /who/ runs the script -- via Group and Other
settings... But the access privileges to the rest of the system are
controlled by the process that runs the script -- in this case, Apache is
probably spawning a process (since you appear to be using classical CGI
invocation rather than a framework) that runs Python for each invocation.

The privileges, thereby, are those of Apache (at best -- I don't know
UNIX systems well enough to know if Apache is capable of putting even more
restrictions on subprocesses).

Depending on how the scripts are put into Apache's CGI system, Apache
may even be the owner of the script file.

 

[Îίκος Gr33k]

Στις 6/7/2013 11:51 μμ, ο/η Îίκος Gr33k έγÏαψε:

Στις 6/7/2013 11:32 μμ, ο/η Tim Chase έγÏαψε:


so, i must edit my cgi script and do this:

print '''
<script>
var x=document.getElementById("demo");
function getLocation()
{
if (navigator.geolocation)
{
navigator.geolocation.getCurrentPosition(showPosition);
}
else{x.innerHTML="Geolocation is not supported by this browser.";}
}
function showPosition(position)
{
x.innerHTML="Latitude: " + position.coords.latitude +
"<br>Longitude: " + position.coords.longitude;
}
</script>
'''

Will that do the trick?

but then again i want the city to be stored in the city variable.
Somehow the above javascript code mu return me a value that i will the
store at variable "city".

I don't know how to do that.

I had a reply of another person telling me these:

Google, Facebook, Microsoft, Amazon and most other gigantic companies
with lots of money track you in several different ways, not just by the
IP. They compare several categories of tracking to generate a list of
possible locations for you and then pick the one with the highest
confidence.

For example, I have an AU phone. If I register with AU Cloud that also
registers me with Google, and then my AU tower, IP and GPS location all
get reported to Google. When I login later on a desktop to the same
GoogleID account, they only have my IP and tracking cookies to look at,
but they already know to check the latest location of my phone -- and
whether its turned on/permitting GPS updates right then affects the
confidence report % of that method of tracking. Recent reservations,
dated product/service reviews, driving directions, map inquiries, map
bookmarks/pins, etc. all give some confidence for frequented location
and movement history each. Any billing relationship you have with them
will give them another tracking point based on your billing address, and
they can compare the billing address with frequented GPS locs, past
shipping information and recent locale-oriented searches. The more
recent the data and the more points of data match the same location the
more confidence the potential location has.

....and so on.

Its pretty creepy, actually. Anyway, you can't just do this using IP
information. To get reliable, live, pinpoint user location data you need
to do one of:
Convince the user to report/register/pick their location
Convince the user to permit you to track their phone
Get a contract with Google that buys you their best guess at user location
Be like Google and engage in a conspiracy to invade the privacy of
millions that dwarfs the resources of most intelligence agencies (and
then sell it to intelligence agencies, just like Google does)

 

[Grant Edwards]

Yes i know iam only storing the ISP's city instead of visitor's homeland
but this is the closest i can get:

try:
gi = pygeoip.GeoIP('/home/nikos/GeoLiteCity.dat')
city = gi.time_zone_by_addr( os.environ['HTTP_CF_CONNECTING_IP'] )
host = socket.gethostbyaddr( os.environ['HTTP_CF_CONNECTING_IP'] )
except Exception as e:
host = repr(e)


Tried it myself and it falsey said that i'am from Europe/Athens (capital
of Greece) while i'am from Europe/Thessaloniki (sub-capital of Greece)

If we can pin-point the uvisitor more accurately plz let me know.

For the Nth time: you can't.

 

[Grant Edwards]

???????? 6/7/2013 4:41 ????, ??/?? ?????????? Gr33k ????????????:

Yes i know iam only storing the ISP's city instead of visitor's homeland
but this is the closest i can get:

try:
gi = pygeoip.GeoIP('/home/nikos/GeoLiteCity.dat')
city = gi.time_zone_by_addr( os.environ['HTTP_CF_CONNECTING_IP'] )
host = socket.gethostbyaddr( os.environ['HTTP_CF_CONNECTING_IP'] )
except Exception as e:
host = repr(e)


Tried it myself and it falsey said that i'am from Europe/Athens (capital
of Greece) while i'am from Europe/Thessaloniki (sub-capital of Greece)

If we can pin-point the uvisitor more accurately plz let me know.

Good morning from Greece,

All my Greece visitors as Dave correctly said have the ISP address which
here in Greece is Europe/Athens, so i have now way to distinct the
cities of the visitors.

Is there any way to pinpoint the visitor's exact location?

No.