There is a way to find the meat address of a web browser, *even if through an anonymizing proxy*, if the user is connected via a modem subject to Hayes command sequence attacks. The attack uses a variant of the Hayes exploit that Eric Cordian mentioned in a DDoS context. The idea is that instead of DDoS'ing some phone number, you force a call to a toll free number that collects the caller's number (and time of day), thereby trashing privacy and anonymity. A URL containing the disconnect & redial sequence will work. You learn the phone number, time of browsing, and browsed site. Presumably Eric's ping-data method would also work, and not require that the user browse a particular page. You could scan dial up dynamic IPs, ping them, and collect the phone-ids of (some of) the computer/modem users in that geographic area who browse at a certain time/date. Someone seems to have set up a demo at http://www.geocities.com/joe_cypherpunk/ which has links to try the disconnect and the redial method from a browser.
