Tuesday, December 19, 2023

T-Mobile, Firefox, and Incognito mode

Most browsers have what they call a privacy or incognito mode. The idea is that it deletes any cookies and cache created by a website you ventured into once you close the browser (important step here). Note it does not replace a VPN or anonymize your traffic in any way; there are other tools for that. Still, I not only like that but I set my browsers to always start in that mode (we can talk about how to do so in a future post). Cookies are one of the ways websites track you (as in what GDPR would consider to be personal data) and your habits, so they can know more about you than you do. I would rather they did not do that. Also, shadier individuals -- even shadier than certain commercial organizations that I would rather not mention -- also like them when they gain access (think phishing attacks) to your system, as these files may have fun stuff like session cookies and even passwords they can steal.

Understandably, some companies do not like it when I get rid of their cookies, but there is little they can do about it because this is done at the user's end. However, it seems T-Mobile found a way around that: they chose to detect and block users of Firefox running in Incognito Mode on their website:

T-Mobile message stating they do not support Firefox in incognito mode

Even though I provided the link to the official page, here is the text for those who are using a text-based browser or cannot see images:

Firefox is no longer supported in private mode. The Firefox browser is no longer supported in private mode on our site. To continue, please take Firefox out of private mode or choose another browser. We recommend Chrome, Safari or Edge.

Why are they singling out Firefox and derivatives (I also tried LibreWolf before writing this article)?

  • Could it be they assume everyone either uses a Windows or Mac computer, or at least a Google-derived system (think Chromebook and Android), and any user running none of those (I use Linux) is to be treated with mistrust?
  • Could it be that Safari stopped supporting extensions such as uBlock Origin, and Edge, well, Edge just like the normal (as in not ungoogled) version of Chrome talks too much back to the mothership? After all, these browsers do have their own versions of privacy modes, so that can't be the main issue. Nor can it be that most sites, banks included, seem to work just fine with Firefox incognito mode.

Contacting T-Mobile led nowhere, so all I have are the speculations I made here. You too can make your own!

Saturday, December 2, 2023

Websites whose login pages do not work correctly

It is late at night and I just had a thought I want to share: have you ever gone to a website, say, your bank, where when you try to log in -- pasting the username and password so there is no possibility of a typo -- it does not work and sends you to a "login failed, try again" page, and it then works there?

I do not know about you, but if I were going to try to steal credentials, creating a website that sits in front of the real one (think man-in-the-middle attack) would come to mind.

That is all I have for now: just food for thought.

Saturday, November 18, 2023

Online subscriptions: Giveth and Taketh Away

Like many, I too have a Gmail account. And I have used it to buy magazines, TV shows, and even subscriptions. My reason is the same as everyone else's: it is convenient. Recently I received an email stating:

Here is the text version, so people can translate it to their language or just be able to read it without having to rely on the image:

Since 2020, new purchases of magazines have not been available in Google News and very few users now regularly access their magazine subscriptions. We wanted to inform you that support for magazine content in Google News is being discontinued beginning on December 18, 2023, which means access from Google News apps or news.google.com to the library of magazines you previously purchased or subscribed to will be removed. To continue to access previously purchased magazine content, you must export and save each purchased issue before December 18, 2023.

Claiming this to be a security or even privacy topic may sound like a bit of a stretch, but hear me out. When you buy a TV show, movie, or even a magazine subscription through Google, Apple, Amazon, Barnes & Noble, or whoever, unless you can download it to your computer and view it without needing to use their website or app, you may lose access to it for different reasons:

Technical issues.

People have reported that ebook purchases they made and downloaded to their reader -- usually a phone app or Kindle -- one day are no longer on their devices. Or said books are no longer even listed in their accounts. Or, even when said books are on their devices, pages are or became missing. Contacting the publisher (or should we call them streaming providers, as they may only be licensing the sale/distribution of the product?) can lead to hours if not months of frustration; they may be equally baffled as to the reason for these problems.

This also frustrates authors, whose present and future earnings are directly related to the popularity of their work: imagine if one of your books was the #1 bestseller and then, because of a computer glitch with the streaming provider, it cannot be easily found, downgrading it to #150. This has happened already.

The Wikipedia Effect

Wikipedia is a living document: people are always editing and improving on its contents. So, what you read last month may have been disputed and edited out of it. That leads to arguments that it should not be quoted as a reference source. Some authors and producers may feel the initial version of their book or movie did not portray the story the way they intended and would love to be able to come back, months or years after publication, and change it. George Lucas is the poster child of this.

With streaming that no longer means a new release: all the old versions can now be updated just like a computer program. I myself have seen shows whose opening credits for specific episodes have changed at least 3 times; the latest of which added hints to events in the episode which really do not add value to it. The bottom line is that what you bought last year may no longer be what you have. Is this good or bad? That is up to you. In my opinion, while there is a benefit for textbooks and study guides, when we are talking about a work of fiction or even a technical paper, that removes the power from you, the buyer, to decide which version you have. I am glad I am still able to see the original Star Wars trilogy without the CGI "enhancements" added later.

Licensing issues

Let me cut to the chase: you do not own what you paid for. According to Amazon's Conditions of Use (not singling them out, but it was the one I could easily find),

All content included in or made available through any Amazon Service, such as text, graphics, logos, button icons, images, audio clips, digital downloads, data compilations, and software is the property of Amazon or its content suppliers and protected by United States and international copyright laws. The compilation of all content included in or made available through any Amazon Service is the exclusive property of Amazon and protected by U.S. and international copyright laws.

The part I highlighted (boldfaced?) is the one we want to look at. All those Kindle books and movies and music you bought at Amazon Prime belong to Amazon or whoever they licensed them from. You only paid for a license to access them, and contrary to social media sites and even companies you work at, this license is not perpetual. There have been cases where, for instance, Kindle owners found books they purchased were removed from their accounts. And it does not end there: the Amazon Services Terms of Use state that this license can be revoked. While its wording claims that termination only happens if they decide you are not in strict compliance with the agreement, they do reserve the right to decide if that is the case.

How does that affect privacy?

Some books or movies were removed from streaming sites because they were considered inappropriate; that in itself can mean many things, including not politically acceptable. Your purchase/subscription records are in the possession of these streaming providers. Depending on your location of residence, what can possibly be personal information -- it can be used to infer religious beliefs, sexual orientation, and so on -- is sold to other merchants, which will certainly use this data to create a profile of you (called an avatar) to better market to you, be it by ads on free phone apps or even plain old emails. Others such as governments and more criminal-minded organizations can also acquire the data for their own purposes.

How to minimize personal data exposure?

If you like a movie or a book, why not buy the movie on DVD/Blu-ray or the book either printed or at least as a PDF? At the very least you now own it in a way that they cannot remove your access to it. You can find privacy-respecting PDF readers for most phones and computers. You can still convert the movie to some electronic form so you can watch it without worrying about damaging the disc. There may be legality issues which are beyond this post, but the technology is there. As a bonus, you do not have to worry about the content of your purchase changing from the version you paid for.

Friday, October 20, 2023

Helping attackers collect your personal information: spearphishing and imgur

Since this is cybersecurity month, let's talk about one of the sure ways to help malicious people attack you or steal your identity. Of course we are talking about companies which nudge people to place their personal information in public. In today's example, we will focus on imgur. It is not that bad of a website if you take the usual precautions with your images and what you post on it. Worried that the bad guys will need to put in some effort, its creators offer a "Cake Day":

For those who are not able to see the image (do not consider yourselves unlucky), here is the excerpt from that email I would like you to focus on (boldface is mine):

It is customary to celebrate your Cake Day (that's your account’s creation day) by sharing something excellent with the Imgur community. Perhaps a favorite GIF, a great personal story, a meme, or some interesting information would do? Head on over to Imgur to create a new post.

"What is so bad about that?" you may ask if you skipped the first paragraph in this post. Well, let's start with a phishing attack: while most of them are half-hearted attempts to con users with badly written emails laden with links to unscrupulous websites or malware-filled attachments, the better ones are more carefully crafted and aimed at specific people. For these to work, the attackers need as much information on their targets as possible. So, knowing the personal stories and interesting information requested by imgur helps with this information gathering step.

Note that this is technically not a GDPR violation, as it seems (I am not going to ask the person to click on the imgur tracking link just to get more info for this blog entry) that it requires you to go through the effort to enter it and does not require you to enter it to continue. In a future post we will show examples where that is not the case.

Wednesday, August 2, 2023

Burger King, Data Breach, French Style

As some of you may be aware, Burger King experienced another data breach, and it is slightly different from the 2019 event. As before, personal data was exposed due to misconfiguration of their website: specifically, in the June 2023 incident the passwords for databases and other services were stored in a publicly accessible text file. This would not be that interesting had the incident taken place in their US location: personal data of children was also exposed (like Panera, which uses palm scanning, Burger King nudged children to enter their info so it was more convenient to order their favourite items and for parents to pay without needing to go to the cashier), customers mysteriously received emails with blank receipts, and one of the services whose authentication info was stored in that configuration file was our old friend Google Analytics, yet all of it would be forgotten in a few weeks.

What makes the special sauce special is that this happened in France, which means it is under the jurisdiction of the GDPR. Data breach investigations under those regulations are rather different from those under US laws. If the American-based multinational cannot prove it has done due diligence regarding how it protects the personal data of its customers and current/future employees, it should at least expect heavy fines: according to GDPR Art. 83(5), severe violations can cost up to 4% of Burger King's total global revenue, which in 2021 was US$ 1.81 billion. Given that the authentication was stored in plain text and children's data (which may have been collected in violation of GDPR Art. 8, and falls under Recital 38) is at risk, the fast food giant should not expect the French data protection authority (Commission Nationale de l'Informatique et des Libertés, or CNIL) to be as lenient towards American companies as the Irish one.

This is a very new case -- announced today in the news -- and we have no idea when Burger King reported to the CNIL (per GDPR Art. 33 they must report within 72h of learning of the incident), so we will have to wait to see how it will develop; expect the case to take at least months before the CNIL deliberates and issues fines.

Sunday, July 30, 2023

Bloatware/Spyware: TikTok & Meta preinstalled in Windows 11 devices

Have you heard of the term "promoted apps"? That is the euphemistic term for programs that come preinstalled on a new computer. People like me knew them by a different term, bloatware; they were popular in old Microsoft Windows and MacOS installs. The idea was that companies would pay OS and/or computer/smartphone manufacturers to bundle the former's software with the latter's products. Think of it as a variation of paid advertising or an infomercial. This junk was grouped into:

  • Trialware
  • Adware
  • Spyware, like those bundled by cell phone carriers.
  • And, on a rare occasion, something useful. Somewhere out there there is an example.

That trend has not diminished. If you check your browser, you may find it comes ready with a YouTube search engine built in. People have reported Windows 11 coming with TikTok and Meta installed at least since 2022. No matter what people say, I do not mind TikTok/Meta/Twitter/YouTube as long as I decide to install them. I mean, what is wrong with going to an app store and getting them? But why should any of them be bundled into a new Windows 11 tablet? Yes, there are tricks and instructions online to remove them, but they should not be there to begin with.

Friday, June 9, 2023

Protest against Reddit API Changes and killing 3rd party APIs: Jun 12-14. Call today at 10:30AM PST

This may sound like a politicized post, but there is reason behind the madness here: for a while there have been many third-party applications used by Reddit users to post (including posting with a modicum of privacy (hey, we talk a lot about that here!), as sometimes said posts can be career-ending ones) and keep track of topics of interest. Even the moderators make use of such tools to keep spam down. All of these tools were possible using the API provided for free by Reddit. Many of these tools are open source, offered for free.

Fast forward to now, and Reddit is aiming for an IPO this year. Also, it has decided to start charging for the use of its API starting June 30. There are some who will claim the two events are related. This is expected to cause most of these 3rd party apps to be killed and force users to rely on the official app, which is not known for its interface or features, besides its privacy issues.

As a result,

  • More than 3000 communities (subreddits) will go dark from Jun 12 to Jun 14 in protest against this decision, including many that are associated with IT in general and cybersecurity specifically. Some of them will shut down permanently.
  • There is a thread where you can get the most recent developments.
  • People are flocking to Reddit alternatives including Mastodon, beehaw, and Discord.

Reddit said its CEO will be hosting an "Ask Me Anything" (AMA) event today at 10:30AM PST to talk about their plans regarding the API.

Is there another reason?

Well, what if Reddit realized the people behind large language models -- OpenAI, Google, etc. -- are making money by scraping its website to get data for their AI models (since it is still a hot topic, here is the obligatory mention of ChatGPT), and now Reddit wants to get a piece of the action?