Why is Slack storing passwords in plain text on Android devices?

https://mas.to/@cubicgarden/105712244073779967

I posted about Slack’s bug on mastodon. I knew this was going to be a pain the ass changing all those passwords, even with them all sitting in my password manager and most using 2fa.

However some of the users of Mastodon asked the question, why does the Slack app store the passwords on the device at all?

I thought about this and they are right. The app connects to a remote server and should request the user login. Once logged in, it should provide some kind of secure key/cookie/hash on the device not the actual password. On top of this, it certainly shouldn’t be in the form of plaintext.

Mistake, bug or not, this should not happen.

Schedule messages on Android

This slideshow requires JavaScript.

Happy to see Google messages getting schedule messages at long last. Its been a long time in coming after Gmail’s schedule send last year.I have been using the beta and enjoying sending messages at 1am for a quite some time now.

Be great if Signal also added scheduling, although I did buy tasker to solve the scheduling of text and signal but haven’t sat down and played with it yet.

I knew the day was coming for my Pixel2

https://mas.to/@cubicgarden/105356319833794257

Google Pixel’s come with 3 years of supported updates, I knew this but it was a shock when I saw the note saying

Regular updates have ended for this device

Although its still night and day from some of the devices I have owned in the past. For example my work Nokia 8 is still stuck with Android 9 (Pie).

Signal or Threema or how about both?

I have been a fan and person encouraging the use of signal over the likes of whatsapp. Its been good to me but like every piece of software there are things I would change about them. For example the whole pin code thing is not only concerning but also a real challenge for casual users.

The pin code thing and phone number thing is not that much of a concern for most but I’ve been keeping an eye on others coming into the space. Threema is one such messaging app which seems to have all the privacy and security needed backed with its strong European base in Switzerland.

I wrote it off in my mind because it didn’t have a open code base for security  experts to view openly. However that recently changed with them opensourcing the code base.

Because of this change I’m relooking at the Threema, although I don’t think I’ll be dumping Signal as a result but rather using both?

I finally bought the Oura smart ring

Oura  vs Motiv smart rings

I decided its about time I upgraded my smart ring. I originally bought the Motiv ring because it supported Android, had a better price tag and was interested in the 2 factor authentication.

It was good but then I hit a problem about 6 months down the line and although Motiv did the right thing of refunding me completely and letting me keep the ring. It certainly felt like it was on its way to unsupported space with the new owners.

Oura vs Motiv smart rings

So with the new Oura being a bit cheaper and finally some proper Android support, I decided its time.

First impressions are very good, the app is better than Motiv’s and the ring feels a lot more robust. It has 3 different contact points while the Motiv has one. I took the risk of skipping the ring sizing as I knew my size from the Motiv ring. Luckily they were very close but the Oura is a bit bigger giving me more options of fingers to use.

The app now finally syncs with Google fit (one of the biggest complaints for Android owners). I also noticed there is the ability to download the raw data in Json format. I do find the app a little messy but its got all what is needed and if not you can login on the web and see/manage your data.

Oura's charger

If I was going to say one bad thing about it, it would be simply the charger is quite big compared to the Motiv one, which I was able to carry around on my keychain. But its not like I’m going away for a long while, and I noticed the airplane mode which is great.

Currently everyone is using Oura and its the right decision if you need the best tracker on the market. Just glad I didn’t get it when it was mainly iOS as it would have been extremely annoying.

Looking forward to seeing its sleep tracking as the Motiv was pretty awful. Thankfully I use Sleep as Android.

Checking for Spy Cameras everywhere…

I recently been tracking a lot of Spycams in hotels and airbnb’s. Yes its currently mainly happening in the east a lot more it seems, but like most technological trends its on the way westward.

It very much reminds me of my experience in the Airbnb in Barcelona. Yes its was a listening device and they did declare it once we were in the flat but its not good enough. Airbnb is the wild west for this.

The spycameras are getting super small and higher quality all the time. For the last year I have been checking my hotel rooms (pre-covid19 when I could travel) with my camera phone and light. I’m not using an app but rather the camera light as my camera sees IR no problem. Theres some quite good tips in this travel site.

By the way, don’t search for “spycameras” on the web, as you will get some questionable results!

Epic games serves up some 1984 on the app stores

 

Epic battle unfolds

Its been a Epic (Pun intended) battle going back and forth for Epic games and the app stores (Apple & Google).

For mobile developers the 30% cut has been a talking point for a long while but the fact you can’t use other payment systems really put the foxes in the hen house. I won’t get into details as there are others which do a much better job. I love this timeline

But I found the Fortnite 1984 trailer absolutely spot on. Pointing directly at Apple and their classic 1984 advert.  Although to be fair like most big companies, Epic isn’t clean in this area but the monopoly & closed doors of the app stores is a big deal. Its very clear Epic games planned the lawsuit, the 1984 and the trigger event in a perfectly planned check move (chess).

Shall we get the popcorn ready for this clash of the titans?

Regardless of what happens, I’m sure mobile developers will massively benefit from Epic pulling the trigger. Of course many other big names have also jumped in behind Epic.

Google silently puts a knife into the Pixel 4

The view of the red moon through my window
Shot on a Google Pixel4 through my living room glass with nothing special

The Google pixel 4A looks like a really good phone and reminds me of the Nexus 5x in price and style. I won’t lie, the battery size and onboard storage certainly impressive compared to the Pixel4.

I’m still impressed with the Pixel4’s camera and its still good for me so far. But I noticed its currently leaving me with 50% battery at the end of the day. Its ok but remember I’m not really going out much at the moment. No idea what it would be like when I’m out and about again?

Its clear to me, that although I like the Pixel range, I would go for something like the One plus phone next time around. I mean look at the Pixel4a vs the Oneplus Nord?

One decision I have made is I will most likely this time around fit a new battery in the next 9 months. No idea why I didn’t do it for the Pixel2.

 

Why NHS’s world-beating app was always a going to be awful but 10+ million!

Contact tracing api
Photo by Mika Baumeister on Unsplash

Even if you forget the thoughts are coming from a ex-googler who has interests elsewhere this blog is pretty damming and I  can imagine how the NHS really bought their own nonsense about it being world beating. Of course in the end they had to back pedal and use the Google & Apple decentralised contact tracing api.

But there are parts even I was shocked at…

It worked 4% of the time.

Thats not even funny, its not just unreliable but a total waste of time. Even if thats exaggerated, double would still be a bad joke at 8%

The British effort did find workarounds that most other developers could not: They used “keepalives” (messages sent by one device to another) to circumvent restrictions on having apps in the background on iOS. Notifications were sent between two Apple devices running the app to keep the connection between the devices alive and therefore having the ability to detect each other’s keys. The NHS tried to develop with a hacker’s mentality and shared its progress through its GitHub page.

There is a reason why keepalives are a bad idea, battery is one of the number one reasons why people find their smartphones deeply frustrating. Having a app keeping the system awake is just a terrible news. Although I assume as most people are staying at home, they will be closer to a charger at least

in May it was reported by the Financial Times that the British government was simultaneously exploring a solution with Apple and Google’s decentralized system as a backup, indicating that, even within the government, there were doubts that the centralized effort could work.

And this is when I heard they were testing both systems, leading to the fact they were going to drop the centralised app soon. This would be fine but…

The development of the app has taken months and cost millions of pounds from taxpayers…

…around $15 million spent…

I have no words to sum how I feel about the UK government throwing this money down the drain in the middle of a pandemic where people are losing their jobs and dying. Its not just wasteful, its incredibly disgraceful and pretty much sums up the UK government right now.

Signal what are you up to?

I love Signal and never used Whatsapp because of many reasons included in this great opinion piece. Its gotten better and better but the recent pin number is a worry. I’m not the only one.

“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

I do understand why they have done it, but I don’t know where its going next. Marlnspike (head dev of Signal) replies.

Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”

Smartphone use
Photo by Gilles Lambert on Unsplash

The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.

Convenience is the enemy of security and I would say privacy. I wouldn’t be surprised if signal gets forked.

It was always clear to me Twitter direct messages was never secure in anyway, hence why I tried to move private conversations over to another medium. If thats not email or signal what else? Recently I have been looking at a couple others…

Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.

Curve cards are temporarily suspended

The Curve Card

Bad news, with all the joy I have had using my curve card. I was slightly shocked to see this email from Curve yesterday. To be fair I thought it was a phishing email till I checked the site myself and looked at the twitter account.

YOUR CURVE CARD IS TEMPORARILY SUSPENDED – PLEASE CARRY A BACK-UP

Dear Curve Customers,

Your Curve card and all associated Curve transaction and money transfer services will be temporarily suspended with immediate effect. Please be assured, we expect to be up and running again shortly but it may take a few days. Your money and card details held at Curve are safe and secure.

This has happened because the Financial Conduct Authority* has this morning suspended its permission for Wirecard Card Solutions Limited (the company who currently issues Curve Cards) to operate, without prior notice. This action is not related to Curve – but Curve currently depends on Wirecard for operation of the Curve card.

We are already well on the way to migrating away from Wirecard but have not fully completed this process. We are now working round the clock to achieve the migration as quickly as possible and therefore expect this disruption to last for only a limited period of time.

We will continue to communicate the details of what this means for you during this interim period.

For now, please carry a backup card.

We’ll be back,
Team Curve

*Curve currently relies on Wirecard Card Solutions Limited for all its financial transactions. Until we fully migrate, we are impacted by this suspension (as are all Wirecard’s other clients to whom they provide financial transaction services).

Hopefully they can get it up and going soon, as I couldn’t remember my pin for my old card.

Motiv ring sold to the corporate world

My Motiv ring on my hand

This was a surprise…Motiv smart ring gets bought – and will stop selling to consumers

It seems the world of consumer wearables has lost Motiv – the smart ring company that’s been an underdog hit in the world of wearable technology.

The company isn’t dead – but it’s being bought by Proxy – a digital authentication start-up that sees potential in using Motiv’s technology in enterprise. As a result of the buyout, Motiv will cease selling its smart ring device through consumer channels, and there’s no word of how long devices will be supported.

Motiv started life back in 2017 as an activity tracking smart ring that put its focus on active minutes rather than simple step counting, with a heart rate sensor on board.

But its feature set widened over the years. In 2018 a second generation landed that put its focus on biometric security – and these are the features that will have interested Proxy.

Likely explains why they returned the full price of my ring a while?

Only 5 months later and face unlock is fixed

Its one of those things which I wasn’t happy about with my Pixel4. Who on earth over looked the fact you could use the face unlock without your eyes open! It doesn’t take a lot to think about the abuses including spouses with trust issues.

Finally over the last few days Google rolled out a fix which requires your eyes open if you enable it! Only 5 moths later

It was the first thing I did when I installed the update. Till that point I’ve been enabling lockdown mode when going through sensitive areas like airport security

My last pebble smart watch… again?

Broken pebble

Today my pebble 2 smartwatch broke while playing with the diabolo in the garden. The screen came straight out the frame. Not sure why but I did put it back but found the screen was dead.

As I thought my smartphone was still connected to the watch via bluetooth and was responding to the button presses and battery charge.

However without a screen I’m forced to use my very last pebble smartwatch. The Pebble time kindly donated from Ahmed, who got a Apple watch. This is why although I did say the previous pebble was my last, I luckily had this backup. However this is the last. Lets hope the hybrid smartwatches are better than Fossil’s attempt.

Broken pebble with last one