I just spotted this in my inbox: Airbnb has updated their policy on security devices.
We’re updating our policy on the use and disclosure of security cameras, recording devices, noise decibel monitors and smart home devices for all Airbnb listings.
Starting on 30 April 2024, these rules apply to the presence of these devices, even if they’re turned off:
You’re not allowed to have cameras that monitor indoor spaces.
You must disclose the location of outdoor cameras. For example, “I have cameras monitoring the front door and the pool”.
Outdoor cameras are prohibited in spaces where guests expect greater privacy, such as enclosed showers and saunas.
You must disclose noise decibel monitors, which may only be present in common spaces.
You can have smart home devices like TVs and voice assistants. You aren’t required to disclose these devices, but we encourage you to tell guests that you have them and how to turn them off.
These requirements don’t apply to devices in common spaces outside your home that you don’t control, such as cameras in the foyer of a block of flats.
We’re making these changes after carefully considering how to best balance the privacy and security concerns of our community. Read the full policy on the Help Centre.
Interesting point about disclosing smart devices, as I think this should be the case full stop when entering a space. I don’t know about other people but I tend to be guarded with what I say when under surveillance.
Digital legacy is in that place right now where there are companies which will do it for you but the trust model seems broken to me. Also they tend to need everything to be in one place/platform rather than the real way people use digital technology today and into the trustless/diy/open future.
With this in mind, I checked out a few different options and the one which came up consistently was Hereditas.
Hereditas, which means inheritance in Latin, is a static website generator that builds fully-trustless digital legacy boxes, where you can store information for your relatives to access in case of your sudden death or disappearance.
For example, you could use this to pass information such as passwords, cryptographic keys, cryptocurrency wallets, sensitive documents, etc.
Hereditas is neat and the code is open source, allowing anyone to investigate it. But as it’s alpha software I always felt a bit uneasy about using it for my digital legacy because it felt a bit too barebones (although I did sign up for Auth0).
I looked for alternatives which also used the method of trustless, zero-knowledge and verification, but found little. So I decided to try setting something up myself based on what I already have and use.
It was about the same time the LastPass security breach happened, and although I’m not using an online password manager, I started thinking if there was a way to combine the two in a safe way.
So what did I do?
First I bought these secure USB drives and of course changed the passcode to something long and unique.
Then I made a copy of my KeePass database (my password manager) onto the USB drive along with my Letter of Wishes, a readme file and other bits and bobs. The database is locked up with a very long and difficult master password. That password is stored inside another online password manager, Bitwarden, which includes the feature of emergency access. I have already set up family members and close friends using this feature. This means only a few selected people can access it once I don’t reject their access request.
Once someone gets access to the Bitwarden account, they would still need access to the database file, which is on the secure keys. Then to top that, KeePass has the option of a key file, which can look like almost any file, including ones on the secure USB stick. It’s not elegant but I can’t see many flaws and it works in a simple way which was explained to my family.
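To make the two layers of the scheme above concrete, here is an added example (my code, not the author's setup and not KeePass or Bitwarden code). It models the emergency-access step as a request/wait/reject flow and the database lock as a composite key derived from both the master password and a key file. The key derivation and the seal/open routines are simplified stand-ins built from hashlib and hmac so the example runs offline; the contact names, waiting period, password, key-file bytes and database contents are all constructed values.

```python
"""Layered digital-legacy access: emergency access + composite key.

Added example modelling the scheme described in the post. It is NOT
Bitwarden's or KeePass's real code: the KDF below is a simplified
stand-in (SHA-256 over the hashed factors) and seal/open_sealed use an
HMAC-based keystream plus tag instead of KeePass's real cipher.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class EmergencyAccess:
    """Layer 1: only pre-approved contacts may request; the owner can reject
    during the waiting period; after it elapses the stored secret is released."""
    trusted_contacts: set[str]
    wait_days: int
    secret: str                                   # master password kept in the vault
    pending: dict[str, datetime] = field(default_factory=dict)

    def request(self, who: str, now: datetime) -> None:
        if who not in self.trusted_contacts:
            raise PermissionError(f"{who} is not an emergency contact")
        self.pending[who] = now

    def reject(self, who: str) -> None:
        # The owner is still around and declines the request.
        self.pending.pop(who, None)

    def collect(self, who: str, now: datetime) -> str | None:
        started = self.pending.get(who)
        if started is None or now < started + timedelta(days=self.wait_days):
            return None                           # nothing pending, or still waiting
        return self.secret


def composite_key(master_password: str, key_file: bytes | None = None) -> bytes:
    """Layer 2: the database key needs BOTH factors (simplified KeePass-style KDF)."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(master_password.encode()).digest())
    if key_file is not None:
        h.update(hashlib.sha256(key_file).digest())
    return h.digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def seal(plaintext: bytes, key: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(blob: bytes, key: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or corrupted database")   # wrong factor(s)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


# Constructed sample values (not the author's real data).
MASTER_PASSWORD = "constructed-long-master-password-9f2k"
KEY_FILE = b"constructed key-file bytes; could be any innocuous file on the USB stick"
DB_CONTENTS = b"example entry: site=bank user=ian"
DATABASE = seal(DB_CONTENTS, composite_key(MASTER_PASSWORD, KEY_FILE))


def run_scenario() -> dict[str, object]:
    vault = EmergencyAccess({"sibling", "friend"}, wait_days=7, secret=MASTER_PASSWORD)
    t0 = datetime(2023, 1, 24)                    # constructed timestamp
    results: dict[str, object] = {}
    try:                                           # a stranger cannot even ask
        vault.request("stranger", t0)
        results["stranger_request"] = "allowed"
    except PermissionError:
        results["stranger_request"] = "refused"
    vault.request("friend", t0)
    results["friend_day3"] = vault.collect("friend", t0 + timedelta(days=3))
    vault.reject("friend")                         # owner rejects within the window
    results["friend_after_reject"] = vault.collect("friend", t0 + timedelta(days=30))
    vault.request("sibling", t0)
    pw = vault.collect("sibling", t0 + timedelta(days=7))   # window elapsed
    results["sibling_got_password"] = pw == MASTER_PASSWORD
    try:                                           # password alone does not open the DB
        open_sealed(DATABASE, composite_key(pw))
        results["password_only"] = "opened"
    except ValueError:
        results["password_only"] = "refused"
    results["password_and_keyfile"] = open_sealed(DATABASE, composite_key(pw, KEY_FILE))
    return results
```

The point the model makes visible is that compromising the online vault (layer 1) yields only one factor; the sealed database still refuses to open until the key file from the physical USB stick is supplied as well, while a rejected or not-yet-expired request yields nothing at all.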
Looking at Hereditas again, I quite like the idea of a static website on the secure website, which could make a better solution than a readme file. It would be great if Hereditas could actually run on/offline.
Thoughts and comments are welcomed…
Is there a major flaw which I’m missing, or is it something which could work?
Update Tuesday 24th Jan
There has been some discussion on the fediverse about my post and I wanted to add some more details. Some people have asked why bother and I wanted to address some of them.
The scenario of death is a lot clearer and the death certificate will unlock a lot of things; however it’s worth noting some EULAs from the likes of Dropbox need explicit consent before they will provide access. I’m also using the likes of Google, Facebook, etc.’s legacy contact support.
The scenario I alluded to was when I was in ICU for 3-4 weeks and my family and friends needed to sort out my life when I was buying a new flat. I was lucky but I could have lost the flat. Yes it’s unique, but a lot can happen when you are temporarily or even permanently out of action. Permanent disability is possible and providing access in a safe way can make a lot of difference. I also think my thoughts still work in this case too.
To quote Buckminster Fuller “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.”
Ian thinks: Ransomware is awful and is such a big problem. Interpol and others decided to do something about it, to discourage victims from paying out. The 1.5 million victims helped in a short time is impressive.
Ian thinks: Over the last few months, the AI image generation world has gone into overdrive. I found this comparison really intriguing, although the story of Midjourney speaks volumes.
Ian thinks: I’m not usually a reader of Sci-Fi but now Black Mirror is cancelled, I am looking out for the audiobook of this book. Interesting short stories about the future we are slowly walking towards.
Ian thinks: This talk from the Thinking Digital Conference in Newcastle made me chuckle but highlights a lot of the problems with the future dreams of robots around the home. It’s worth checking out the rest of the conference videos too.
Ian thinks: MIT’s podcast about the automation of everything is a good listen. Well thought out and I’m looking forward to the next season in this ongoing question about trust and machines.
Ian thinks: I am still fascinated and still impressed the podcasting industry is holding tight against the larger players. Innovating together and for the benefit of all, a great example of the public focused future.
Ian thinks: Everyone has been beating up on Netflix recently, but I found this summary sensible and logical, and it raises questions about the multipliers of tech companies.
Ian thinks: For a long time, I have thought about a term which sums up the downsides of social media/networking. In the book Social Warming: The dangerous and polarising effects of social media, I feel Charles Arthur has found the perfect term.
I noticed in Dropbox’s terms and conditions a while ago that if you were to die and didn’t make very clear who your designated executors are and that you want them to gain access to your Dropbox on your death, they will be denied access.
A valid court order establishing that it was the deceased person’s intent that you have access to the files in their account after the person passed away, and that Dropbox is compelled by law to provide the deceased person’s files to you
In short, if you don’t state your intent, Dropbox can/will block access to your files. Or in short, it won’t be as simple as handing over your password, as they can revoke your account if they think it’s been accessed by someone other than yourself. Of course this will most likely be decided by algorithms, not humans.
One thing I did look forward to was the new position of the webcam, from the hinge alongside the keyboard to the top of the screen like most laptops. There is a problem however: as the bezels get smaller, the camera covers are not keeping up.
This isn’t just my new Dell XPS but also the Chromebook I got last year.
I get Apple are more private about data than others like Google (which pings Android phones so much people are suing for data charges) but there is something about misplaced trust with Apple which always bugs me. These latest adverts and recent news stories say it all.
Of course these are all clear reasons why I’m very much in the open source camp. Maybe I won’t understand the code, but someone will and can inspect it or track down the issue without signing an NDA. I urge people not to blindly trust. Always look out for open code, zero-knowledge security, no logging, transparency, etc.
Wherever there are body scans, always-on microphones and a tech giant in the same service, there’s bound to be security concerns. Amazon knows this, and has already outlined what privacy will look like for future Halo users.
Halo health data is encrypted in transit and in the cloud, and sensitive data, like body scan images, are deleted once processed. Meanwhile, voice analysis is processed entirely on the user’s smartphone and deleted after. Nothing is recorded for playback — users can’t even listen to their own speech samples.
All Amazon Halo data can be managed and deleted in the Halo app. Your Halo account is also separate from your Amazon Prime one, so anyone you share your Prime account with won’t be able to access your private health information.
This for me is one of the things people in the Quantified Self movement were always worried about.
Do you trust Amazon with this much personal data?
What’s the actual pay off?
Is it all actually worth it?
Then you have to ask the question what makes it different from other quantified self devices and systems?
“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.
That, according to critics, has now changed.
“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”
I do understand why they have done it, but I don’t know where it’s going next. Marlinspike (head dev of Signal) replies.
Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”
“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”
The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.
It was always clear to me Twitter direct messages were never secure in any way, hence why I tried to move private conversations over to another medium. If that’s not email or Signal, what else? Recently I have been looking at a couple of others…
Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.
This is of course very difficult as it’s what we use at work, and of course being in the middle of the covid19 lockdown makes things tricky. Because of this, I’m going to still use it but with much more caution, and I’m going to be a lot more forceful about the hosting side of it.
The defaults of Zoom are set up for a semi-trusted corporate environment. I understand the covid-19 pandemic changed everything, but there have been many updates and only now are the defaults just about safe. Their share prices have rocketed but they are only now focused on security ahead of more features?
Their idea of end to end encryption is a total dump, on top of the security findings saying some calls are being routed via China. Today they announced you can choose your routing, but you need to pay for it. More governments and companies are blocking Zoom because they just don’t trust it.
Likewise neither do I… but I will use it… with caution.
I have been thinking about an equivalent, and thought about two.
I lost trust in Facebook a long while ago but still use it for volleyball events and the occasional post about something I feel could be important for friends, family and the public who don’t read my blog (as it’s posted on the internet already, I post publicly adopting the indieweb POSSE approach, much to the surprise of some friends). For example, I posted there today what happened on Zoom yesterday.
Facebook was hardly trustworthy to start with and over and over again they took the living daylights with our data.
There was a point when Windows Vista was pushed as the next step/edition from Windows XP and I didn’t like what Microsoft had done to it. To be fair I didn’t trust them and saw shadows of where things were heading. So I switched to Ubuntu. I know the new Microsoft is quite different of course, but the damage was done.
If you are hosting a Zoom call, please do lock it down; there are a number of guides to help, including this one.
Facebook is looking to take the initiative in the social media privacy debate by opening a network of pop-up cafes around the UK. Each will offer patrons free drinks and a privacy checkup, to help assuage consumer concerns about their privacy online.
Facebook Café will run from 28 August to 5 September in a bid to encourage Britons to get on top of their digital footprint, helped along by free-flowing caffeine.
One of these will be located within The Attendant on Great Eastern Street, London, in response to surveys indicating that 27% of Londoners have no idea how to personalise their social media privacy parameters.
She also reminded me about the web3 summit, which I wish I could attend but always felt like I might not be quite the right person for it. I look forward to hearing what comes out of it however, because it’s clear, as Jutta says:
…The first time I interacted with the web like everything was open and somehow that was the the perception like we now have this great tool and sort of thought like it’s not this these closed intranets. But it’s the information superhighway we can do whatever we want but what happened really over the 30 or so years afterwards was we replicated or built a ton of intermediaries that basically sit between us and anybody we want to interact on the with on the web online, be that through what’s that when we text to someone through Facebook, venmo, whatever you use you buy anything there’s always an intermediary for something that really should be a general p2p interaction. So the problem with this really is what’s underneath this and what led to this mass these mass centralization and of power and data in the hands of very few people is the fact that we had to do this in a very centralized way because this is just how the Internet technologies of where to work so we have an underlying architecture with centralized servers where all the data is gathered because of network effect the power accumulates and accumulates, and this is a very fraught way of doing things because you have a central point of failure and that was massively exposed by the Snowden revelations I mean partly because also backdoors are built into it but partly because it’s it’s centralized architecture…
I was sure I tooted/tweeted a thank you to the Google team at Berlin’s Re:publica conference. But it looks like it never quite happened due to connectivity issues with the wifi at certain points of the day.
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:
When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
This all being a big mistake, Google has offered a replacement key. However, because my key hasn’t been added to my account yet, I get a message saying no action is required, but an email to override this. However, after double checking, my key is a type T3, meaning it wasn’t affected.
Tim Berners-Lee helped invent the world wide web 30 years ago. And he has consistently pointed out that the original dream that gave rise to it is under threat.
It is exactly 30 years since Sir Tim submitted a paper to his colleagues at CERN, suggesting a way of sharing data across networks, under the title “Information Management: A Proposal”. The humble title belies the importance of what was contained inside, which included a complete sketch for the networked information system that would go on to become the internet we know today.
But it’s really important to think about the next 30 years.
I had a really good 10min talk with Sir Tim Berners-Lee during the last Mozilla Festival, while talking about Solid, Databox and data trust. What got me as we talked, was ultimately we were talking about power and where it lies. Power in the hands of governments (Chinese model) , corporations (American model) or people? (could be the European model?)
I think remembering there are humans, not eyeballs, not lefties/rightwingers, etc. is so important. Let’s celebrate the people of the web!
I received an email from Have I Been Pwned that my email address and password had been exposed in a breach from MyHeritage. Most breaches are somewhat worrisome, but as I don’t use the same passwords because I have a password manager with lengthy random passwords, it’s less of a problem.
What was shocking about the MyHeritage breach for me was that I have never logged in to or used MyHeritage ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.
I believe a member of my large family entered my email address and then added details about me into MyHeritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto generated by MyHeritage? The only way I could get access to the account was via a password reset. Once in I deleted my account straight away, but I thought about it some more.
The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.
If I’m right this is deeply troubling and a worrying precedent!
It’s been a difficult time recently. My scooter was damaged once again in a break-in on the car park where I park. I say again because in April 2018 exactly the same thing happened. Less than a year!
In April 2018, the motorbikes were targeted but none were taken; if I remember, some other things were broken and taken. However, between the chains and locks broken, it was clear they tried to break my steering lock by forcing the handlebars. They slightly twisted but luckily not at the fork level; this still cost about £150 to fix.
This time the motorbikes were targeted, and looking at the CCTV images from the different cameras across the site it’s clear they were only after the motorbikes, nothing else.
There were some other similarities between the break-ins. The CCTV overlooking the motorbikes was covered up in both cases.
They also broke into the car park from the building site next door.
Unlike last time however, I spotted 4 men acting very weirdly on the canal side on Monday 14th night/Tuesday 15th morning. They were dressed in black with hoods and scarves across their mouths and noses. They seemed to be breaking into Islington Wharf Mews by jumping over a wall with a sleeping bag to protect themselves from the spikes on top.
23:49 – Calling the non-emergency number (101) I was put on hold for ages, and by the time they finally picked up, the men had jumped back over the wall to the canal side and disappeared from my view.
00:09 – The police took some details and asked where they were now. I happened to catch them breaking into the building site from the road side. Telling the police, they originally said they were going to send someone out. However, as I found out later, they looked at the public CCTV, which obviously doesn’t point onto the building site, plus they were dressed in complete black. Once they looked and saw nothing they closed the logged case.
00:45 – Meanwhile I hadn’t noticed, but saw later on the garage CCTV, a 5th man dressed totally in black was trying to get into the garage by sneaking in while the roller shutter was coming down after someone left or entered the garage. He failed and even got shouted at by residents in a car.
00:48 – I get a short phone call from the police asking if I had seen anything else new. I said no.
01:08 – Not long after my original call and 20 mins after my call back, some men gain access to the car park via the ground floor car park by breaking the wood slats. I know this for sure because the CCTV confirms the moment they broke through and climbed through.
They headed straight for the motorbikes, ignoring all the cars and bicycles. They broke the locks of 2 motorbikes and damaged my scooter. They are in the car park for 35 mins (01:08 – 01:43). All their movements around the car park are captured on our own CCTV, except the one right above the bikes.
01:43 – Finally they leave, heading out the car park pedestrian door with 2 motorbikes.
09:41 – I only found out the next day when I was going to work and saw the damage and the missing motorbikes. This time they tried to get at the scooter ignition instead of trying to break the steering lock. As you can see the damage is pretty bad but the steering is actually fine. I checked all the other locks and chains and they are good.
However 2 other motorbikes are gone and I got lucky. I’ve beefed up my locks and am now using my alarm more often (not just the immobiliser). I also got a crime reference and asked about my early morning call. I’m told the case is ongoing but police were sent out.
19:53 – Later in the evening when I call up again, I’m told the cases are not connected, the case was closed, and the police were not sent out because there was nothing on a CCTV (no idea which one they are referring to).
My problem I see is…
The police are not connecting the two cases. Now I understand there is a chance the 4 men dressed head to toe in black on a building site may not be the same 5 people who broke into the garage from the same building site stealing the bikes? Yes it happened within 60 mins of my call but who knows – right? What I don’t understand is why no one was sent out? Even a visit could have prevented a crime. They also lied to me on the phone.
I don’t get how the building site isn’t partly to blame for its lack of security, not just once but twice now. There is a good chance the men stole tools from the building site to break the locks. I certainly didn’t see them carrying anything when getting into Islington Wharf Mews.
The police still haven’t looked or requested the CCTV from Islington Wharf, The Mews or the building site next door. Yes they are dressed in black but it could be useful to see where they came from and got to with the stolen motorbikes?
Why was I told they would send out a police officer but later told they didn’t? I feel like I was lied to….
I’m doing what I can but it’s slow going, and not being able to get actual CCTV (for good reasons) it’s kinda impossible to convince the police to follow up. This is partly why I decided to share my frustrations without too many details.
Updated – Evening of Tuesday 29th Jan 2019
I’ve had an update from a few sources and the timeline includes this..
Tuesday 15 January 2019
00:19 – While I see 4 men getting into Islington Wharf Mews, another man, also dressed in black from head to toe, is trying to gain entry to the Islington Wharf car park by trying to sneak in when someone leaves or enters. Unsuccessful, he returns to his hiding position each time. This also explains why 1 of the 4 men I saw kept looking out from their 1st floor position.
00:45 – They try to gain entry again but a resident closes the shutter too quickly. 3 mins later I get my call from the police, but still no one shows up. On the building site they break a padlock on a tool box, giving them access to stronger tools.
01:08 – They break into the car park via the ground floor through the fence using the builders’ tool.
01:18 – They send 2 of them for an initial scope out of the car park and then all 5 of them go into the car park. They break the locks of 2 motorbikes and damage my scooter. They are in the car park for 35 mins.
01:43 – One of the residents tries to drive into the car park, and when the roller shutter goes up they run away pushing the motorcycles.
Updated – Morning of Wednesday 30th Jan 2019
At 8:30am I received a phone call from the special operations police. They had read my email and were slightly shocked at how I’d been treated through this investigation. He massively apologised and agreed, based on the research I had done, that the cases are linked. Then finally at 13:00 they did go and review the footage from the flats and are using it in their ongoing investigation along with other CCTV footage.