Tag: security

Airbnb: New rules for using security cameras and other devices

Airbnb monitoring warning

I just spotted this in my inbox, airbnb has updated their policy on security devices.

We’re updating our policy on the use and disclosure of security cameras, recording devices, noise decibel monitors and smart home devices for all Airbnb listings.

Starting on 30 April 2024, these rules apply to the presence of these devices, even if they’re turned off:

  • You’re not allowed to have cameras that monitor indoor spaces.
  • You must disclose the location of outdoor cameras. For example, “I have cameras monitoring the front door and the pool”.
  • Outdoor cameras are prohibited in spaces where guests expect greater privacy, such as enclosed showers and saunas.
  • You must disclose noise decibel monitors, which may only be present in common spaces.
  • You can have smart home devices like TVs and voice assistants. You aren’t required to disclose these devices, but we encourage you to tell guests that you have them and how to turn them off.
  • These requirements don’t apply to devices in common spaces outside your home that you don’t control, such as cameras in the foyer of a block of flats.

We’re making these changes after carefully considering how to best balance the privacy and security concerns of our community. Read the full policy on the Help Centre.

I have to say its a good and well needed change.

Interesting point about disclosing smart devices, as I think this should be the case full stop when entering a space. I don’t know about other people but I tend to be guarded with what I say when under surveillance.

Digital legacy the home made version

 

iStorage datAshur PRO 4GB Secure flash USB drive

For a long while since my brush with death, I have been thinking about my digital legacy as most of my stuff is digital. I know its not something most people think about but in the same way most people don’t think about their will till something major happens or its too late.

Digital legacy is in that place right now where there are companies which will do it for you but the trust model seems broken to me. Also they tend to need everything to be in one place/platform rather than the real way people use digital technology today and into the trustless/diy/open future.

With this in mind, I checked out a few different options and the one which came up consistently was Hereditas.

Hereditas, which means inheritance in Latin, is a static website generator that builds fully-trustless digital legacy boxes, where you can store information for your relatives to access in case of your sudden death or disappearance.

For example, you could use this to pass information such as passwords, cryptographic keys, cryptocurrency wallets, sensitive documents, etc.

Herditas is neat and the code is open source allowing anyone to investigate it. But as its alpha software I always felt a bit uneasy about using it for my digital legacy because it felt a bit too barebones (although I did sign up for Auth0).

I looked for alternatives such which also used the method of trustless, zero-knowledge and verification, but found little. So decided to try setting something up myself based on what I already have and use.

It was about the same time the lastpass security breach happened and although I’m not using a online password manager started thinking if there was a way to combine the both in a safe way.

So what did I do?

First I bought these secure USB drives and of course changed the passcode to something long and unique.

Then made a copy of my keepass database (my password manager) on to the USB drive along with my  Letter of wishes, a readme file and other bits and bobs. The database is locked up with a very long and difficult master password. That password is stored inside another online password manager, bitwarden which includes the feature of emergency access. I have already set up family members and close friends using this feature. Meaning only a few selected people can access it once I don’t reject their access request.

Once someone gets access to the bitwarden account, they would still need access to the database file, which is on the secure keys. Then to top that,  keepass has the option of a key file which can look like almost any file including ones on the secure USB stick. Its not elegant but I can’t see many flaws and it works in a simple way which was explained to my family.

I’m still experimenting with this all but been thinking a better option is to use another encrypted filesystem or Certs for the keepass 2nd authentication. Of course that file doesn’t have to even sit on the secure USB drive at all, as I’m considering buying and using more FIDO2 keys and using that instead.

Looking Herditas again, I quite like the idea of a static website on the secure website which could make a better solution that a readme file. It would be great if Herditas could actually run on/offline

Thoughts and comments are welcomed…

Is there a major flaw which I’m missing or is something which could work?

Update Tuesday 24th Jan

There has been some discussion on the fediverse about my post and I wanted to add some more details. Some people have asked why bother and I wanted to address some of them.

The scenario of death is a lot clearer and the death certificate will unlock a lot of things, however its worth noting some EULAs from the likes of dropbox need explicit consent before they will provide access. I’m also using the likes of Google, Facebook, etc’s legacy contact support.

The scenario I alluded to, was when I was in in ICU for 3-4 weeks and my family and friends needed to sort out my life when I was buying a new flat. I was lucky but I could have lost the flat. Yes its unique but a lot can happen when you are temporarily or even permanently out of action. Permanent disability is possible and providing access in a safe way, can make a lot of difference. I also think my thoughts still works in this case too.

Public Service Internet monthly newsletter (Sept 2022)

a group of people walking down a street next to tall buildings, cyberpunk art by Ji Sheng, cgsociety, afrofuturism, concept art HQ
a group of people walking down a street next to tall buildings, cyberpunk art by Ji Sheng, cgsociety, afrofuturism, concept art HQ – via Midjourney

We live in incredible times with such possibilities that is clear. Although its easily dismissed seeing the ring door bell show, twitter not taking security seriously and Android stalkerware with a flaw affecting millions.

To quote Buckminster Fuller “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.

You are seeing aspects of this with some cameras which can optically not see objects and people. Facebook messager pushed into deploying some-kind of encryption and Chokepoint capitalism look very well timed indeed.

1.5 million people avoided ransomware

Ian thinks: Ransomware is awful and is such a big problem. Interpol and others decided to do something about it, to encourage victims from paying out. The 1.5 million victims helped in a short time is impressive

Side by side, the differences between AI image generators

Ian thinks: Over the last few months, the AI image generation world has gone in overdrive. I found this comparison really intriguing although the story of midjourney speaks volumes.

The privacy and security problems of frictionless design

Ian thinks:: What Tiktok is doing is deeply worrying but it raises the bigger question of usability to avoid user agency and data rights.

Terraform: Stories from the future?

Ian thinks: I’m not usually a reader of Sci-Fi but now Black Mirror is cancelled, I am looking out for the audiobook of this book. Interesting short stories about the future we are slowly walking towards.

Could we ever trust robots?

Ian thinks: This talk from the Thinking Digital Conference in Newcastle, made me chuckle but highlights a lot of the problems with the future dreams of robots around the home. Its worth checking out the rest of the conference videos too.

In machines we trust?

Ian thinks: MIT’s podcast about the automation of everything is a good listen. Well thought out and I’m looking forward to the next season in this ongoing question about trust and machines.

The future is bright for open podcasting

Ian thinks: I am still fascinated and still impressed the podcasting industry is holding tight against the larger players. Innovating together and for the benefit of all, a great example of the public focused future.

What can be learned from Netflix’s downturn?

Ian thinks: Everyone has been beating up on Netflix recently, but I found this summary sensible, logical and raises questions about the multipliers of tech companies.

Have you ever considered the term social warming?

Ian thinks: For a long time, I have thought about a term which sums up the downsides of social media/networking. In the book Social Warming: The dangerous and polarising effects of social media, I feel Charles Arthur has found the perfect term.

Find the archive here

When the dead out number the living in social networks

I can’t say how good this TedX talk is, so many good points in a short video.

I noticed in dropbox terms and conditions a while, if you were to die and didn’t make very clear who your designated executors are and that you want them to gain access to your dropbox in your death. They will be denied access.

A valid court order establishing that it was the deceased person’s intent that you have access to the files in their account after the person passed away, and that Dropbox is compelled by law to provide the deceased person’s files to you

In short, if you don’t state your intent, dropbox can/will block access to your files. Or in short its won’t be simply hand over your password, as they can revoke your account if they think its been accessed by someone else than yourself. Of course this will most likely be decided by algorithms not humans.

Thats just the start…

We got to do better than this… Webcam covers

Camera cover on the new XPS13
How attractive on a new laptop

I agree this is a privileged thing but I got a replacement for my aging Dell XPS 13 work laptop. Another Dell XPS 13 but the updated version with much better support for Ubuntu. Its a great machine!

Dell XPS13 with that camera cover
My Dell XPS13 with that SD card, I mean camera cover sticking out

One thing I did look forward to was the new position of the webcam from the hinge alongside the keyboard. To the top of the screen like most laptops. There is a problem however, as the bezels get smaller the camera covers are not keeping up.

This isn’t just my new Dell XPS but also the Chromebook I got last year.

Chromebook camera cover sticking out
Looks like there is a SD card sticking out of my Chromebook

I gather there is sticker packs which don’t leave that usual glue stuff, which I’ll give a try but I certainly feel like I’m putting a plaster (literately) on a much deeper rooted problem. Camera should never be possible to enable without the light coming on full stop.

Apple and their form of privacy

Apple's smug new iPhone ad says privacy matters, just ...

Ummmm right…

I get Apple are more private about data than others like Google (which pings Android phones so much people are suing for data charges) but there is something about misplaced trust with Apple which always bugs me. These latest adverts and recent news stories say it all.

Downloads outage down issues which is all around Apples Gatekeeper privacy and Apple’s latest OS update Big sur network traffic bypass.

Of course this is all clear reasons why I’m very much in the open source camp. Maybe I won’t understand the code, but someone will and can inspect it or track down the issue without signing an NDA. I urge for people to not blindly trust. Always look out for open code, zero-knowledge security, no logging, transparency, etc

Amazon halo…be afraid be very afraid

There is so much I wanted to say about the Amazon Halo health/fitness tracker. The Twit.tv video above pretty much sums up my thoughts. I haven’t read through the halo privacy policy yet, but others are picking bit out already.

Amazon Halo privacy concerns

Wherever there are body scans, always-on microphones and a tech giant in the same service, there’s bound to be security concerns. Amazon knows this, and has already outlined what privacy will look like for future Halo users.

Halo health data is encrypted in transit and in the cloud, and sensitive data, like body scan images, are deleted once processed. Meanwhile, voice analysis is processed entirely on the user’s smartphone and deleted after. Nothing is recorded for playback — users can’t even listen to their own speech samples.

All Amazon Halo data can be managed and deleted in the Halo app. Your Halo account is also separate from your Amazon Prime one, so anyone you share your Prime account with won’t be able to access your private health information.

This for me is one of the things people in the Quantified Self movement were always worried about.

Do you trust Amazon with this much personal data?
Whats the actual pay off?
Is it all actually worth it?

Then you have to ask the question what makes it different from other quantified self devices and systems?

Signal what are you up to?

I love Signal and never used Whatsapp because of many reasons included in this great opinion piece. Its gotten better and better but the recent pin number is a worry. I’m not the only one.

“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

I do understand why they have done it, but I don’t know where its going next. Marlnspike (head dev of Signal) replies.

Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”

Smartphone use
Photo by Gilles Lambert on Unsplash

The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.

Convenience is the enemy of security and I would say privacy. I wouldn’t be surprised if signal gets forked.

It was always clear to me Twitter direct messages was never secure in anyway, hence why I tried to move private conversations over to another medium. If thats not email or signal what else? Recently I have been looking at a couple others…

Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.

I lost all trust for Zoom yesterday…

British PM on Zoom
Wonder how many people have tried to dial into that zoom id?

Yesterday I was on a zoom call which was hijacked or zoombombed with something not just horrible but totally illegal. Because of this I have pretty much lost all trust in zoom.

This is of course very difficult as its what we use at work and of course being in the middle of the covid19 lockdown, makes things tricky. Because of this, I’m going to still use it but with much more caution and I’m going to be a lot more forceful about the hosting side of it.

Its clear war-dialers for public Zoom meetings is so easy and well used by inscrutable groups of people. Zoom could make sharable links much more difficult to war dial, similar to the way Google docs uses combinations of characters and numbers to make a much longer url, a lot harder to war-dial.

The defaults of Zoom, is setup for a semi trusted corporate environment. I understand the covid-19 pandemic changed everything but there has been many updates and only now is the defaults only just safe. Their share prices have rocketed but they are only now focused on security ahead of more features?

Their idea of end to end encryption is a total dump on top of the security findings saying some calls are being routed via China.. Today they announce you can choose your routing but you need to pay for it. More governments and companies are blocking zoom because they just don’t trust it.

Likewise neither do I… but I will use it… with caution.

I have been thinking about an equivalent, and thought about two.

  1. I lost trust in Facebook a long while ago but still use it for volleyball events and the occasional post about something I feel could be important for friends, family and the public who don’t read my blog (as its posted on the internet already, I post publicly adopting the indieweb Posse approach, much to the surprise of some friends). For example I posted what happened on zoom yesterday there today.
    Facebook was hardly trustworthy to start with and over and over again they took the living daylights with our data.
  2. There was a point when Windows Vista pushed as the step/edition of Windows XP and I didn’t like what Microsoft had done to it. To be fair I didn’t trust them and saw shadows of where things were heading. So I switched to Ubuntu.I know the new Microsoft is quite different of course but the damage was done.

If you are hosting a Zoom call, please do lock it down theres a number of guides to help including this one.

Facebook cafe with free drinks and privacy check-ups?

https://twitter.com/wearesorryfor/status/1162346869017763853

When I saw Jasmine’s reply to Claires tweet. I thought exactly the same thing. Its the ethical dilemma cafe, only 5 years out too late.

Facebook is looking to take the initiative in the social media privacy debate by opening a network of pop-up cafes around the UK. Each will offer patrons free drinks and a privacy checkup, to help assuage consumer concerns about their privacy online.

Facebook Café will run from 28 August to 5 September in a bid to encourage Britons to get on top of their digital footprint, helped along by free-flowing caffeine.

One of these will be located within The Attendant on Great Eastern Street, London, in response to surveys indicating that 27% of Londoners have no idea how to personalise their social media privacy parameters.

Free coffee (what kind) and teas in exchange for? Privacy advice from Facebook, Wifi snooping like most, a honeypot, or maybe a bit of social engineering from FB staff (Scientology style)?

Is it worth it? I very much doubt it but it would be fun to mess with the FB cafe staff and systems. Don’t you think?