I get Apple are more private about data than others like Google (which pings Android phones so much people are suing for data charges) but there is something about misplaced trust with Apple which always bugs me. These latest adverts and recent news stories say it all.
Of course this is all clear reasons why I’m very much in the open source camp. Maybe I won’t understand the code, but someone will and can inspect it or track down the issue without signing an NDA. I urge for people to not blindly trust. Always look out for open code, zero-knowledge security, no logging, transparency, etc
Wherever there are body scans, always-on microphones and a tech giant in the same service, there’s bound to be security concerns. Amazon knows this, and has already outlined what privacy will look like for future Halo users.
Halo health data is encrypted in transit and in the cloud, and sensitive data, like body scan images, are deleted once processed. Meanwhile, voice analysis is processed entirely on the user’s smartphone and deleted after. Nothing is recorded for playback — users can’t even listen to their own speech samples.
All Amazon Halo data can be managed and deleted in the Halo app. Your Halo account is also separate from your Amazon Prime one, so anyone you share your Prime account with won’t be able to access your private health information.
“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.
That, according to critics, has now changed.
“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”
I do understand why they have done it, but I don’t know where its going next. Marlnspike (head dev of Signal) replies.
Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”
“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”
The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.
It was always clear to me Twitter direct messages was never secure in anyway, hence why I tried to move private conversations over to another medium. If thats not email or signal what else? Recently I have been looking at a couple others…
Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.
This is of course very difficult as its what we use at work and of course being in the middle of the covid19 lockdown, makes things tricky. Because of this, I’m going to still use it but with much more caution and I’m going to be a lot more forceful about the hosting side of it.
The defaults of Zoom, is setup for a semi trusted corporate environment. I understand the covid-19 pandemic changed everything but there has been many updates and only now is the defaults only just safe. Their share prices have rocketed but they are only now focused on security ahead of more features?
Their idea of end to end encryption is a total dump on top of the security findings saying some calls are being routed via China.. Today they announce you can choose your routing but you need to pay for it. More governments and companies are blocking zoom because they just don’t trust it.
Likewise neither do I… but I will use it… with caution.
I have been thinking about an equivalent, and thought about two.
I lost trust in Facebook a long while ago but still use it for volleyball events and the occasional post about something I feel could be important for friends, family and the public who don’t read my blog (as its posted on the internet already, I post publicly adopting the indieweb Posse approach, much to the surprise of some friends). For example I posted what happened on zoom yesterday there today.
Facebook was hardly trustworthy to start with and over and over again they took the living daylights with our data.
There was a point when Windows Vista pushed as the step/edition of Windows XP and I didn’t like what Microsoft had done to it. To be fair I didn’t trust them and saw shadows of where things were heading. So I switched to Ubuntu.I know the new Microsoft is quite different of course but the damage was done.
If you are hosting a Zoom call, please do lock it down theres a number of guides to help including this one.
Facebook is looking to take the initiative in the social media privacy debate by opening a network of pop-up cafes around the UK. Each will offer patrons free drinks and a privacy checkup, to help assuage consumer concerns about their privacy online.
Facebook Café will run from 28 August to 5 September in a bid to encourage Britons to get on top of their digital footprint, helped along by free-flowing caffeine.
One of these will be located within The Attendant on Great Eastern Street, London, in response to surveys indicating that 27% of Londoners have no idea how to personalise their social media privacy parameters.
She also reminded me about the web3 summit, which I wish I could attend but always felt like I might not be quite the right person for it. I look forward to hearing what comes out of it however because its clear as Jutta says
…The first time I interacted with the web like everything was open and somehow that was the the perception like we now have this great tool and sort of thought like it’s not this these closed intranets. But it’s the information superhighway we can do whatever we want but what happened really over the 30 or so years afterwards was we replicated or built a ton of intermediaries that basically sit between us and anybody we want to interact on the with on the web online, be that through what’s that when we text to someone through Facebook, venmo, whatever you use you buy anything there’s always an intermediary for something that really should be a general p2p interaction. So the problem with this really is what’s underneath this and what led to this mass these mass centralization and of power and data in the hands of very few people is the fact that we had to do this in a very centralized way because this is just how the Internet technologies of where to work so we have an underlying architecture with centralized servers where all the data is gathered because of network effect the power accumulates and accumulates, and this is a very fraught way of doing things because you have a central point of failure and that was massively exposed by the Snowden revelations I mean partly because also backdoors are built into it but partly because it’s it’s centralized architecture…
I was sure I tooted/tweet a thank you to the Google team in Berlin’s Re:publica conference. But it looks like it never quite happened due to connectivity issues with the wifi at certain points of the day.
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:
When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
This all being a big mistake, Google has offered a replacement key. However because my key hasn’t been added to my account yet, I get a message saying no action is required but a email to override this. However after double checking my key is a type T3 meaning it wasn’t effected.
Tim Berners-Lee helped invent the world wide web 30 years ago. And he has consistently pointed out that the original dream that gave rise to it is under threat.
It is exactly 30 years since Sir Tim submitted a paper to his colleagues at CERN, suggesting a way of sharing data across networks, under the title “Information Management: A Proposal”. The humble title belies the importance of what was contained inside, which included a complete sketch for the networked information system that would on to become the internet we know today.
But its really important to think about the next 30 years.
I had a really good 10min talk with Sir Tim Berners-Lee during the last Mozilla Festival, while talking about Solid, Databox and data trust. What got me as we talked, was ultimately we were talking about power and where it lies. Power in the hands of governments (Chinese model) , corporations (American model) or people? (could be the European model?)
I think remembering their are humans, not eyeballs, not lefties/rightwingers, etc is so important. Lets celebrate the people of the web!
I received a email from have have I been pwned that my email address and password had been exposed in breach from My Heritage. Most breaches are somewhat worry-some but as I don’t use the same passwords because I have a password manager with lengthy random passwords; its less of a problem.
What was shocking about the myheritage breach for me, was that I have never logged in to or used myheritage ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.
I believe a member of my large family entered my email address and then added details about me into myheritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto generated by myhertiage? The only way I could get access to the account was via a password reset. Once in I deleted my account straight away, but I thought about it some more.
The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.
If I’m right this is deeply troubling and a worrying precedent!
Its been a difficult time recently. My scooter was damaged once again in a break in on the car park where I park. I say again because in April 2018 exactly the same thing happened. Less that a year!
In April 2018, the motorbikes were targetted but none were taken, if I remember some other things were broken and taken. However between the chains and locks broken, it was clear they tried to break my steering lock by forcing the handle bars. They slightly twisted but not at the fork level lucky, this still costed about £150 to fix.
This time the motorbikes were targetted and looking at the CCTV images from the different cameras across the site its clear they were only after the motorbikes nothing else.
There was some other similarities between the break-ins. The CCTV over looking the motorbikes was covered up in both cases.
They also broke into the car park from the building site next door
Unlike last time however, I spotted 4 men acting very weirdly on the canal side on Monday 14th night/Tuesday 15th morning. They were dressed in black with hoods and scarfs across their mouths and noses. They seemed to be breaking into Islington Wharf Mews by jumping over a wall with a sleeping bag to protect themselves from the spikes on top.
23:49 – Calling the non-emergency number (101) I was put on hold for ages but finally by the time they picked up. The men jumped back over the wall to the canal side, they disappeared from my view.
00:09 – The police took some details and asked where they were now. I happened to catch them breaking into the building site from the road side. Telling the police, they originally said they were going to send someone out. However as I found out later they looked at the public CCTV, which obviously doesn’t point on to the building site plus they were dressed in complete black. Once they looked and saw nothing they closed the logged case
00:45 – Meanwhile I hadn’t noticed but saw later on the garage CCTV a 5th man dressed totally in Black was trying to get into the garage by sneaking in while the roller shutter was coming down after some left or entered the garage. He failed and even got shouted at by residents in a car.
00:48 – I get a short phone call from the police asking if I seen anything else new? I said no.
01:08 – Not long after my original call and 20mins after my call back, some men gain access to the car park via the ground floor car park by breaking the wood slats. I know this for sure because the CCTV confirms the moment they broke through and climbed through.
They headed straight for the motorbikes ignoring all the cars and bicycles. Broke two locks of 2 motorbikes, and damaging my scooter. They are in the car park for 35mins (01:08 – 01:43), All their movements around the carpark are captured on our own CCTV, except the one right above the bikes
01:43 – Finally they leave heading out the car park pedestrian door with 2 motorbikes
0941 – I only found out the next day when I was going to work and saw the damage and the missing motorbikes. This time to tried to get at the scooter ignition instead of trying to break the steering lock. As you can see the damage is pretty bad but the steering is actually fine. I checked all the other locks and chains and they are good.
However 2 other motorbikes are gone and I got lucky. I’ve beefed up my locks and now using my alarm more often now (not just the immobiliser). I also got a crime reference and asked about my early morning call. I’m told the case is on going but police were sent out.
1953 – Later in the evening when I call up again, I’m told the cases are not connected was closed and the police were not sent out because there was nothing on a CCTV (no idea which one they are referring to)
My problem I see is…
The police are not connecting the two cases. Now I understand there is a chance the 4 men dressed head to toe in black on a building site may not be the same 5 people who broke into the garage from the same building site stealing the bikes? Yes it happened with 60 mins of my call but who knows – right? What I don’t understand is why no one was sent out? Even a visit could have prevented a crime. They also lied to me on the phone
I don’t get how the building site isn’t partly to blame for it lack of security not just once but twice now. There is a good chance the men stole tools from the building site to break the locks. I certainly didn’t see them carrying anything when getting into Islington Wharf Mews.
The police still haven’t looked or requested the CCTV from Islington Wharf, The Mews or the building site next door. Yes they are dressed in black but it could be useful to see where they came from and got to with the stolen motorbikes?
Why was I told they will send out a police offer but later told they didn’t? I feel like I was lied to….
I’m doing what I can but its slow going and not being able to get actual CCTV (for good reasons) its kinda impossible to convince the police to follow up. This is partly why I decided to share my frustrations without too much details.
I’ve had an update from a few sources and the timeline includes this..
Tuesday 15 January 2019
00:19 – While I see 4 men getting into Islington Wharf Mews, another man also dressed in black from head to toe is trying to gain entry to the Islington wharf car park by trying to sneak in when someone leaves or enters. Unsuccessfully he returns to his hiding position each time. This also explains why 1 of the 4 men I saw kept looking out from their 1st floor position.
00:45 – They tried to gain entry again but a resident closes the shutter too quickly. 3mins later I get my call from the police, but still no one shows up. On the building site they break a padlock on a tool box, giving them access to stronger tools
01:08 – They break into the car park via the ground floor through the fence using the builders tool.
01:18 – They send 2 of them for an initial scope out of the carpark and then after all 5 of them go into the car park. Breaking two locks of 2 motorbikes, and damaging my scooter. They are in the car park for 35mins
01:43 – One of the Residents tried to drive in to the car park and when the roller shutter goes up they run away pushing the motorcycles.
At 8:30am I received a phone call from the special operations police. They had read my email and were slight shocked at how I’d be treated through this investigation. He massively apologized and agreed based on the research I had done, the cases are linked. Then finally at 1300 they did go and review the footage from the flats and are using it in their ongoing investigation along with other CCTV footage.
I have a lot of curiosity and one of the things which has consistently got me curious, is the challenges of the hidden. Hidden being the trick, the data, the technique, the place or the knowledge. This is why I’m very interested in Hacker House (it was almost added to my new years resolutions for 2017 even).
Currently data is the hidden which intrugued me the moment, hence my massive interest in data ethics. There’s been 3 experiments which have really got me jumping up and down about this all… thought I’d share while I eat cheese and drink wine on Christmas day
I know what you downloaded (…last summer or even last Christmas)
This site collects IPs from public torrent swarms by parsing torrent sites and listening to the DHT network. They have more than 500.000 torrents which where classified and have data on peers sharing habits. The slightly twisted feature is the ability to share a link and see what people have been sharing. I promise not to do this but highlights the problem with shortern urls and long query strings you can’t be bother to read or don’t understand how they work (knowledge). Found via Torrentfreak
Find my phone
Man’s smartphone is stolen in Amsterdam, so the same man decides to root another phone and deliberately track the phone. Along with the person who stole it! The results are turned into a video which you can watch on youtube.
Found via Schneier
This is exactly the sort of Internet-of-Things attack that has me worried:
“IoT Goes Nuclear: Creating a ZigBee Chain Reaction” by Eyal Ronen, Colin OFlynn, Adi Shamir and Achi-Or Weingarten.
Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
To put it bluntly, I’ve stopped worrying about whether the public cares about privacy – and I believe privacy advocates should stop worrying about it too.
Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.
I’ll go even further. Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.
I’m aware that these thoughts might sound wildly contradictory – if not insane. Over the past three years I’ve tested them out on audiences across the world and experienced waves of disbelief. That’s one reason why I’m certain those ideas are on the right track.
In summary, my belief is that too many of us are obsessing about whether X percent of people change their default privacy settings, or whether Y+4 percent “care very much” about privacy – or indeed whether those figures went up or down in the last few months or were influenced by loaded questions, etc etc.
As advocates, we should never buy into that formula; it’s a trap. And for funding organisations to think that way is a betrayal of fundamental rights. A program director for a medium sized philanthropic foundation told me earlier this month that her board had “given up” on privacy because “we can’t measure any change in people’s habits”. I don’t see that equation being used as a measure of the importance of other rights.
In the failed rationale of opinion and user behaviour statistics, the relative importance of privacy depends on the level of active popular interest in the topic. According to some commentators, privacy is a non-issue if only a minority of people actually adopt privacy protection in their social networking or mobile use.
Imagine if that logic extended to other fundamental rights. It would mean that the right to a fair trial would be destabilized every time there was a shift in public sentiment. And it would mean that Unfair Contract protections in consumer law would never have been adopted – replaced instead with a “Buyer Beware” ideology.
Just to be clear, I’m not saying public opinion isn’t relevant. Nor am I saying that public support isn’t a laudable goal. We should always strive to positively influence thoughts and beliefs. It’s certainly true that for some specific campaigns, changing the hearts and minds of the majority is critically important.
The struggle for human rights – or indeed the struggle for progress generally – rarely depended on the involvement of the majority (or even the support of the majority).
However, on the broader level, there’s a risk that we will end up cementing both our belief system and our program objectives to the latest bar talk or some dubiously constructed stats about online user behaviour. Or, at least, the funding organisations will do so.
It seems to me we’ve been collectively sucked into the mindset that privacy protection somehow depends on scale of adoption. That populist formula is killing any hope that this fragile right will survive the overwhelming public lust for greater safety and more useful data.
I’ve noticed an enduring (and possibly growing) argument that public support for privacy is largely theoretical because relatively few people put their beliefs into practice. Conversations on that topic tend to dwell depressingly on public hypocrisy, with detractors pointing out that the general population fails to use the privacy tools that are on offer. Even worse, whole populations avidly feed off the very data streams that they claim to be wary of. Apparently this alleged public disinterest and hypocrisy invalidates arguments for stronger privacy.
(As a side point, I don’t believe that the situation is so black and white. People have become far more privacy aware in recent years, and their expectations of good practice by organisations have increased. People change their behaviour slowly over time, and yet there has been real progress in recent years.)
I also (generally) am less caring of what the general public think about these issues. In recent times, people have convinced me to join different services and tactfully decline. I do sometimes forget my world isn’t the mainstream, and wonder why are we still having these discussions.
Don’t get me wrong, its always interesting good to have the discussion, especially because most people still see privacy in a binary way but when pressed are much less binary about their decisions. A while ago I started calling it data ethics as privacy alone leaves the door open to worries about security for example.
Context and experience has a lot to do with it and in the discussion this becomes much clearer. Just ask anyone who has had their idenity stolen, hacked or abused. Most of the public will never (luckily) experience this.
The personal or private cloud is growing in popularity and I’m starting to see it spring up in the popular tech press more and more. Interestingly I keep starting a blog post then not finishing it because theres not quite enough to talk about. Then I heard Bruce Sterling’s 2012 South by south westtalk (recommended to me by Imran)
“[There’s] a new phenomena that I like to call the Stacks [vertically integrated social media]. And we’ve got five of them — Google, Facebook, Amazon, Apple and Microsoft. The future of the stacks is basically to take over the internet and render it irrelevant. They’re not hostile to the internet — they’re just [looking after] their own situation. And they all think they’ll be the one Stack… and render the others irrelevant. And they’ll all be rendered irrelevant. That’s the future of the Stacks.
People like the Stacks, [because] the internet is scary now — so what’s the problem there? None of them offer any prosperity or security to their human participants, except for their shareholders. The internet has users. Stack people are livestock — ignorant of what’s going on, and moving from on stack to another. The Stacks really, really want to know you’re a dog.
They’re annihilating other media… The Lords of the Stacks. And they’re not bad guys — I’d be happy to buy them a beer. But really, a free people would not be so dependent on a Napoleonic mobile people. What if Mark Zuckerberg trips over a skateboard?
This structure won’t last very long… But you’re really core people for them and their interests. You are them. I’m them.
Bruce is right on the money. The 5 stacks have been trying to outdo each other for many years and see the whole thing as a zero-sum game, death to the end. This is not the way the internet or human society has to work or has to be. On the face of it, they are friendly but like a vicious dog (remember I’m not really a fan of them) they need a certain amount of caution.
Even myself are weary of how much data I hand over to Google. It may seem like I don’ t care but you would be very wrong. If I didn’t care I would sign up for Google Drive storage (I like the idea of being able to search across all my files, something which is tricky with Dropbox), would have moved from Evernote to Google Keep, etc, etc… I tend to keep my data across different stacks and deal with the migration and syncing myself. Its a bit of a pain and boy would it be easier to just dump it in Google’s cloud/stack. But I don’t want that.
I have been experimenting with my own cloud but not found anything yet which works the way I really want it to. The thing about clouds is they should merge and split or in other terms they should seamlessly blend. A personal cloud should consume and work with the other clouds. Now I understand the 5 stacks don’t really want to work with anyone else and will make there clouds/stacks difficult to inter-operate with but it can be done.
The lure of having a cloud which is as powerful and ubiquitous as other the other 5 clouds would be amazing. The advantages are all there but unlike the 5 clouds, you wouldn’t have to worry about it snooping on you and selling data to others. Increasingly more and more of us post Edward Snowdon.would like to something which we could exist and support our own ambitions not the shareholders.
Revelations that many governments of the world are able to collect personal data on-demand has called into question our desire and need to keep everything online. While we want to access and share our content, we want privacy and security as well. Whether it is photos on a social network or work documents in an online storage account, we want to know that we have absolute control of our data because it is ours, regardless of what services we use and regardless of how they choose to manage their Terms of Service.
Ok so were all down with Personal clouds? What are the projects I have been keeping an eye on? Cozy.io, Sparkleshare, Owncloud, Tonido and Amahi. Weirdly the last one isn’t really a Cloud but I’ve looked into turning it into a personal cloud platform.
The problem with the personal clouds is they are a long way off that ready state. They require a lot of hand cranking and can be a massive time and money hog. Which means only those knowledgeable and with enough money can afford the privacy…?
Its a shame but whats new?
Well nothing much but its fascinating what else you can do with your own cloud. I have seen a lot of activity around the idea. For example you have things like tent.io and you got to admire what Bit Torrent inc are doing in the labs, if only it was open source. Would love to use Bittorrent sync across the board but I just don’t trust it more than dropbox. In which case I might as well keep using dropbox? At least they have 2 factor authentication now and full support for Linux. Plus the amount of other cloud services which support dropbox is very high.
Ultimately if the personal cloud is going to really make a dent. It needs to be super flexible, work with others and support features which the others wouldn’t dare (bit torrent is one such feature)