Your Password, Please

Since I live in the United States, I spend most of my time lambasting its government’s infringements on privacy. But the United States doesn’t have a monopoly on violating individuals’ privacy. Every government has an interest in violating rights. The hot privacy violation at the moment is demanding access to cell phones. Cell phones are becoming more integrated into our daily lives every day, which makes them a treasure trove of personal information. Here in the United States the government has made several efforts to force cell phone manufacturers to include a backdoor it can access. New Zealand has taken a different approach. If you don’t hand over your password to law enforcers, you will be fined:

New Zealand privacy activists have raised concerns over a new law that imposes a fine of up to NZ$5,000 (more than $3,200) for travelers—citizens and foreigners alike—who decline to unlock their digital devices when entering the country. (Presumably your phone would be seized anyway if it came to that.)

The Southern Pacific nation is believed to be the first in the world to impose such a law.

As a general rule, especially when crossing borders, it’s best to travel with clean devices and access whatever information you need remotely when you arrive at your destination. For example, instead of storing contact information on your cell phone when traveling, you might consider having your contact information on a remotely accessible server. When you get to your destination, you can log into the server and grab the phone numbers you need when you need them. When you’re ready to leave the country, you can factory reset your phone so your call log is erased.

Such a plan isn’t bulletproof. A factory reset phone is suspicious in and of itself. Unfortunately there are no silver bullets. Every defensive measure has a list of pros and cons. You have to decide which set of pros and cons best fits your situation.

Making Security Illegal

A recent court ruling has potentially made secure devices and effective security services illegal:

The Canadian executive of a 10-year-old company that marketed its purportedly secure BlackBerry services to thousands of criminals (who paid at least $4,000 per year, per device) has pleaded guilty to a racketeering conspiracy charge, federal prosecutors in San Diego said Tuesday.

[…]

As the Department of Justice said in a Tuesday statement:

To keep the communications out of the reach of law enforcement, Ramos and others maintained Phantom Secure servers in Panama and Hong Kong, used virtual proxy servers to disguise the physical location of its servers, and remotely deleted or “wiped” devices seized by law enforcement. Ramos and his co-conspirators required a personal reference from an existing client to obtain a Phantom Secure device. And Ramos used digital currencies, including Bitcoin, to facilitate financial transactions for Phantom Secure to protect users’ anonymity and launder proceeds from Phantom Secure. Ramos admitted that at least 450 kilograms of cocaine were distributed using Phantom Secure devices.

[…]

At the time of his arrest, the Department of Justice said that the Ramos case was the “first time the U.S. government has targeted a company and its leaders for assisting a criminal organization by providing them with technology to ‘go dark,’ or evade law enforcement’s detection of their crimes.”

From what I could ascertain, the reason Vincent Ramos was arrested, charged, and declared guilty was because he offered a device and service that allowed his customers to actually remain anonymous. This is what most Virtual Private Network (VPN) providers, I2P, Tor, and other anonymity services offer, so will one of them be the next Department of Justice target?

I’m going to take this opportunity to go on a related tangent. Ramos was charged because his devices and service were being used by other people to facilitate illegal activities such as selling cocaine. Ramos himself wasn’t, as far as I can tell, performing those illegal activities. Since the illegal actions in this case weren’t performed by Ramos, why was he charged with anything? Because the illegal activities being performed with his devices and service were related to the drug war and the drug war has served as the United States government’s excuse to go after anybody it doesn’t like.

Anything that can be tacitly tied to the drug war can be punished. If an officer doesn’t like you, they can claim that the cash you have on hand is evidence that you are participating in drug crimes and use civil forfeiture to seize your stuff. If your roommate is dealing drugs without your knowledge, prosecutors can claim that you actually do have knowledge and charge you with a plethora of crimes. If you offer a product that anonymizes users, prosecutors can charge you for aiding drug dealers. All of the supposed civil rights you enjoy suddenly go out the window when the word drugs is involved.

All Data Is for Sale

What happens when a website that sells your personal information asks you to input your phone number to enable two-factor authentication? Your phone number is sold to advertisers:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

There really is no reason for a website to require a phone number to enable two-factor authentication. Short Message Service (SMS) is not a secure protocol so utilizing it for two-factor authentication, which many websites sadly do, is not a good idea. Moreover, as this study has demonstrated, handing over your phone number just gives the service provider another piece of information about you to sell.

Instead of SMS-based two-factor authentication, websites should at a minimum offer two-factor authentication that utilizes apps implementing the Time-based One-time Password Algorithm (TOTP) or the HMAC-based One-time Password Algorithm (HOTP), like Authy and Google Authenticator. Better yet, websites should offer two-factor authentication that utilizes hardware tokens like YubiKeys.
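To show what the TOTP/HOTP alternative actually involves on the server side (and why it needs no phone number), here is an added example written for this post, not code from the original article or from Authy, Google Authenticator, or any other app named above. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library and a verifier that tolerates a small amount of clock skew. The secret below is the published RFC test-vector key, not a real credential; the `window` parameter and the function names are my own choices.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24  # mask the top bit: RFC wants an unsigned 31-bit value
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (clock skew between client and server). Every candidate is compared in
    constant time and the loop never exits early, so timing reveals nothing
    about which digits matched or which step matched."""
    if at is None:
        at = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:  # counters are unsigned; skip impossible steps
            continue
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
    return ok


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real key.
    demo_secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(demo_secret, 0))
    print("TOTP at t=59 (8 digits):", totp(demo_secret, 59, digits=8))
    print("current TOTP:", totp(demo_secret))
```

The only shared secret is the 20-byte key exchanged once at enrollment (usually via a QR code); nothing about the user's phone number or carrier enters the protocol, and an attacker who can intercept SMS gains nothing. In a real deployment the secret is stored encrypted at rest, and each accepted code's counter is recorded so the same code cannot be replayed inside the window.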

Properly Warning Users About Business Model Changes

I have an update from my previous article about how the developers of GPGTools botched their changeover from offering a free software suite to a paid software suite. It appears that they listened to those of us who criticized them for not properly notifying their users that the latest update will change the business model because this is the new update notification:

That’s how you properly inform your users about business model changes.

Installing macOS Mojave on Unsupported Macs

I’m back, I’m married, and I’m behind the news cycle. Although being behind the news cycle should be treated as a state of bliss, it’s not a great place to be when you use news articles for blog material. It’s going to take me a day or two to catch up.

One project I did tackle over my extended vacation is getting macOS Mojave installed on my computers. Mojave dropped official support for several Macs, but just because Apple doesn’t officially support a platform doesn’t mean it can’t be used. I see no reason to throw away perfectly functional hardware, and I enjoy receiving security updates. Because of that, I ended up playing with dosdude1’s Mojave Patcher.

The patcher originally didn’t work for me because all of my computers have FileVault enabled and the version I first downloaded had a bug where it couldn’t mount FileVault containers. That was before I left for my wedding. Fortunately, by the time I got back a new version that fixed that bug was released.

I used the patcher to install Mojave on my 2010 Mac mini 4,1 and my 2010 MacBook Pro 5,4. Installation on my Mac mini was smooth. I haven’t had any major problems with it. Installation on my MacBook Pro was another matter. I should note beforehand that the MacBook Pro in question has a bad memory controller. One of the two memory banks has a 50/50 chance of working when I power the system on. If it doesn’t work, I only have access to half of my memory. That may be why I have to reset the NVRAM every time I power the system on in order to get it to boot (if I don’t reset the NVRAM, I get the dreaded no symbol when I start the computer).

If you’ve been happily running an older Mac and found out that Mojave won’t install, try dosdude1’s Mojave Patcher. It doesn’t work on every old Mac (a list of supported Macs can be found at the link) but it does work for most of the 64-bit Intel Macs.

We’re Not Telling You the Rules

The politicians in California have passed the first law regulating the security of Internet-connected devices. However, manufacturers of said devices are going to have a difficult time complying with the law since the rules are never defined:

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

The California bill doesn’t define exactly what a ‘reasonable security feature’ would be but it mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products. If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.

You must implement ‘a reasonable security feature or features’ but we’re not going to tell you what those features are. Oh, and if you fail to comply with our undefined rules, you will be subject to punishment. Anyways, good luck!

That sounds perfectly reasonable, doesn’t it?
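The one concrete requirement the article does extract from the bill is the credential rule: either a password that is unique to each device, or a forced credential setup before the device can be used. The following is an added example I wrote for this post to show what both options look like in a device's authentication code; it is not code from the bill, from any manufacturer, or from the original article. The `DeviceCredentials` class, the `audit` helper and the list of shared factory defaults are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample of shared factory credentials that a compliant device must not ship with.
SHARED_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked firmware image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceCredentials:
    """Hypothetical credential store for one connected device, modelling the two
    compliant options: a per-device random password set at manufacture, or a
    mandatory local setup step before the first use."""

    def __init__(self) -> None:
        self.salt: Optional[bytes] = None
        self.pw_hash: Optional[bytes] = None

    def _store(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)

    def provision_unique_password(self) -> str:
        """Option 1: factory provisioning. A CSPRNG password per unit (printed on the
        device label), so no two devices share a credential."""
        password = secrets.token_urlsafe(12)
        self._store(password)
        return password

    def set_initial_password(self, username: str, password: str, via_remote: bool) -> bool:
        """Option 2: first-use setup. Allowed only while no credential exists, only from
        the local network, and only with a password that is not a shared default."""
        if self.pw_hash is not None or via_remote:
            return False
        if (username, password) in SHARED_DEFAULTS or len(password) < 8:
            return False
        self._store(password)
        return True

    def login(self, password: str, via_remote: bool) -> str:
        """Returns 'ok', 'setup-required' or 'denied'. A device with no credential
        yet refuses every remote login instead of falling back to a default."""
        if self.pw_hash is None or self.salt is None:
            return "denied" if via_remote else "setup-required"
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "ok"
        return "denied"


def audit(device: DeviceCredentials, remote_admin_enabled: bool) -> List[str]:
    """Defender-side check: flag a device that is remotely reachable before a
    credential exists, or whose stored password is one of the shared defaults."""
    findings: List[str] = []
    if device.pw_hash is None:
        if remote_admin_enabled:
            findings.append("remote admin enabled before a unique credential was set")
        return findings
    for _user, default_pw in sorted(SHARED_DEFAULTS):
        if hmac.compare_digest(_hash(default_pw, device.salt), device.pw_hash):
            findings.append(f"password equals shared default '{default_pw}'")
    return findings


if __name__ == "__main__":
    fresh = DeviceCredentials()
    print("remote login before setup:", fresh.login("admin", via_remote=True))
    print("audit of fresh device:", audit(fresh, remote_admin_enabled=True))
    print("setup with a default rejected:", fresh.set_initial_password("admin", "admin", via_remote=False))
```

The useful property is that the insecure state (no credential, or a shared one) is unreachable from the WAN side rather than merely discouraged, which is what the statute's "before accessing it for the first time" wording amounts to in practice.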

Upgrading Your Unsupported Mac to Mojave

macOS Mojave was released last night. As is often the case with major macOS updates, Mojave dropped support for a slew of older platforms. But just because Apple doesn’t support installing Mojave on older computers doesn’t mean that it can’t be installed. dosdude1 has a utility that allows you to install Mojave on a lot of officially unsupported Macs.

I’ve used his patch utility to get High Sierra on my unsupported 2010 MacBook Pro and haven’t had any issues. I attempted to upgrade my 2010 Mac mini to Mojave last night but discovered that the utility currently has a problem decrypting encrypted APFS containers. dosdude1 is aware of this problem and will hopefully be able to figure out what is going on so it can be fixed. However, if your older Mac isn’t utilizing APFS or FileVault 2 (which it really should be utilizing), you should be good to go.

How Not to Handle Business Model Changes

GPGTools is a software suite that makes using OpenPGP on macOS easier. I’ve recommended this tool for quite some time to the three people who are interested in encrypting the contents of their e-mail. While the tool was freely available, the development team has been warning users for over a year that the suite would eventually move to a paid model. I completely understand their motivation. A man has to eat after all. However, there are proper ways to change business models and improper ways. The GPGTools team chose the improper way.

Here is the latest update notification for GPGTools:

It looks innocuous enough but if you install it, you’ll discover that your Mail.app plugin will be a one month trial. The initial screen of the update note doesn’t indicate that this update is the one that moves GPGTools from free to paid. You have to scroll down to learn that tidbit of information. Since most users probably don’t scroll through the entire update note, they will likely be rather surprised when their free app is now telling them that they have to pay.

Another issue with GPGTools’s transition is that there is no English version of the terms of distribution. Since GPGTools is based in Germany, this might not seem odd but everything else on the site is translated into English. If you’re going to toss a license agreement at somebody, you should provide it in every language that your application supports.

The final major problem with the transition, which has fortunately been fixed now but which you can read about by digging through the announcement thread on Twitter, was that there was no information about the license being sold. When you went to buy a license, the site originally didn’t tell you if the license was per computer, per user, or something else. Now the site states that the purchase covers one person and activation on up to three computers (a limit that I find more restrictive than I prefer).

I’m not one to criticize somebody when they make an effort to profit from their endeavors but GPGTools’s transition from a free suite to a paid suite should be a valuable lesson on how not to perform such a transition.

If you’re ever in a situation where you want to begin charging users for something that you have been providing for free, here are a few rules.

First, don’t foist the change on users out of the blue. Announce your intentions early. Moreover, give your users a firm date as soon as possible. GPGTools’s development team kept saying that the change would come eventually but never provided a hard date.

Second, if you’re going to change the business model through an update, make sure that the update informs users in a very obvious manner. That information should be the first thing in the update note. It wouldn’t hurt to put that part of the note in big bold letters so it jumps out at the user. An even better solution would be to release another free version that told the user that the next version would be the one that transitioned over to a paid model. When the next update was released, have the app clearly tell the user that it will transition the software over to a paid model.

Third, make sure you tell the user what they’re purchasing. The link to buy the software should inform the user if the license is per user, per computer, a monthly subscription, or something else.

Fourth, make any license agreements available in every language that the software supports. If the application is translated into English, then the user should expect an English version of any license agreements to be available.

If anybody is wondering if I’m going to buy a license for GPGTools, the answer is maybe. I haven’t been enamored with the GPGTools development team. Its biggest problem has been a lack of timeliness. Mail.app doesn’t support plugins, so the GPGTools plugin requires a fair bit of hackery and often breaks between major macOS releases. GPGTools has often been months behind major macOS releases, which means that there have often been months where the tool simply doesn’t work if you’re running the current version of macOS. I’m willing to overlook such an issue for a free tool (you get what you pay for) but not a paid tool. So the GPGTools development team will have to demonstrate an ability to have working versions of its software available when new versions of macOS are released before I’ll purchase a license. I also find the three computer limitation too restrictive. I’d rather see it bumped up to at least five computers or, better yet, unlimited computers (merely make it a per user license agreement).

If the GPGTools development team does resolve these issues, I’ll likely buy a license. It’s only $23.90 (for the current major version, it is implied that a new license will be required for the next major release), which is reasonable. And while I don’t use encrypted e-mail very often (not for lack of want but for lack of people who also use it), I do like to throw money at teams that make quality products and GPGTools, minus the issue noted in the previous paragraph, has been a quality product.

Feed Me More Data, Seymour!

When fitness trackers started becoming affordable and popular many people knew that this was right around the corner:

Life insurance company John Hancock will stop offering traditional policies, according to Venture Beat. Instead, the company, which is one of the oldest and largest life insurance underwriters in the US, will only sell policies that track fitness and health data.

The company will offer two different types of insurance: the basic Vitality offering will require customers to enter their fitness activity into an app or on a website. They will receive gift cards and other rewards for completing goals. For a discount of up to 15 percent on premiums, though, John Hancock is offering an expanded insurance policy that will track health data and fitness using wearable devices.

Insurance companies are in the business of risk mitigation and have therefore always had an interest in collecting as much data as possible on the property and people they insure. Fitness trackers and apps provide data that can be pretty valuable to health and life insurance companies since they give some indication about an individual’s health. The danger of this kind of policy is that the insurance company gets possession of the data. Even if you trust your insurance company to not sell that data to third parties (which is something you should never trust a company to refrain from doing), the chances of that data falling into unauthorized hands through a database breach are high. Another potential danger is that this data could be used to identify unlawful activity.

Most illegal substances cause changes in heart rate. If an individual’s heart rate changes without any obvious reason (such as exercise), that information could potentially be used as evidence that they’re using illegal substances. If law enforcers suspect that you’re using illegal substances, they could acquire your health data via a subpoena and use it as probable cause to get an arrest warrant issued. Worse yet, if your health data indicates that you might be using illegal substances, your insurance company might decide to hand that data over to law enforcement voluntarily. In a nation where so many activities are illegal, handing out health data can be dangerous.

Cloudflare Makes Tor Use More Bearable

One of the biggest annoyances of using the Tor Browser is that so many sites that rely on Cloudflare services throw up CAPTCHA challenges before allowing you to view content. Yesterday Cloudflare announced a change to its service that should make life more bearable for Tor users:

Cloudflare launched today a new service named the “Cloudflare Onion Service” that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser.

The new Cloudflare Onion Service needed the Tor team to make “a small tweak in the Tor binary,” hence it will only work with recent versions of the Tor Browser – the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month.

Hallelujah!