Archive

Archive for the ‘online’ Category

Google+ spotted in the wild

16 November 2011 Leave a comment

When Google plus hit in typical Google beta-fashion, some people put up an “I’ve moved” profile picture on Facebook, and left, or so their status update said.

Everyone that I saw do this is still active on Facebook. The trouble is that they have 300 contacts on Facebook, 200 on LinkedIn, and ten on Google+. (Actual values may vary, contact your friends for details.)

Forgetting the personal/social point of view, from a fan/corporate point of view, there are lots of “follow us on Twitter” or “like our Facebook page” links on websites, but none that say “Join our circle on Google+.” Until, that is, today, when my favourite motor racing team, Force India (I’m not sure I should put the sponsor’s name in front of that) *tweeted*

Join our circle on Google+ to share even more plus.google.com/i/1x6CO0EiYkI:…

This is the first time I’ve seen this in the wild. And the irony that they used another social media to inform us of their circle is not lost on me. I’m pretty sure that there will be no extra content for me, only extra work for the admins that run the team’s social media, as they now need to tweet, post on Facebook, possibly update blogs or websites, and now update Google+ as well. I’m not sure that Google+ is worth that effort at the moment.

The thing is, that I get overloaded with info. To me, there is no point in liking your Facebook page, if I get all your updates via RSS. And if I get your data from Facebook, I don’t need to see it in Google+.

One thing that really annoys me about messages from Google+ are that they don’t give a useful subject. Instead of saying “Alistair McDonald shared a post entitled ‘The red mist descends'” they just say “Alistair McDonald shared a post with you.” I’m NOT going to click that link, ‘cos I’m pretty sure if it was important, I’ll find out eventually. But, if the subject piqued my interest, then I might click. But clicking into a black hole – no way.

Another way I’m really going off Google is that now so many services require a unified email address/ID. I’ve stopped putting any information into YouTube (Favourites, subscribing to channels, etc.) because they want a Google ID. I already have one – well actually three – but I don’t want to join my email to my videos to my news page, maps page, or news alerts. (I know that Google can, and probably do, track my usage of these sites via cookies or embedded scripts, the point here is not privacy, but convenience for me. For example, I set my home location on maps.google.co.uk to be a zoomed in shot of my home. But since I needed to “unify” my Google accounts, now when I visit maps.google.fr or maps.google.lu, my home page is *still* in the UK. If you are viewing a UK map, then your searches default to the UK – so you get Birmingham, West Midlands, not Birmingham, Alabama. That’s a good feature. BUT, if I’m visiting the French map site, why on earth would I want to start from the UK, where all my searches are crazily misinterpreted. So, to work around this, I end up first searching for Paris, or Luxembourg, so that Google maps displays the correct country so that my searches will work. [Google pay for bandwidth and processing power, I don’t, so I lose time and they lose money. ] )

Getting back to the subject of Google+, as I said before, they need to get some client apps out there – there are dozens of Twitter clients – and that means that they need to stop trying to be so controlling over data and APIs. Part of the problem is that they are playing catch-up, and many competing services (this is business, it makes money, and so there is a real competitiveness to it) are much more free with, and, remember, Google see the usage data it collects as the most important thing that they have.

Why not take part in a little experiment: inspect the cookies that the browser(s) you use have collected. Maybe even try to delete them and see (a) how many similar ones reappear without you visiting the sites mentioned, and (b) see just how many services you can use after a single login.

Hacked email

26 October 2011 Leave a comment

I get emails from people who have had their online email accounts hacked, and spam email is issued. Normally, I just send them an email and hear nothing of it. But today I got a message (via another mechanism) that they were going to trash their email account.

The rest of this post is my message back to them. On reflection, I should have considered that their password was leaked internally from their email provider (one of the “big few” – i.e. google, hotmail or yahoo). And that this could happen from a rogue employee ($0.10 per email, here’s a text file) or from hackers getting illegitimate access.

But here goes:

I don’t think you need to discard the email account, but there are a couple of things to consider

How did you get hacked? Was it malware on your PC (you can pick up malware infections just from things like Adobe Flash-based adverts if there’s a security problem in the flash plugin, for example) or was it someone picking up a session cookie if you were using unencrypted WiFi (coffee shop/hotel) (read this post on cookie hijacking to see how it works). Or did you use someone else’s computer (colleague, internet cafe?) These are the three main categories (I’m discounting you turning into a spammer.)

No matter how it happened, visit https://browsercheck.qualys.com/ on a weekly basis – or more frequently – to check your browser(s) and plugins are up to date – you need to do this for each browser that you use, on each computer that you use.

So, how do you tell which one happened to you? I’d get some anti-virus and scan your PCs and see if they detect anything. If you’re technical enough, then the SysInternals “autoruns” tool tells you *everything* that starts when you start your PC and log in. You can google the various process names shown in Task Manager and ensure they are benign too.

So, if you have malware, the only totally secure thing to do is to wipe and reinstall your OS and applications – although you might want to trust antivirus to detect and repair, it’s not guaranteed. And if you can, try more than one anti-virus product (free versions available for several) but you might have to install one, scan your PC, uninstall it and then install another – they might not co-exist nicely.

If you’re PC is clean, but you use public Wifi, chances are that you have been victim of a cookie hijack. The solution is to either always use HTTPS (which is encrypted so no-one can “sniff” your cookie.) (Most sites now offer it, and I expect your email provider is one of them; google is now offering HTTPS for searches, let alone email/calendar/etc.), OR, if you have one available, *always* use a VPN (Virtual private network), which encrypts everything (including normal unencrypted http traffic, although your VPN provider can “sniff” stuff). Maybe your employer has a VPN, otherwise you can buy the service, I believe. And, best of all, if it was a cookie hijack, you can just log on and change your password, the hijacked cookie will be invalid afterwards. Maybe ask where you were accessing the net in the days immediately before the spam started – can you correlate a location with the date/time.

And if you think you’re the victim of a keylogger, it should appear as malware. Let me tell you that one thing I do when I’m using someone else’s computer is to *not* enter my password in one go. I use the *mouse* to move the cursor between keypresses, and build up my password. So if my password was 12345678, I might start by entering “56” then click (don’t use the keyboard, keystrokes might be logged, including the cursor keys) at the beginning and add “23”, then at click the end and add 8, then between the 3rd and 4th character and add the 4. It takes a bit of mental juggling, and I rarely use a PC I don’t trust.

So, depending on how you were hacked, is anything else at stake? If it’s malware, chances are that a keylogger has been installed, and so every keypress might have been recorded and then might have been transmitted. If you use the same password for many things, e.g. online email, work email, online banking, then you are at greater risk than if you use a different one for each service – even if the usernames are different, your identity might be linked to an account via publically available search info.I use a three-tier system – one password for sites I really don’t care if someone impersonates me on, a second for a few other things (access to my server, and email, and so on), and a third tier, where I use a different password for each system – things like online banking, the UK Government Gateway, etc.

So, the bottom line is that
1: Stopping using the account might not be enough
2: Stopping using the account might not be neccesary

And that’s what I sent. Did I miss anything apart from the password-leak-from-provider?

Update: I added
3: change all your important passwords anyway. Consider a 2/3-tier system.

Categories: online, privacy, Real Life, Software

Online Privacy – what you need to know

26 September 2011 Leave a comment

After facebook updated their UI recently, there was a spate of “Do me a favour, hover over my name and uncheck such-and-such a box. I prefer to be private” messages.

Well, let me tell you, you have no hope of retaining your privacy online. Everything you do online is extremely *un*private, and there is very little you can do about it, no matter who checks what.

There are several reasons for this.

  1. Systems change. You might think that you are safe, with the current web site you use. But, then, they change it without your permission, changing features, and, I imagine, prompting the above.
  2. Someone will leak whatever is available to them. Whether it’s deliberately and maliciously, or if their computer is infected with malware, each person/account who can see your posts, photos, whatever, can copy them, save them, and use them later
  3. The website itself can have a security problem. There are countless examples of this, where there is a mistake in a web site, and people can access other people’s accounts, just by a bit of technical jiggery-pokery, or even at random!
  4. The website may have a rogue employee, who harvests some data. I’ve had this happen to me several times, I use a unique email address for most web sites, and a couple of times they’ve been used to send spam to me.
  5. The website can change their terms and conditions at will, and, often, they already own everything you produce on their site – have you checked the T&C for the sites you use? In detail?

This problem has been boiling for years. Eleven years ago I bought and read a book called “Database Nation” about privacy, the electronic trail you leave, and how it would inevitably become impossible NOT to be tracked by databases. Store loyalty cards, automated registration recognition, all store details on a database.

As an example of this, we drove to Portsmouth for an early morning crossing to France, on holiday, a year or two ago. About a month afterwards, I received a letter from a DC, who said that an act of vandalism had occurred the morning we traveled along the M3, and my  car had been one of the last to pass the spot before the incident occurred – did I see anything suspicious?

Let’s think about this – the time of passing, and registration numbers of all cars going along the M3 were logged in a database that was available some time after the event. (The letter was not sent for over a month – why sit on the letter, they would have sent it out ASAP, yes?) Given the number of very public security lapses with computer systems, including civilians employed by police forces being dismissed for making irregular and unneeded queries on databases, how safe is this data? And what if this was not a police force, but an online concern that is maximising profit by using unvetted, offshore workers? What if you were suspicious of your other half, and a private eye had a friend who could access data on where cars had been seen? A bit like phone hacking, if you know what to do. Forgetting the police example, how safe is your other info, E.g. email address, credit card, CVC, or, possibly, the password that you use for another 20 sites?

So, almost nothing you do is private. Credit cards, store cards, there are databases everywhere, and data is increasingly being correlated between them. When you start buying organic food, and your store suggests offers on other organic (or other “healthy”) food, this is a single-database action. When you visit lots of guitar-related web sites, and all your social network site adverts start advertising guitar lessons, this is matching across more than one database (well, it’s not, as I’ll explain below, but it serves as an example that people can hopefully understand for now).

Once, my friend went to his local store, and paid (this is back in the days of signature strips on credit cards) with a card the store did not accept, but the teller (poor boy) let him go through the process of swiping and signing. They contacted him (I now wonder how?), explaining they didn’t accept the card, and would he provide details of another one, and he told them to take a hike. Later, he found that they’d later attempted to charge the transaction a different card that he did own, and had used at the store previously. This was for a fairly trivial amount, yet someone was prepared to manually go through credit card receipts, match card names (and, presumably, signatures), then make a false transaction. These days, with everything online, that search would be *so* much easier to do, the match could be done instantly, and on a much higher volume. And it is, not just on store purchases and credit cards. Match your pharmacy payments to your health, so that life insurers get a better idea of how long you’ll live? It’s not far-fetched at all.

So, why is my example of my the guitar adverts above a bad one? It’s all about cookies. Cookies are a way for a web site to “remember” you. The benign view is that it helps you to “remember” the web site, but the balance of power is all on the web site’s. So, youtube, facebook, etc. all remember your login, maybe even auto-log you in, this is all through cookies. There’s a convenience for you, but that’s only part of the story. (Remind me to tell you why free WiFi is bad because your cookies are visible to everyone in the coffee shop when you hit your favourite sites, and people can impersonate you.)

Web sites can be divided up into parts. To the users, they all seem to be part of the same, coherent site, but it can be made up of content from many different sites (often visible on a slow connection, when the page changes shape as different parts arrive). Often the adverts are served from different sites. This is because then the advert-serving sites can count accurately how many views they get, they do not trust the host website to say “Yeah, we served up your adverts 20,000 times today, that’ll be $500 please.” But, although there is no convenience for you, each of those portions of a page can set their own cookies.

Now cookies are a two-way communication. The web site can ask “give me my cookie for the username” and the browser will respond. And the web site can say “give me my secret tracking cookie” and the browser will respond. The value returned, knowing which page you are retrieving, allows the advert site to track you arround. First, you were on the social media site, now you’re home shopping, now a bit of music. The advert site will mke a correlation with your surfing habits, and will serve adverts that are more likely to get notices. So, in this case, it’s not a cross-database correlation, all the correlation is done by the advert-serving site.

And, whenever you visit a site, and there’s a “like” button on it, that link is being made, not just by advert tracking site(s), but by your social networking site.

(As an aside: and, with a new social networking site on the horizon, owned by the biggest advert-serving corporation in the world, what hope do you have if you use that one? )

The bottom line is that you can expect no privacy at all online. It used to be the case that cookies could be deleted in browsers, but there are now “super-cookies” which are much harder to delete. Wherever you go, it’s logged. Your internet address is logged, and this can be used to tie you to a geographical area. Coupled with your browser (web sites can detect plugins, screen resolutions, and all sorts of bizarre stuff), this can be enough to uniquely identify you, especially if you use an unusual browser like me (Opera) with a huge screen (1920×1200 :-)). I’ve given feedback to websites and have them contact me, not with a response, but to ask how I find their website with my particular browser!

And, all your kids are leaving an online presence too. You’re probably doing it for you until they’re twelve or so, but it’s happening. Even in 1998, I used to do an internet search when reviewing job candidate CVs, and in one case found some very (ahem!) material on one candidate. When your kids apply to uni or for a job, their online shadows are going to be searched. They need to be extra-careful what they post. And the internet *never* forgets – web pages are cached by Google, archived by non-profits such as the Wayback Machine, and who knows what criminal organisations can do with the information.

A final thought, it’s getting difficult to recruit police, as every 17-year old has an online presence with images that can be used to identify them. There can be no plain-clothes work for anyone in the days of reverse image search – put an image into a search engine, and it will try to match it with ones it’s seen already.

I can provide references for every assertion I’ve made, but I’m very tired and semi-offline, so digging them out is not easy. If there’s enough response, I will add references, and if you need a particular one, then just post a comment (they are moderated, it won’t appear immediately.)

Categories: online, Uncategorized