You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Found on The Register on Friday, 19 October 2018
Browse Internet

The privacy risks associated with web tracking, however, persist, and now it appears there's yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

They note that Facebook and Google, due to their behavioral ad businesses, specify longer session resumption ticket lifetimes than most. Facebook's lifetime hint setting of 48 hours is higher than 99.99 per cent of all session ticket hints found. Google's 28 hour value exceeds 97.13 per cent of Alexa's top million websites.

Facebook and Google track you. Facebook in the most aggressive way. Clearly they have learned absolutely nothing from the privacy scandals they went through and just keep on doing business like before.
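The tracking vector in this entry is the ticket_lifetime_hint that a server sends in its TLS 1.2 NewSessionTicket message: a client that keeps the ticket for the full hinted period can be re-identified for that long. The following is an added example, not code from the article or the Hamburg paper; it parses a constructed NewSessionTicket message (RFC 5077 layout), converts the hint into hours so values such as the 48-hour and 28-hour figures above can be compared, and applies a client-side cap on how long the ticket is honoured, which is the mitigation a privacy-conscious client would use. The message bytes and the default 600-second cap are assumptions for illustration.

```python
import struct

HANDSHAKE_NEW_SESSION_TICKET = 4      # handshake message type (RFC 5077)
TLS13_MAX_LIFETIME = 604800           # RFC 8446 caps ticket_lifetime at 7 days


def build_new_session_ticket(lifetime_hint: int, ticket: bytes) -> bytes:
    """Construct a TLS 1.2 NewSessionTicket handshake message (test data only)."""
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([HANDSHAKE_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def parse_new_session_ticket(msg: bytes) -> dict:
    """Parse handshake header, uint32 ticket_lifetime_hint and opaque ticket<0..2^16-1>."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type, body_len = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != HANDSHAKE_NEW_SESSION_TICKET:
        raise ValueError(f"not a NewSessionTicket (type {msg_type})")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 6:
        raise ValueError("truncated NewSessionTicket body")
    lifetime_hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:6 + ticket_len]
    if len(ticket) != ticket_len:
        raise ValueError("truncated ticket")
    return {"lifetime_hint": lifetime_hint, "ticket": ticket}


def lifetime_hours(lifetime_hint: int) -> float:
    """Express the server's hint (seconds) in hours for comparison with the article's figures."""
    return lifetime_hint / 3600


def effective_lifetime(lifetime_hint: int, local_cap: int = 600) -> int:
    """Client-side policy: honour the server's hint only up to a local cap (assumed 10 min).
    A hint of 0 means 'unspecified' per RFC 5077, so the cap applies outright."""
    if lifetime_hint == 0:
        return local_cap
    return min(lifetime_hint, local_cap)


if __name__ == "__main__":
    # Constructed sample: a 48-hour hint, the value the article attributes to Facebook.
    sample = build_new_session_ticket(48 * 3600, b"\x11" * 32)
    parsed = parse_new_session_ticket(sample)
    print(f"hint={lifetime_hours(parsed['lifetime_hint'])}h, "
          f"client keeps it for {effective_lifetime(parsed['lifetime_hint'])}s")
```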

Remote South Atlantic Islands Are Flooded With Plastic

Found on Smithsonian on Thursday, 18 October 2018
Browse Nature

Now, reports Marlene Cimons at Nexus Media, that pollution is getting even worse. A new study in the journal Current Biology shows that plastic trash on the beaches and in the ocean has increased tenfold in just the last decade and a hundredfold over the last three decades.

“Three decades ago these islands, which are some of the most remote on the planet, were near-pristine,” lead author David Barnes of the British Antarctic Survey says in a statement. “Plastic waste has increased a hundredfold in that time, it is now so common it reaches the seabed. We found it in plankton, throughout the food chain and up to top predators such as seabirds.”

If only it were possible to dump that junk onto those who created it. Instead, global politics fail so very hard at something so important as protecting the world everybody lives in.

Printer Makers Are Crippling Cheap Ink Cartridges Via Bogus 'Security Updates'

Found on Motherboard on Wednesday, 17 October 2018
Browse Hardware

Printer maker Epson is under fire this month from activist groups after a software update prevented customers from using cheaper, third party ink cartridges. It’s just the latest salvo in a decades-long effort by printer manufacturers to block consumer choice, often by disguising printer downgrades as essential product improvements.

Hardware makers began cooking draconian restrictions into printers, ranging from unnecessary cartridge expiration dates to obnoxious DRM and firmware updates blocking the use of “unofficial” cartridges.

Along with net neutrality, there is a clear need for ink neutrality too.

Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019

Found on The Register on Tuesday, 16 October 2018
Browse Internet

The Internet Engineering Task Force has been considering when to hold the funeral of TLS 1.0, which will be 20 years old in January 2019, as well as a burial for TLS 1.1, since June this year. Its Internet-Draft on the matter is expected to formalize the 'net standards body's “die die die” recommendation later this year. When the draft progresses to standard status, the IETF will no longer fix new protocol vulnerabilities in TLS 1.0 and 1.1.

That's going to be similar to the adoption of IPv6 probably.

Internet operator challenges network tapping by German spy agency

Found on Reuters on Monday, 15 October 2018
Browse Internet

DE-CIX said it received orders from the Federal Intelligence Service (BND) to allow it to access data at its internet exchange in Frankfurt. The BND has in recent years received a mirror image of the traffic as part of its counter-terrorism and cyber-security efforts.

In Germany, the right to privacy of correspondence, posts and telecommunications is protected by Art. 10 of the constitution. This is restricted by a law that allows federal and state spy agencies to tap such communications, subject to review by a control commission on which lawmakers sit.

Pretty sad that you're more protected from being spied on if you send just a letter.

Yale users locked out of homes after 'smart' home app crashes

Found on The Inquirer on Sunday, 14 October 2018
Browse Technology

Users of Yale's so-called 'smart' locks were trapped out of their homes for more than 24 hours after the company's smartphone app went to Borksville.

Yale blamed an "unforeseen issue while carrying out unplanned network maintenance", but claimed to have resolved the problem on Friday morning. However, users still claim that notifications - such as whether an alarm has been armed or disarmed - aren't coming through.

While the app was down, customers complained of being 'stuck' in their homes, while others were forced to wait outside until the problem was fixed.

Oh the sweet irony. Nothing would have happened if clients had just stuck to something so very old-fashioned like mechanical locks with keys; but no, even unlocking your door has to be "smart". Now imagine someone found a way to remotely brick all those locks...

branch.io bug left '685 million' netizens open to website hacks

Found on The Register on Saturday, 13 October 2018
Browse Various

That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they've come from, be it Facebook, email links, Twitter, etc.

Among the sites found to be using the vulnerable components were reviews site Yelp, cash wiring biz Western Union, Shopify, and photo-sharing site Imgur, it is claimed. Hochstadt estimated the sites together handle around 685 million user accounts.

So basically, all that happened because those websites want to analyze their visitors even more; and then they wonder why privacy addons in browsers are so popular.

Firefox removes core product support for RSS/Atom feeds

Found on Gijsk on Friday, 12 October 2018
Browse Software

After considering the maintenance, performance and security costs of the feed preview and subscription features in Firefox, we’ve concluded that it is no longer sustainable to keep feed support in the core of the product. While we still believe in RSS and support the goals of open, interoperable formats on the Web, we strongly believe that the best way to meet the needs of RSS and its users is via WebExtensions.

Likewise, the feed viewer has its own “special” XML parser, distinct from the main Firefox one, and has not had a significant update in styling or functionality in the last seven years.

Styling RSS feeds? What for? To stuff annoying advertising and tracking into the text blocks? Maintaining your own "special" XML parser is like maintaining your own "special" encryption: in other words, pretty much a really bad idea.

Microsoft Windows 10 October update giving HP users BSOD

Found on The Register on Thursday, 11 October 2018
Browse Software

Microsoft on Tuesday posted KB4464330 (Windows 10 1809 Build 17763.55) in an effort to halt the damage done by last week's Windows 10 version 1809 update, but it hasn't quite worked.

"After doing updates, this machine blue screens with the error message WDF_VIOLATION," wrote an individual identified as "PhilBJSPC." "I cannot boot to safe mode and it does not allow me to do a system restore before the updates have gone through. …"

"This is why auto-installed updates are so dangerous," observed Steve Bellovin, a professor in the computer science department at Columbia University, via Twitter.

So to sum it up, this auto-update messes up when Intel audio is present, deletes user data and bluescreens on HP and Dell machines? Is Microsoft testing at all? These are not rare edge cases with obscure hardware.

Federal Court Dumps Another Lawsuit Against Twitter For Contributing To Worldwide Terrorism

Found on Techdirt on Wednesday, 10 October 2018
Browse Legal-Issues

The lawsuits against social media companies brought by victims of terrorist attacks continue to pile up. So far, though, no one has racked up a win. Certain law firms (1-800-LAW-FIRM and Excolo Law) appear to be making a decent living filing lawsuits they'll never have a chance of winning, but it's not doing much for victims and their families.

The problem that continues to be talked around in these lawsuits is that you cannot hold a social media platform responsible for the actions of its users. If the plaintiffs drop the ATA arguments, they're just going to run into Section 230 immunity. While the acts of terrorism were horrific and drastically affected the lives of the families of those killed, suing Twitter, Facebook, et al over these acts doesn't do anything for the plaintiffs but take time and money away from those who've already lost loved ones.

In other words, shady lawyers swindle money out of victims with false promises. Probably nobody will be surprised by that.