Zoom's end-to-end encryption isn't actually end-to-end at all

Found on The Register on Friday, 03 April 2020

Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing.

E2E ensures all communications are encrypted between devices so that not even the organization hosting the service has access to the contents of the connection. With TLS, Zoom can intercept and decrypt video chats and other data.

Zoom granted itself the right to mine your personal data and conference calls to target you with ads, and seemed to have a "creepily chummy" relationship with tracking-based advertisers.

Personal information gathered by the company included, but was not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. It also included "the content contained in cloud recordings, and instant messages, files, whiteboards ... shared while using the service."

Another day, another failure day for Zoom. Do yourself and everybody else a favor and drop this insecure spyware.

Zoom is Leaking Peoples' Email Addresses and Photos to Strangers

Found on Vice on Thursday, 02 April 2020

The issue lies in Zoom's "Company Directory" setting, which automatically adds other people to a user's lists of contacts if they signed up with an email address that shares the same domain.

"I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?," one user tweeted last week along with a screenshot.

Last week, Zoom updated the iOS version of its app after Motherboard found it was sending analytics data to Facebook. On Monday a user filed a class action lawsuit against Zoom for the data transfer. On the same day the New York Attorney General sent a letter to Zoom asking what security measures the company had put in place as the app has sky-rocketed in popularity.

It's just getting worse and worse for them. Whenever one hears about Zoom, it's about privacy problems, spying and tracking. It feels like you could just install malware instead of it.

Firefox to remove support for the FTP protocol

Found on ZD Net on Friday, 20 March 2020

Mozilla has announced plans today to remove support for the FTP protocol from Firefox. Going forward, users won't be able to download files via the FTP protocol and view the content of FTP links/folders inside the Firefox browser.

"We're doing this for security reasons," said Michal Novotny, a software engineer at the Mozilla Corporation, the company behind the Firefox browser.

"Security reasons". That's like the "terrorism" or "child abuse" argument politicians use to justify snooping. Public FTP is in no way less secure than public HTTP. Oh wait, they are trying to force everything to HTTPS too for various reasons; even where it makes no sense at all. So now people who need FTP are looking for replacement software, and quite a few of them will end up with shady adware-based programs that make the entire system less secure.

We love open source, but not enough to share code for our own app, says GitHub

Found on The Register on Thursday, 19 March 2020

The GitHub app however is aimed at all the other things developers do, such as raising or commenting on issues, approving pull requests (requests to merge new code), and responding to notifications such as @mentions.

In an interview, Nystrom and GitHub designer Brian Lovin explained how they mocked up a design for one platform and had the team on the other platform replicate it with appropriate adjustments. The downside of the approach is that the app works differently from visiting the GitHub website with a mobile browser, meaning more to learn.

Sooner or later GitHub will go fully closed-source.

Browser minnow Brave nips at Google with GDPR complaint

Found on The Register on Tuesday, 17 March 2020

Google's size does not relieve it from GDPR responsibilities, though, and Brave's claim is that the search giant is not transparent about the purposes for which it collects data.

The privacy officer and his employer consider that Google's privacy policies are "hopelessly vague and unspecific", despite the GDPR requirement for specificity.

Ryan is asking the data protection commissions to require Google to provide "a full and complete list of the purposes for which his data has been collected and processed." He also proposes that Google's processing activities are audited.

It would indeed be very interesting to see all the details they collect about you, how they are used and who has access.

Brave to generate random browser fingerprints to preserve user privacy

Found on ZD Net on Wednesday, 11 March 2020

Brave's decision comes as online advertisers and analytics firms are moving away from tracking users via cookies to using fingerprints.

For non-technical users or readers who are not familiar with the term, user fingerprints are a collection of technical details about a user and their browser. They include a large spectrum of data, such as platform details and Web API measurements.

The privacy of the users should be the top priority for browser developers. Too bad many others think differently.

Brave deemed most private browser in terms of 'phoning home'

Found on ZD Net on Sunday, 08 March 2020

The professor found evidence that Chrome, Firefox, and Safari all tagged telemetry data with identifiers that were linked to each browser instance. These identifiers allowed Google, Mozilla, and Apple to track users across browser restarts, but also across browser reinstalls.

The professor said that Edge collected the hardware UUID of the user's computer, an identifier that cannot be easily changed or deleted without altering a computer's hardware.

Similarly, Prof. Leith also found that Yandex transmitted a hash of the hardware serial number and MAC address to its backend servers.

This makes the "Do not track" checkboxes a cheap joke. Tracking should be illegal. That aside, Windows 10 is the most spying OS ever and a real problem for users.

Windows 7 goes dual screen to shriek at passersby: Please, just upgrade me or let me die

Found on The Register on Tuesday, 03 March 2020

Microsoft has spent the last year begging Windows 7 users to move to a better place. In this case, it appears that the abandoned OS's mewling has gone unheeded by the operators at c2c's Thorpe Bay station, leaving it no choice but to yell at passersby that it is out of support – will somebody just please upgrade it already?

If the successor weren't that bad, more people would move on; but paid software that comes with adverts by default, forces users to create online accounts, snoops on them and takes control away from them is not meant to be used.

Microsoft Wants to do Away with Windows 10 Local Accounts

Found on Bleeping Computer on Friday, 28 February 2020

As time goes on, it is becoming increasingly clear that Microsoft is trying to make local accounts a thing of the past and push all new Windows 10 users to a Microsoft account.

A Local Account is one that is tied to the computer, cannot be used to login to other computers, is not integrated into Windows 10 cloud services such as OneDrive and the Microsoft Store, and does not require an email address.

For those affected, the only way to create a local account during setup is to ... disconnect the computer from the Internet.

Yes, that's right, Microsoft now makes you disconnect the computer from the Internet to create a local account during setup!

It's their idea to collect more and more information about their customers products. Sooner or later, this data will be analyzed and sold.

CTO calls for patience after devs complain promised donations platform has stalled

Found on The Register on Saturday, 22 February 2020

At the end of August, JavaScript package registry NPM Inc said it intended "to finalize and launch an Open Source funding platform by the end of 2019."

Funding has also been a concern for NPM Inc, which was said last year to be running short on cash. Asked about the financial state of the biz, Schlueter didn't get into specifics but suggested things have been going well.

If you intend to put money into npm, you should see a doctor.