Notebook blues

A notebook came in the other day that had had tea poured into it and now refuses to work. I’d never seen inside one of these before and we wondered if the hard disk could be removed and installed elsewhere to recover any files. At that time I’d not been to Google to check on the model etc. because there was a disk-sized lump which surely must be it?

No, it’s part of an odd shaped battery! On inspection I could only see two connections and even though the whole ‘thing’ was connected by a multi-way plug it definitely looked very un-disk-like. Off to Google.

Yup. It’s a battery alright. This notebook has no disk, just some GB’s worth of flash. All data is stored on OneDrive. Hopefully!

You live and learn…

US now wants your Facebook details when you visit

Lots of chatter today that the US now requires “nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers”. (1) Essentially it requires visitors to give their social media information, phone numbers and e-mail addresses for the past 5 years.

The BBC carried a bit about this back in 2017 (2) which also stated that critics considered that checking up on these “could lead to extended, fruitless lines of inquiry or the collection of personal information not relevant to security checks”. Well, yeah, and I would need several continuation sheets to fill all my information in over that period.

A quick trawl through the visa waiver website suggests (a) that it is out of date because it does not indicate the requirement is now absolute and (b) clearly they will use this information to check up on you i.e. if your Facebook page marks you out as undesirable you’re out of luck. I did not delve further.

So your social media profile may now exclude you from entry. Of course, no undesirable type is capable of creating a fake Facebook profile are they…

So, is a blog social media? I’d argue not, yet I know this blog is spidered by Google (other spiders are available) regularly!

1 – https://www.cbsnews.com/news/state-department-now-requires-us-visa-applicants-to-share-social-media-accounts-2019-06-01/

2 – https://www.bbc.co.uk/news/technology-40132506

Hacking Instagram

So I caught sight of a TV programme tonight regarding someone’s Instagram account being hacked and the difficulty in getting the account back. The suggestion was that Instagram should presumably have been instant at helping. But it missed the point by a country mile. Here we have something that is essentially free to use, and trusts you to be you. What I mean by that is there is no global ID scheme proving you are you, so the only thing to rely on is, for example, that when you subscribe with an email address you actually receive an authorisation email and take some action.

How you can point the finger at something which exists primarily to process your personal information while providing you a service for free, and says as much when you sign up to it, defeats me. IT’S FREE. Don’t expect 24/7 service if you are paying nothing at all for it. This is the real world. Make sure your password is strong and turn on 2FA where available.

Oh yeah, and if some scrote hacks my Instagram account you can keep it! I’m quite sure that my followers, few that they are, will realise that anything odd is simply not me and should be ignored. QED.

Marketing

Politics has no place in this blog and that is not about to change. But something made me laugh today.

In days of old when techies ruled the web we’d use whatever domains we thought were best. But back then there were few, basically .com, .org, .net, .edu, .gov, .mil and a couple of others. Of course, everyone wanted a .com. Later we got country codes, thus .co.uk, .org.uk, .ac.uk and so on, and every other country did similar. And here we are today with zillions of domains, some restricted, others not so. At one stage I had a .museum domain but my project didn’t get very far and the domain costs were too high. To get that I had to fill in all sorts of proof.

A lot of my work in name and brand protection saw me acquiring domains which could be used against us, and domains which we could use for marketing in other countries. I had loads including permutations of our name as well as our actual name in other countries and regions. For example, I had China, Asia, Europe, US, many generics, and others in the organisation had India and Japan. I could throw domains up literally in seconds if we detected an issue, for example a name very close to ours but being used in a scam or some fakery. All were directed at relevant information or at our main websites or region specific parts thereof. These were all tools both for me in my work and for marketing, as we had them available for extraterritorial projects.

So it did amuse me to see that some party had purchased a .org domain but no others. Immediately someone else grabbed the .com and .eu versions of the same name and put up opposing views. Many others are also taken but are parked. An individual grabbed the .org.uk version and some enterprising person even grabbed the .party (one of the new TLDs) domain and parked that.

If you have an idea, a name, a party, or whatever, speak to your marketeers about it before anyone says anything. Listen to them but also advise them. It can save you, and them, a lot of embarrassment.

Cookie consent

Seriously, when are website designers going to realise that setting lots of cookies and then asking for consent is the wrong way round? I mean, surely the concept is clear. Unless the cookie is strictly necessary, for example to carry out the function requested by the user, don’t set the darn thing until consent is gained. To me this is like someone plastering advertising stickers all over your car and then finding you and asking if it’s ok, versus someone asking ‘hey can I put these advertising stickers on your car?’

As I’ve said before, there are some truly excellent cookie consent mechanisms out there now, and some truly awful ones, and every mix in between. I’ve seen one recently that sets out your options at the bottom of the page rather than send you off to another page, and they were all pre-unchecked. And another, a cookie wall this time (to be banned soon!) where you either accept or go off to a completely different website run by an advertising agency, only to be told you then need to tell your browser to reject cookies. One had a list of about 400 partner sites and you had to deselect each, one very similar had the same but you could deselect them all in one go. But in each case they were selected by default and consent is gained basically by user frustration – click Yes just to get somewhere, anywhere.

Of course, you can always empty your browser’s cookie cache regularly as I do. But then you run the risk of Google asking you to go through their consent stuff for the umpteenth time because you deleted the cookie they set that remembers your answers. That’s understandable, but still frustrating. Browsers could use a mechanism whereby you clear out everything except a few you choose specifically to persist, and have a button on the menu bar to clear them too so you do not need to go diving into the menus.

Those pesky cookie consent notices…

Those that know me probably know I do go off on one when it comes to annoying uses of cookies. Well, I came across two allegedly GDPR-compliant consent pages today, each of which amazed me but for diametrically opposing reasons.

The first of the two threw up a box obscuring most of the website telling me it uses cookies, that I can find out why in the privacy notice, and then saying “You are hereby requested to accept the use of these cookies”. No other options.

Ok. First off, the privacy notice had just about zero information about what cookies it set and what these were used for. Fail. Next, there is no way to consent or refuse. Fail. The only way to remove the annoying box is to accept. Fail. Oh, and by the way it had already set the cookies anyway regardless of whether I accepted or not. Major fail!

The second example I came across was so different. Here, and in just three sentences at the bottom of the screen, it told me what it used, why it used them, and below this were a series of 4 tick boxes for Necessary, Preference, Statistics, and Marketing, all ticked except Marketing. I didn’t even need to read the linked privacy notice nor anything else to know that the options it was offering were the ones I would have chosen anyway. This is by far the best implementation of a cookie consent popup I have ever seen! YMMV.
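As an added example, not from this blog, of doing it the right way round (as argued in the Cookie consent post above and illustrated by this second site): a small consent gate in JavaScript that sets only the strictly necessary cookie until the banner is answered, then honours the four categories. The cookie names and values, and the writeCookie callback standing in for document.cookie, are assumptions made up for the demo.

```javascript
// Added example (not from the blog): set only strictly necessary cookies until
// the visitor has answered the banner, then the rest according to their choices.
// Cookie names and values below are constructed for the demo.
const CATEGORIES = ['necessary', 'preference', 'statistics', 'marketing'];
// Cookies the site would like to set, each tagged with its category.
const WANTED = [
  { name: 'session_id', category: 'necessary', value: 's3ss10n' },
  { name: 'lang', category: 'preference', value: 'en-GB' },
  { name: 'visits', category: 'statistics', value: '1' },
  { name: 'ad_id', category: 'marketing', value: 'ad-42' },
];
// writeCookie is the real cookie writer (document.cookie in a browser); it is
// a plain callback here so the gate also runs under Node.
function createConsentGate(writeCookie, wanted = WANTED) {
  let consent = null; // null: the visitor has not answered yet
  const alreadySet = new Set();
  function allowed(category) {
    if (category === 'necessary') return true; // no consent needed
    return consent !== null && consent[category] === true;
  }
  // Set every wanted cookie whose category is allowed right now; safe to call
  // on page load and again after the banner has been answered.
  function flush() {
    for (const c of wanted) {
      if (!alreadySet.has(c.name) && allowed(c.category)) {
        writeCookie(c.name, c.value);
        alreadySet.add(c.name);
      }
    }
    return [...alreadySet];
  }
  // Record the answer: unknown categories are rejected, 'necessary' cannot be
  // switched off, and the answer itself is stored as a necessary cookie so the
  // banner need not be shown again.
  function record(choices) {
    const clean = { necessary: true };
    for (const [k, v] of Object.entries(choices)) {
      if (!CATEGORIES.includes(k)) throw new Error(`unknown cookie category: ${k}`);
      if (k !== 'necessary') clean[k] = v === true;
    }
    consent = clean;
    writeCookie('cookie_consent', JSON.stringify(clean));
    return flush();
  }
  return { flush, record, consented: () => consent !== null };
}
```

Call flush() on page load and record() from the banner's button; with the page's preferred defaults (everything ticked except marketing) the marketing cookie is never written unless the visitor ticks it.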

Car manufacturer websites

I’ve been looking round several car manufacturers’ websites today as I am shopping for a new car. So off I went as you’d expect.

Apart from a variety of cookie notices, many of which are confusing though some are surprisingly good, the vast array of marketing methods used and abused is astonishing. I suppose this should not come as a surprise, but the following are a few of the worst:

  • Link to prices is circular and you never get near a price
  • Several pages in and you find the car you came to see is not yet available
  • A car you know to be on sale does not appear anywhere on the manufacturer’s website
  • Link to specifications page gives a 404 error (seriously?!)

I may well add to the list!

Now there are some very good and well thought out sites there – I’m not naming any or shaming any here – but for companies that make a bazillion dollars a year you’d think they could at least get this right! I mean, it’s 2019, not 1993 (ah, my first website, way back in 1993…)


EU domains

Who would have thought that .eu domains owned by companies or individuals in the UK would be at risk when the UK leaves the EU? I mean, when you register for one you are asked to declare that you are in the EU… so it should not come as a surprise that if you are not so, you can’t have a .eu domain.

Well, EURid, the .eu domain registrar, has sent a reminder that come the 30th March 2019, if the UK has left with no deal, they will be switched off, but there will be a 2 month grace period. https://eurid.eu/en/register-a-eu-domain/brexit-notice/ says it all…

I wonder if the leave.eu people will register a business address in the EU in order to keep their website running. Yes they can take advantage of the 2 month grace period and have their “we’ve left” party messages, but if they want to keep that message going after that they’ll have to have an office in the EU and I suspect that would be rather bad PR.

If we leave with a deal and therefore enter the transition period this is all offset a fair way but it is still out there… after all, we all signed up to the rules set by the registrar so no whinging. (yes, I have one .eu domain but I can live without it – email via the domain is currently only used by one energy supplier who, for some reason cannot change my email address despite me asking many times, and by a local law firm and then only because I have yet to change it. And some minor spam. No biggie.)

The cookie crumbled…

There are still lots of websites that are now wholly non-compliant with regard to cookies and cookie notices. I came across one today which has the usual fifth-of-a-screen banner popup pleading with me to accept cookies:

“Please accept cookies so we can deliver you the best experience”

Well, I might if it told me even remotely why. Click on the ‘read more’ and it tells me what a cookie is and lists a series of links to browser information pages, each taking you off to the browser supplier’s own website. It does not give any option to select what type of cookie I will allow, nor does it say why it sets them, which ones it sets, or what it, or others, will do with them. And of course it has already set them!

There are some really good (IMO) sites now which tell you they are setting cookies and let you choose which types, the better ones having the advertising type cookies deselected by default so if you just click through the screens you actually get the best option, privacy wise. Then there are media driven sites – those hanging off newspapers and such – which give you a list of 400+ websites, each of which you need to deselect or even visit in turn to stop that particular cookie. Seriously, those need shredding. I just click away when faced with them, and these days I regularly clear out all cookies anyway. The only ones of any interest to me personally are those that hold on to the fact that you are already logged into a forum, for example, and almost all the forums I use now have an option to automatically log me in using the password stored in the browser, so it matters not that I clear these out.

Facebook, WhatsApp, Messenger and Instagram

So, Facebook is planning to integrate WhatsApp, Messenger and Instagram ( https://www.bbc.co.uk/news/technology-47001460 ). Facebook has owned Instagram since 2010 and WhatsApp since 2014, and Messenger was a Facebook original. What could possibly be wrong with that? I mean, everyone would want them to, right? And they do own them.

However, for me it’s not so much about the doing but how it is done. Taking just WhatsApp, it always marketed itself as encrypted end to end (E2EE). This is a great concept in these days of rampant surveillance but at least currently, this is only true where messages stay within WhatsApp.

One of the founders of WhatsApp quit and announced that we should all delete Facebook. Riding on the wave of the Cambridge Analytica scandal this added flames to the already burning fire.

Now we learn of Facebook’s plans to better integrate WhatsApp, Messenger and Instagram, making it easy for users of each to interact with users of any of the apps. Presumably Facebook will be core to this data merging. But what of E2EE?

Without searching for documentation on exactly how each app works, E2EE is supposed to ensure that messages sent are encrypted before sending and not decrypted until receipt. Ok, this works fine in theory and if apps do what they say on the tin it works in practice, provided you remain aware of limitations, not least that once a message is decrypted for display then anything that can get at that display can logically get at the decrypted message.

And here’s the thing. If, say, you send a message from WhatsApp to Messenger then unless the keys are shared between the apps the message will need to be decrypted (and possibly re-encrypted) in order to send between these disparate apps. Think of it this way: The sending WhatsApp app encrypts in a way that the receiving WhatsApp app can decrypt and the message is never touched in between. But if there is an exchange that takes a message from WhatsApp and sends to Instagram then unless Instagram can directly decrypt the encrypted WhatsApp message the exchange needs to decrypt the message prior to sending it onwards. This exchange will presumably be buried deep within Facebook and, if so (and bear in mind this is a worst-case scenario – I expect these guys have thought this through and will uphold E2EE. And, yes, pigs really do fly) the decrypted text will be accessible to Facebook. This is my worry here. Mind you, when I want to discuss something in private I do use other means…

There are of course issues with E2EE after a message has been received if, say, you synchronise to cloud storage. Messages here will not be re-encrypted by the original app as it is no longer playing. They may be encrypted somehow before storage in the cloud but there are no guarantees here and it will depend entirely on the cloud service being used. However, assuming you are security aware and do not send any such messages off to cloud storage, can one really rely on E2EE in any shape or form once apps begin to pass messages between themselves? I doubt it but time will tell. Maybe I’m being too opsec here…