Car manufacturer websites

I’ve been looking round several car manufacturers websites today as I am shopping for a new car. So off I went as you’d expect.

Apart from a variety of cookie notices, many of which are confusing, though some are surprisingly good, the vast array of marketing methods used and abused is astonishing. I suppose this should not come as a surprise, but the following are a few of the worst:

  • Link to prices is circular and you never get near a price
  • Several pages in and you find the car you came to see is not yet available
  • A car you know to be on sale does not appear anywhere on the manufacturer's website
  • Link to specifications page gives a 404 error (seriously?!)

I may well add to the list!

Now there are some very good and well thought out sites there – I’m not naming any or shaming any here – but for companies that make a bazillion dollars a year you’d think they could at least get this right! I mean, it’s 2019, not 1993 (ah, my first website, way back in 1993…)


EU domains

Who would have thought that .eu domains owned by companies or individuals in the UK would be at risk when the UK leaves the EU? I mean, when you register for one you are asked to declare that you are in the EU… so it should not come as a surprise that if you are not so, you can’t have a .eu domain.

Well, EURid, the .eu domain registry, has sent a reminder that come the 30th March 2019, if the UK has left with no deal, they will be switched off, but there will be a 2 month grace period. https://eurid.eu/en/register-a-eu-domain/brexit-notice/ says it all…

I wonder if the leave.eu people will register a business address in the EU in order to keep their website running. Yes they can take advantage of the 2 month grace period and have their “we’ve left” party messages, but if they want to keep that message going after that they’ll have to have an office in the EU and I suspect that would be rather bad PR.

If we leave with a deal and therefore enter the transition period this is all offset a fair way but it is still out there… after all, we all signed up to the rules set by the registrar so no whinging. (yes, I have one .eu domain but I can live without it – email via the domain is currently only used by one energy supplier who, for some reason cannot change my email address despite me asking many times, and by a local law firm and then only because I have yet to change it. And some minor spam. No biggie.)

The cookie crumbled…

There are still lots of websites that are now wholly noncompliant in regard to cookies and cookie notices. I came across one today which has the usual fifth-of-a-screen banner popup pleading with me to accept cookies:

“Please accept cookies so we can deliver you the best experience”

Well, I might if it told me even remotely why. Click on the ‘read more’ and it tells me what a cookie is and lists a series of links to browser information pages, each taking you off to the browser suppliers own website. It does not give any option to select what type of cookie I will allow, nor does it say why it sets them, which ones it sets or what it, or others will do with them. And of course it has already set them!

There are some really good (IMO) sites now which tell you they are setting cookies and let you choose which types, the better ones having the advertising type cookies deselected by default, so if you just click through the screens you actually get the best option, privacy-wise. Then there are media driven sites – those hanging off newspapers and such – which give you a list of 400+ websites, each of which you need to deselect or even visit in turn to stop that particular cookie. Seriously, those need shredding. I just click away when faced with them, and these days I regularly clear out all cookies anyway. The only ones of any interest to me personally are those that hold on to the fact that you are already logged into a forum, for example, and almost all the forums I use now have an option to automatically log me in using the password stored in the browser, so it matters not that I clear these out.

Facebook, WhatsApp, Messenger and Instagram

So, Facebook is planning to integrate WhatsApp, Messenger and Instagram ( https://www.bbc.co.uk/news/technology-47001460 ). Facebook has owned Instagram since 2010 and WhatsApp since 2014, and Messenger was a Facebook original. What could possibly be wrong with that? I mean, everyone would want them to, right? And they do own them.

However, for me it’s not so much about the doing but how it is done. Taking just WhatsApp, it always marketed itself as encrypted end to end (E2EE). This is a great concept in these days of rampant surveillance but at least currently, this is only true where messages stay within WhatsApp.

One of the founders of WhatsApp quit and announced that we should all delete Facebook. Riding on the wave of the Cambridge Analytica scandal this added flames to the already burning fire.

Now we learn of Facebook’s plans to better integrate WhatsApp, Messenger and Instagram, making it easy for users of each to interact with users of any of the apps. Presumably Facebook will be core to this data merging.  But what of E2EE?

Without searching for documentation on exactly how each app works, E2EE is supposed to ensure that messages sent are encrypted before sending and not decrypted until receipt. Ok, this works fine in theory, and if apps do what they say on the tin it works in practice provided you remain aware of limitations, not least that once a message is decrypted for display then anything that can get at that display can logically get at the decrypted message.

And here’s the thing. If, say, you send a message from WhatsApp to Messenger then unless the keys are shared between the apps the message will need to be decrypted (and possibly re-encrypted) in order to send between these disparate apps. Think of it this way: the sending WhatsApp app encrypts in a way that the receiving WhatsApp app can decrypt and the message is never touched in between. But if there is an exchange that takes a message from WhatsApp and sends it to Instagram then unless Instagram can directly decrypt the encrypted WhatsApp message the exchange needs to decrypt the message prior to sending it onwards. This exchange will presumably be buried deep within Facebook and, if so (and bear in mind this is a worst-case scenario – I expect these guys have thought this through and will uphold E2EE. And, yes, pigs really do fly) the decrypted text will be accessible to Facebook. This is my worry here. Mind you, when I want to discuss something in private I do use other means…

There are of course issues with E2EE after a message has been received if, say you synchronise to cloud storage. Messages here will not be re-encrypted by the original app as it is no longer playing. They may be encrypted somehow before storage in the cloud but there are no guarantees here and it will depend entirely on the cloud service being used. However, assuming you are security aware and do not send any such messages off to cloud storage, can one really rely on E2EE in any shape or form once apps begin to pass messages between themselves? I doubt it but time will tell. Maybe I’m being too opsec here…
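The two cases argued above – an exchange between apps that hold separate keys, versus one where the endpoints share a key the exchange never sees – can be made concrete. The following is an added illustration written for this page, not code from any of the apps named in the post. It uses a toy authenticated stream cipher built from HMAC-SHA256 (constructed here so the example runs with only the Python standard library; a real messenger uses a vetted AEAD and a key-agreement protocol) and a hypothetical `Bridge` class standing in for the exchange. Everything it shows is the plaintext exposure the post describes: with per-app keys the bridge has to decrypt to re-encrypt, so it sees every message; with a shared end-to-end key it can only relay bytes it cannot read.

```python
import hashlib
import hmac
import os

# Toy authenticated stream cipher (constructed for this illustration only).
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes of keystream via HMAC in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only a holder of `key` can read or alter it."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key` and recover the plaintext; raise if the key is wrong."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Bridge:
    """Hypothetical exchange between two apps; records every plaintext it can see."""

    def __init__(self) -> None:
        self.seen: list[bytes] = []

    def reencrypt(self, blob: bytes, key_in: bytes, key_out: bytes) -> bytes:
        # Separate keys per app: the bridge MUST decrypt to re-encrypt for the other side.
        plaintext = decrypt(key_in, blob)
        self.seen.append(plaintext)  # this is the exposure the post is worried about
        return encrypt(key_out, plaintext)

    def forward(self, blob: bytes) -> bytes:
        # Shared end-to-end key: the bridge only relays bytes it cannot read.
        return blob

    def can_read(self, blob: bytes, key: bytes) -> bool:
        try:
            decrypt(key, blob)
            return True
        except ValueError:
            return False


def run_scenarios(message: bytes = b"meet at the usual place") -> dict:
    """Compare delivery across apps with separate keys vs one shared key."""
    key_app_a = os.urandom(32)   # sending app's session key (constructed)
    key_app_b = os.urandom(32)   # receiving app's session key (constructed)
    key_bridge = os.urandom(32)  # whatever key material the bridge itself holds
    results = {}

    # Scenario 1: each app has its own key, so the bridge decrypts in the middle.
    bridge = Bridge()
    delivered = bridge.reencrypt(encrypt(key_app_a, message), key_app_a, key_app_b)
    results["separate_keys"] = {
        "recipient_reads": decrypt(key_app_b, delivered),
        "bridge_saw": bridge.seen[0],
    }

    # Scenario 2: sender and recipient agreed a key the bridge never holds.
    shared = os.urandom(32)
    bridge = Bridge()
    blob = encrypt(shared, message)
    delivered = bridge.forward(blob)
    results["shared_key"] = {
        "recipient_reads": decrypt(shared, delivered),
        "bridge_saw": bridge.seen,  # stays empty
        "bridge_can_read": bridge.can_read(blob, key_bridge),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point the comparison makes is that "E2EE" is a property of where the keys live, not of whether each hop is encrypted: scenario 1 is encrypted on every link and still leaks the message to whoever runs the bridge.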

A kitchen full of unwanted cookies…

I was notified by email today of a document shared on Yahoo! that I needed to read. So… off to Yahoo! and I am presented with a screen about privacy. I can get no further before I either blindly accept all their cookies and those of their partners or I can manage what is set. Ok, let’s manage it then – off to the Privacy Centre (hmmm… UK spelling).

What I am looking for is a button where I can reject cookies. Ok… so in paragraph 2 of 12 or so, I lost count, I find the link to the Privacy Dashboard. Off we go then, I bet the ‘reject’ button is there, oh no wait I get a screen full of brand icons I can click to see how each partner will use my personal data. Hmmm. No reject button then…

I clicked the first one and I’m whizzed off, electronically to the vendors site where I need to log in and prove I am not a robot. Try another. Same thing, and indeed the same login function hosted by AOL. And, you guessed it, it’s setting cookies before I have even had the chance to say yes or no.

And I’ve yet to get anywhere near the document I want to see…

I’m not going any further but seriously, if I actually wanted to find out how my personal data will be used by this website, the company behind it, the company behind them, and each of their partners and the companies behind those, it would take me an hour or more, and I’d be rewarded with a whole kitchen full of cookies.

So, the document remains unread… shame really. And now I need to get rid of the cookies that have been set before I even had the chance to say ‘no’.

Ubuntu 18.04 LTS

I finally upgraded to 18.04, an advantage of which is I am finally rid of the Unity desktop and back to Gnome. I never ‘got’ Unity and had added the Gnome add-ons which made it Gnome-like but quirky. For some reason, the system would always launch a service process via upstart that sat there doing nothing every time I unlocked the screen… resulting in the process table filling up before I realised.

The upgrade caught me out however. For some reason it did not bring across php-mysql or the Stomp library but both were easy to put back in. I use Stomp to pull in Network Rail Open Data, something I’ve been fiddling with recently but more of that some time later on.

It also seems to default to a later CIFS protocol than my poor old backup NAS devices use meaning they would not mount, so I had to add vers=1.0 to the lines in /etc/fstab to solve that one.

Finally, until I find more, Apache would not see PHP even though PHP had been upgraded so it needed a2enmod php7.2 and a bounce of Apache. That one is particularly annoying as without it Apache merrily shows The World your PHP script as text, including of course any passwords or other niceties contained therein. Fortunately this system is not accessible from outside the house network.

Nothing else seems to be amiss, the PC still sees the SignaLink USB interface and all audio devices are still where I left them.

Awful cookie consent pages…

There’s an interesting mixture of cookie consent pages and functions these days, ranging from one nice site I saw that had defaulted to ‘none’, to those that seem to want you to opt out individually of over 400 advertising cookies, with quite a few of those requiring you to go and find the advertiser in question to opt out. I just saw one which has the usual half-page banner that only gives an option to accept all cookies, but hidden (in plain sight) is a link that takes you to a consent page. This page does nothing but want you to consent to all cookies but, if you try hard enough, it tells you how you can opt out – by visiting some advertising agency cookie control site. Er, no, that’s not how it should be done.

I wonder if anyone (other than me) actually bothers to complain to whatever agency is even listening about these stupid practices!

The perils of using remote scripts

The BBC ran an article on the recent BA hack. The thing that stands out for me is the following:

“Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack.” (https://www.bbc.co.uk/news/technology-45481976)

I’ve argued against this in the past but to no avail. And it’s everywhere now. Designers use code located in any old place in order to make their websites work. I’ve even seen it inside commercial CMS systems where, when PHP versions come out with functions deprecated, the software vendor has a major task in finding or writing new libraries because the Internet-sourced one they use is no longer being updated. I have also seen font libraries used where the usage exceeds the agreement and the download then fails, sometimes causing a delay in the poor user’s browser. Browse to just about any commercial website now and take a look at the connections your system is making and to where, often to download a font or a Javascript library to do some jazzy function.

Remember the news when some Javascript library included a bitcoin mining script?

And heaven forbid programmers won’t simply take bits of code from Internet sources and glue it all together to create a new app. I mean, that would just be asking for trouble, right?

Basically, we’re doomed…
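The standard defence against exactly the risk the BBC quote describes – a script pulled from a third-party host being changed under the site that embeds it – is Subresource Integrity: the page records a hash of the file it tested against, and the browser refuses to run a fetched copy whose hash differs. The following is an added example for this page, not code from the post, the BBC article or any of the sites mentioned. It generates the `integrity` attribute, builds the tag, and mimics the browser-side check; the library body and the `https://cdn.example/jazzy.js` URL are constructed sample values.

```python
import base64
import hashlib
import hmac

# SRI lets a page list several hashes; the browser consults only the strongest
# algorithm present, so weaker tokens cannot override a stronger one.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for a script or stylesheet body."""
    if algo not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the tag to embed; crossorigin is required for SRI on cross-origin fetches."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: hash the fetched body with the strongest listed
    algorithm and accept only if it matches a token for that algorithm."""
    tokens: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in _STRENGTH:
            tokens.setdefault(algo, []).append(rest.split("?")[0])  # drop option suffix
    if not tokens:
        # No usable metadata. A browser would load the file unchecked; this helper
        # fails closed instead, which is the behaviour a deploy-time check wants.
        return False
    best = max(tokens, key=_STRENGTH.get)
    actual = base64.b64encode(hashlib.new(best, body).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in tokens[best])


# Constructed sample: the library as pinned when the page was built, and the same
# file after an unexpected change on the third-party host.
PINNED_LIBRARY = b"function jazzy(){document.title='jazzy';}\n"
ALTERED_LIBRARY = PINNED_LIBRARY + b"console.log('code that was not there when pinned');\n"
PINNED_TAG = script_tag("https://cdn.example/jazzy.js", PINNED_LIBRARY)


def demo() -> dict:
    """Show the pinned file passing and the altered file being rejected."""
    integrity = sri_hash(PINNED_LIBRARY)
    return {
        "pinned_ok": verify_sri(PINNED_LIBRARY, integrity),
        "altered_ok": verify_sri(ALTERED_LIBRARY, integrity),
    }


if __name__ == "__main__":
    print(PINNED_TAG)
    print(demo())
```

Two caveats a practitioner should keep in mind: SRI only works for files you can pin, so a library fetched from an unversioned "latest" URL will break the moment the host legitimately updates it (which is the point, but the hash then has to be refreshed as part of your own release); and it covers scripts and stylesheets, not fonts or the further resources a pinned script may itself fetch.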

Google’s hopeless reCaptcha strikes again!

Good grief. The infernal recaptcha is used on the car insurance amendment form of a well known insurer. I had to use this today as it is a lot easier than the phone. SEVEN screens of asking me to click every road sign and every store front, then the form would not finish, simply saying ‘field required’ – all were filled in correctly. No way back so I reloaded and started that part of the form over, another SEVEN screens, this time road signs and buses. Finally I got through. So FOURTEEN of these infuriating Google screens later I got to the end of the form. Actually, phoning would be easier; let’s give up on these web forms, as the use of this maddening junk makes them wholly useless now.

Oh yes and still if I dare click for the audio version it just tells me I have clearly mounted an automated attack and blocks all further requests. Clearing all my cookies sorted that one but the voices are generally unintelligible, so little help there.

Again with the photo ID

I need to collect some building supplies. These were ordered online ‘click and collect’, the emails and associated text comes to my phone, and yet I am told I need to bring photographic ID with me. I wonder if they will accept a photo of my passport photo on my phone… if there’s no queue I may well try that out!

Ok I can see the point, after all I already paid for the supplies and I would be really cross if someone faked my name and grabbed them.

Maybe if there was some government-backed ID other than a passport that can prove I am me… oh, wait.