Categories
Privacy Security Website whinging

Failed circular verification

So, you need access to a Google doc but when you log in Google senses that the PC has not been used before and is suspicious. It needs verification.

Ok, first off, this is not me. I have access to Google etc. And verification is a great idea. But there is a hole and as yet we’ve not found the bottom.

Verification is all very well provided you can actually do what is required. But what about where your verification is your work telephone and you did not enter a mobile number, nor do you want to tell Google your mobile number anyway?

Google has ‘other ways’ to verify you. Following this path, it sends a code to an email address. The only email address in use was the work one. The code came, but this is not enough: Google still wants to send a text to a phone – it still wants that mobile number you don’t want to put in. This ends up being circular, with another code being emailed and, once again, another request for a mobile.

In the end it was quicker to ask the document owner to simply email it rather than trying to reach the bottom of the hole being dug by Google.

Categories
Data protection Internet surveillance Privacy Security

Correcting the panoptic vision

Data retention – those laws requiring providers to retain communications metadata – has come under attack again from the CJEU. After a chain of legislation fell foul of data protection laws over the decades, the latest and greatest Investigatory Powers Act is now on very thin ice.

The punchline in Case C‑623/17 was twofold. First, the court determined that “national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security” falls under data protection legislation. And second, it found that the legislation precludes “national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.”

Mind you, given the government’s actions of late, including enacting legislation which is technically illegal, one wonders what difference it will make. Throwing Brexit into the mix may not actually help Them out here because, unless changes are made, this will greatly affect the UK’s ability to transfer personal data as a third country to the EU. Perhaps Schrems, the destroyer of Safe Harbor and Privacy Shield, will turn his attention to the UK!

Categories
Security

The perils of using remote scripts

The BBC ran an article on the recent BA hack. The thing that stands out for me is the following:

“Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack.” (https://www.bbc.co.uk/news/technology-45481976)

I’ve argued against this in the past but to no avail. And it’s everywhere now. Designers use code located in any old place in order to make their websites work. I’ve even seen it inside commercial CMS systems where, when PHP versions come out with functions deprecated, the software vendor has a major task in finding or writing new libraries because the Internet-sourced one they use is no longer being updated. I have also seen font libraries used where the usage exceeds the agreement and the download then fails, sometimes causing a delay in the poor user’s browser. Browse to just about any commercial website now and take a look at the connections your system is making and to where; these are often to download a font or a JavaScript library to do some jazzy function.

Remember the news when some JavaScript library included a bitcoin mining script?

And heaven forbid programmers won’t simply take bits of code from Internet sources and glue it all together to create a new app. I mean, that would just be asking for trouble, right?

Basically, we’re doomed…

Categories
Security

BA’s power outage

Not really a subject for my blog, but I must say the thought of someone unplugging a whole data centre from its only power sources reminds me of this Father Ted clip:

https://m0.joe.ie/wp-content/uploads/2014/12/17143558/dougal-button-o.gif

Categories
Security Website whinging

URL shortener problems

I noticed today that the BBC uses bbc.in as a URL shortener. I wanted to see a story posted by the local BBC outfit on Twitter that carried such a link. But the bbc.in link redirected to bit.ly… the trouble is that bit.ly is currently blocked by Sky Broadband Shield for phishing or malware. Actually there’s no surprise there given what bit.ly et al. do.

Later on the redirect from bbc.in went to trib.al which is not blocked and that then took me to a BBC page.

So… given the BBC owns bbc.in why not put a URL shortener there and avoid these external, uncontrolled ones? I mean, these externals are bound to continue to cause issues.
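The bbc.in → bit.ly → trib.al chain above is a good illustration of why a link-checking tool should resolve shortener redirects one hop at a time rather than letting the browser follow them blindly: each intermediate host can then be compared against a policy before anything is fetched. The code below is an added example, not part of the original post; it replaces the live network with a constructed redirect table standing in for the services named in the post, so it runs offline. The short-link paths, the final story URL and the blocked-host list are all made up.

```javascript
// Added example (not from the original post): walking a URL-shortener
// redirect chain hop by hop so each intermediate host can be checked
// against a policy before a browser follows it. Node.js, no network.

// Constructed redirect table standing in for the live services. Keys are
// the URLs requested, values are the Location headers they would return.
const FAKE_REDIRECTS = {
  'https://bbc.in/abc123': 'https://bit.ly/3xyz',
  'https://bit.ly/3xyz': 'https://trib.al/q9w8e7',
  'https://trib.al/q9w8e7': 'https://www.bbc.co.uk/news/example-story',
};

// Hosts the operator treats as untrusted intermediaries (constructed list,
// echoing the filter behaviour described in the post).
const BLOCKED_HOSTS = new Set(['bit.ly']);

// Resolve one hop: the Location for a URL, or null if it is the final page.
// A real tool would issue an HTTP request with redirects disabled, e.g.
// fetch(url, { redirect: 'manual' }), and read the Location header.
function lookupHop(url) {
  return FAKE_REDIRECTS[url] ?? null;
}

// Follow the chain, recording every hop. Stops at the first blocked host,
// on a loop, or when the hop limit is reached (shorteners can chain or loop).
function expandShortLink(startUrl, { lookup = lookupHop, maxHops = 10 } = {}) {
  const hops = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const host = new URL(current).hostname;
    if (BLOCKED_HOSTS.has(host)) {
      return { final: current, hops, status: 'blocked', blockedHost: host };
    }
    const next = lookup(current);
    if (next === null) {
      return { final: current, hops, status: 'resolved' };
    }
    // Location may be relative; resolve it against the current URL.
    current = new URL(next, current).href;
    if (seen.has(current)) {
      return { final: current, hops, status: 'loop' };
    }
    seen.add(current);
    hops.push(current);
  }
  return { final: current, hops, status: 'too-many-hops' };
}

console.log(expandShortLink('https://bbc.in/abc123'));
```

Run against the constructed table, the bbc.in link stops at bit.ly with status `blocked`, which is the outcome the post describes; starting from the trib.al hop resolves cleanly to the story. The same walker, pointed at a real `fetch` with `redirect: 'manual'`, gives a defender the full hop list to log or review without the browser ever touching the blocked host.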