The perils of using remote scripts

The BBC ran an article on the recent BA hack. The thing that stands out for me is the following:

“Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead – this is known as a supply chain attack.” (https://www.bbc.co.uk/news/technology-45481976)

I’ve argued against this in the past but to no avail. And it’s everywhere now. Designers use code located in any old place in order to make their websites work. I’ve even seen it inside commercial CMS systems where, when PHP versions come out with functions deprecated, the software vendor has a major task in finding or writing new libraries because the Internet-sourced one they use is no longer being updated. I have also seen font libraries used where the usage exceeds the agreement and the download then fails, sometimes causing a delay in the poor user’s browser. Browse to just about any commercial website now and take a look at the connections your system is making and to where; these are often to download a font or a JavaScript library to do some jazzy function.

Remember the news when some Javascript library included a bitcoin mining script?

And heaven forbid programmers won’t simply take bits of code from Internet sources and glue it all together to create a new app. I mean, that would just be asking for trouble, right?

Basically, we’re doomed…
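The browser-side control for the problem the BBC quote describes is Subresource Integrity: the page states the digest of the third-party script it expects, and the browser refuses to run the file if the bytes it fetched do not match. The following is an added example, not code from the original post or from any site it mentions; the two script bodies and the CDN URL are constructed for illustration.

```python
"""Pin a third-party script with Subresource Integrity (SRI).

Added example, not code from the original post or from any site it mentions.
The page states the digest of the script it expects in the integrity
attribute, and the browser refuses to execute the file if the bytes it
actually fetched hash to something else. The two script bodies and the CDN
URL below are constructed for the example.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones SRI permits

# Constructed sample: the script body the site reviewed and chose to embed.
TRUSTED_SCRIPT = b"window.checkout = function (amount) { return pay(amount); };\n"
# Constructed sample: the same file after an unreviewed change upstream.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"/* unreviewed addition */ collectFormFields();\n"


def compute_sri(body: bytes, algorithm: str = "sha384") -> str:
    """Return the value for the integrity attribute, e.g. 'sha384-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: True only if `body` matches a listed digest.

    An integrity attribute may carry several space-separated tokens (for
    example one per algorithm); tokens with an unknown algorithm or malformed
    base64 are ignored, as a browser ignores them.
    """
    for token in integrity.split():
        algorithm, _, expected_b64 = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue
        try:
            expected = base64.b64decode(expected_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        actual = hashlib.new(algorithm, body).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Render the <script> tag that pins `body` at `src`.

    crossorigin="anonymous" is required for a cross-origin script: without
    CORS the browser cannot read the response to check the digest and blocks it.
    """
    return (f'<script src="{src}" integrity="{compute_sri(body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/checkout.js", TRUSTED_SCRIPT)
    print(tag)
    pinned = compute_sri(TRUSTED_SCRIPT)
    print("reviewed copy accepted:", verify_sri(TRUSTED_SCRIPT, pinned))   # True
    print("modified copy accepted:", verify_sri(TAMPERED_SCRIPT, pinned))  # False
```

Two caveats a practitioner should keep in mind: SRI pins only the file named in the tag, so a tag manager or loader that pulls in further scripts at run time is not covered, and a pinned script that legitimately changes upstream will stop loading until the page's digest is updated, which is the point: someone has to look at the new version before it runs on your site.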

General whinging about websites

Parts of my current work got me thinking about how I, personally, decide whether or not to trust a site. By trust here I do not mean completely… I mean I trust my bank more than I would trust someone’s blog. But as a generalisation the following is my hit-list, or rather my go-away-fast list, where I will leave a site and never return:

  • whois data is privacy protected. Now ok, I have no issue with someone protecting their blog, but if it’s a company I have to ask why are you hiding? You’re blocked.
  • website presents a pop-up asking – well, anything. Typically you get a pop-up asking if you want to take part in a survey, or saying you can subscribe to a newsletter. No, design your website correctly so I can see those options but do not force them on me. I won’t be back.
  • hard to find actual street address. Blogs excepted again, why do businesses hide or make it very difficult to find their address? Bye.
  • paywalls and ad blocker detectors. Nope, not paying, nor am I switching my ad blocker off. The Guardian do not do this but do have an ad blocker detector which puts up a message at the bottom of the page, not in your face. I don’t use it enough to warrant it but I would be far more willing to pay them than any media that fails completely if you have an ad blocker, or which shows a few lines and then requests payment. Remember, the web is a big place, and someone else has probably posted a similar story to that which you want me to pay for.
  • copyright infringement. Harder to see, but I came across a local business that displayed, as its background image, one of our own, which is our IPR! Chance maybe, but hey.
  • sites which attempt to persuade you that what they are offering is not in fact illegal. Far harder to spot, these. But a number of my investigations led me to websites offering things which, although not illegal, are certainly contrary to our own internal regulations, typically sites offering to write your dissertation or thesis.
  • sites which require my personal information before giving me a price for a product or service. Car hire and insurance companies are bad for this. Why do I need to tell you who I am to get a price? Ok, some data is needed, like age and postcode, but surely no more than that. I just want a quote, and only if I decide to take it up will I then send the necessary details.
  • sites which insist on having whole-frame anchors such that if you click anywhere other than somewhere obvious you are taken to somewhere else in the site or, worse, to somewhere nasty. You get blocked every time.
  • sites that have no privacy notice / set cookies without permission / have privacy notices that are pages long / have daft, unenforceable or obfuscated notices or terms. Come on people this is not rocket science.
  • sites (and, in real life, vans!) where the URL and e-mail bear no relationship to each other. If you bother to buy a domain then bother to also use it as your e-mail domain! Come on, sack your marketing team.

Not a big or even complete list, but those few points are my own personal basis for going further into a website or just clicking away.

Cloud storage confusion

With cloud services it can become confusing as to where things actually are. If you’re like me, old school, you tend to want to keep a local copy of things just in case, and so I elected to do this on the MacBook with Desktop, Documents and the photo library so I would always have a local copy if things came undone.

This all worked fine until I changed my Apple ID today prior to the potential deletion of .eu domains held by UK people post-Brexit. My Apple ID was a .eu email address.

So, new ID set. The iPhone and iPad both worked fine but the MacBook presented an empty desktop and no documents. Oh. After a fiddle it transpired that it had not re-enabled the Desktop and Document folders in iCloud Drive in Settings. Checking this resulted in a re-populated desktop, albeit with the icons jumbled up. No biggie.

But all the files showed that little cloud icon with a downward facing arrow. This does not imply a pending thunderstorm, rather it means you can download the document.

But remember I kept local copies? Well, it transpires that the MacBook made an archive of everything. So all the files are sat in a named folder with ‘(archive)’ appended.

So the MacBook now appears to be happily downloading all the files from iCloud regardless of the fact they are already there in this archive. All 21Gb! Thanks.

There is a twist in this tale. Photos has also been disconnected. It now gives me the option once more of sending all photos to iCloud (they are all there already and can be seen on the iPhone and iPad!) and also storing them locally. Only it says there is insufficient space! Yes, because you made a 21Gb archive and are now downloading the 21Gb again, so that’s 42Gb and that’s more than the free space, you numpty.

I am wary of deleting the archive, and anyway the photo library may have its own, as-yet undiscovered archive too. Apparently my photo library is 51Gb… good job we have unlimited broadband.

On the plus side, when I logged into iCloud again on the iPhone and iPad the photo app now uses iCloud. I had intended to switch over to this but never did. So at least those work… I just need to sort the MacBook because, being old school I really want a local copy of the photos just in case.

And it’s probably time to fix the NAS so it can be used by Time Machine again, or get a plug-in disk. You can never have too many copies when you are old school!

Google cloud

There is a story about how Google blocked access to a load of documents in their cloud provision because an automated check determined they are in breach of Google’s terms of service. Of course, everyone reads these, don’t they? (Actually they are written in a fairly easy to understand language, unlike many, so no excuse really.)

But my interest here is how Google (or any such provider) can protect itself given it can automatically check stuff in the cloud. If something got to court I wonder if a judge would request that Google somehow prove that it did not know a given document was illegal, and how it could prove this.

Paypal and eBay woes (updated 20/Jun/17)

I occasionally sell valves on eBay and their Global Shipping Program has been useful, taking away the need for me to figure out postage to individual countries. For a very small trader like me this saves a lot of hassle. Or it did.

But here’s the issue. Paypal has become ubiquitous and makes for an easy way to add payments to various things, Uber for example. As Paypal’s own adverts tell you, by using them you do not need to lodge any personal information with all the various websites and apps you may use. But there is a huge issue. I currently have someone in China who, after taking over two weeks to pay me for two valves, then lodged a dispute with Paypal for non-delivery after just a few days. The tracker shows it is stuck in their Global Shipping Centre here in the UK. Anyway, this person is no longer communicating with me but Paypal transferred the money out of my account leaving a negative balance.

And guess what… now I have a negative balance Paypal transactions are failing. So in one fell swoop this dispute means that Paypal is effectively useless to me. I have already taken it out of Uber as I will need to use them. I found this out when I tried to purchase something on eBay. It added the negative amount and then told me that if I pay by card, which is my only payment method, then it counts as a cash advance and thus I will pay interest from day one. I don’t pay interest on anything. Yes, I can add my bank details and transfer money that way but I don’t want to, and anyway Paypal say this takes 5 to 7 days.

Oh, as to the valves they are marked as undeliverable. No idea why yet. In such a case, eBay will refund the buyer, so no need for Paypal to get involved. But the person has not yet closed the case or even bothered to answer my messages about it and so Paypal is still lost to me. And I suspect this will be permanent because as I change away from it as a payment method what reason is there for me to return?

Update 29/5/17 – I now notice as a seller I cannot leave negative feedback for a buyer! I can leave positive feedback or nothing. How useless. eBay is totally buyer friendly and seller unfriendly now. I only sell a few items a year – I can’t imagine the hassle major traders must face… I expect they simply have to write stuff off. Anyway, given the eBay fees, including charging a fee for postage (why?!), plus the Paypal fees, this has probably done me a favour as I will now list valves on the museum site open for offers and just trade p2p. Well done Paypal, because of this eBay will not be getting any more commission from me.

Update 2/6/17 – after Paypal found in my favour and put the funds back, the buyer changed the appeal to ‘not as described’. At first I thought this meant the valves had finally turned up, but it seems they have not (nor will they ever, thanks to the GSP) and so he has fraudulently changed it to try to get a refund via Paypal (eBay, remember, will apparently refund the buyer anyway if the item cannot be delivered, so it’s not a Paypal claim even though Paypal will need to actually do the refund). So once again Paypal have left me with a negative balance, but fortunately I have now stopped using it so it makes little difference to me!

Update 18/6/17 – Apparently Paypal sent an email on the 14th that I never received and there is something now about having to wait for a refund. But I’m not waiting for a refund? So, whatever the e-mail said, it was 12 days since the fraudulent claim that the item was not as described (it never arrived, remember? It got trapped by eBay). Equally annoying is that because this person took over two weeks to pay me in the first place the seller bill from eBay arrived before the funds. I paid that straight away of course, but because I made a payment to eBay I cannot now close my eBay account until 30 days have passed in case I do to them what this person has done to me and claim the money back!

Of course, now time has passed I am reminded just how easy it is to not have to use Paypal, given just about everything else I need to pay takes cards directly and my various subscriptions have been switched from Paypal to bank transfers.

Update 20/6/17 – Well Paypal tell me they refunded 0.00 to the buyer and have once again put the funds back into my Paypal account, meaning I was able to pay the one thing I still needed Paypal for (a club membership, but future payments can go via Direct Debit). I have removed my credit card details prior to shortly closing my Paypal account. Yes I know I will probably then want to buy something from eBay but I… will… resist!

And so my Paypal account, which I have had for a very long time now, is closed. Gone. Bye. They are apparently sorry to see me go. Hmmm…

URL shortener problems

I noticed today that the BBC uses bbc.in as a URL shortener. I wanted to see a story posted by the local BBC outfit on Twitter that carried such a link. But the bbc.in link redirected to bit.ly… trouble is, bit.ly is currently blocked by Sky Broadband Shield for phishing or malware. Actually there’s no surprise there given what bit.ly et al do.

Later on the redirect from bbc.in went to trib.al which is not blocked and that then took me to a BBC page.

So… given the BBC owns bbc.in why not put a URL shortener there and avoid these external, uncontrolled ones? I mean, these externals are bound to continue to cause issues.
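Chains like the one described above (bbc.in to bit.ly to trib.al to the real page) can be unrolled one hop at a time so you can see which hosts a short link passes through before any of them is opened in a browser. The following is an added example, not code from the original post or from the BBC; the lookup table of short links is constructed with hypothetical paths so the example runs offline, and `http_fetch` is the equivalent against live servers.

```python
"""Unroll a shortened link's redirect chain hop by hop.

Added example, not code from the original post. `unroll` takes a `fetch`
callable that returns the next URL for a given URL, or None when the URL is
the final page. The default is a constructed lookup table (hypothetical
paths) modelled on the chain in the post, so the example runs offline; the
`http_fetch` function does the same against live servers with one HEAD
request per hop and urllib's automatic redirect-following switched off.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Constructed sample chain; the paths are hypothetical.
SAMPLE_CHAIN = {
    "https://bbc.in/example1": "https://bit.ly/example1",
    "https://bit.ly/example1": "https://trib.al/example2",
    "https://trib.al/example2": "https://www.bbc.co.uk/news/example-story",
}


def table_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP request: look the next hop up in the table."""
    return SAMPLE_CHAIN.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, which we read


def http_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Return the Location of a redirecting URL, or None for a final (2xx) page."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308) and err.headers.get("Location"):
            return urllib.parse.urljoin(url, err.headers["Location"])
        raise


def unroll(url: str, fetch: Callable[[str], Optional[str]] = table_fetch,
           max_hops: int = 10) -> list:
    """Return every URL in the chain, first to last; refuse loops and long chains."""
    chain = [url]
    while True:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise RuntimeError(f"redirect loop at {nxt}")
        chain.append(nxt)
        if len(chain) - 1 > max_hops:
            raise RuntimeError(f"more than {max_hops} redirects")


def hosts_hit(chain: list, watch: set) -> list:
    """Hosts from `watch` that the chain passes through, in chain order."""
    hosts = [urllib.parse.urlparse(u).hostname for u in chain]
    return [h for h in hosts if h in watch]


if __name__ == "__main__":
    chain = unroll("https://bbc.in/example1")
    for hop, u in enumerate(chain):
        print(f"hop {hop}: {u}")
    print("intermediaries of interest:", hosts_hit(chain, {"bit.ly"}))
```

To run it against real links pass `fetch=http_fetch`; note that some shorteners only redirect on GET, in which case the HEAD request will come back as an error rather than a Location, and that the final page is still never loaded, only the chain of hosts is recorded.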