Subject: General Tech | January 28, 2016 - 02:25 PM | Jeremy Hellstrom
Tagged: Privacy, microsoft, edge
Microsoft is revisiting an old issue with private browsing which we have unfortunately seen too many times. In 2010 Firefox's private browsing broke and left site visits on your computer, and in 2013 Chrome went through the same issue. More recently it was discovered that when Chrome interacted with an NVIDIA GPU, sites could also be retrieved. Now it is Edge's turn: the browser stores your page visits in tables under <user>\appdata\local\microsoft\windows\history even when using InPrivate Mode. This will be resolved soon but for now if you are secretly ... ah, shopping for a loved one you might want to use a different browser, VPN or other measure. There is more info over at The Inquirer.
"BURGEONING ORWELLIAN nightmare corporation Microsoft has once again been found lacking in the security department, this time for the new and improved Edge browser in Windows 10."
Here is some more Tech News from around the web:
- Windows 10: Preloaded TripAdvisor app could open doors to a world of crap @ The Inquirer
- Apple recalls some iPad and MacBook chargers due to electric shock risk @ The Inquirer
- Production of new 4K iPad Air to begin in 2Q16, say Taiwan makers @ DigiTimes
- Windows Mobile users suffer backup super-slurp as Redmond forgets Wi-Fi switch @ The Register
- GitHub falls offline, devs worldwide declare today a snow day @ The Register
- Brit censors endure 10-hour Paint Drying movie epic @ The Register
- Computer Beats Go Champion @ The Inquirer
Subject: General Tech | December 30, 2015 - 11:48 PM | Scott Michaud
Tagged: valve, steam, security, Privacy
On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy that I could provide would be a bad organization who sent a thousand people to Walmart, to do nothing but stand in the check-out line and ask the cashier about the time. This clogs up the infrastructure, preventing legitimate customers from making their transactions. This was often done after demanding a ransom. Don't pay? Your servers get clogged at the worst time.
A little too much sharing...
There are two ways to counter-act a DDoS attack: add hardware or make your site more efficient.
When a website is requested, the server generates the page and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more database(s). It then feeds this data to partners to send to customers. Some pages, like the Steam Store's front page, are mostly the same for anyone who views it (from the same geographic region). Some pages, like your order confirmation page, are individual. You can save server performance by generating the pages only when they change, and giving them to relevant users from the closest delivery server.
Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages with private information and delivering them to random users. This includes things like order confirmation and contact information pages for whatever logged-in account generated them. This is pretty terrible for privacy. Again, it does not allow users to interact with the profiles of other users, just see the results that other users generated.
But this is still quite bad.
Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't particularly know why Valve didn't, but I cannot see that from the outside.
But again, I don't work there. I don't know the details.
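The failure described in this post, as an added example that is not Valve's or any CDN's code: a toy edge cache that stores every response by URL hands one user's order confirmation to the next visitor, while one that honors the origin's Cache-Control headers does not. The paths, user names and the `may_store` policy are constructed assumptions.

```python
# Added illustration: a toy shared (edge) cache in front of a constructed origin.
# Paths, users and the policy below are assumptions, not any vendor's behaviour.

def origin(path, session_user):
    """Constructed origin: one page shared by everyone, one per-account page."""
    if path == "/store":
        return {"Cache-Control": "public, max-age=60"}, "Store front page"
    if path == "/checkout/confirmation":
        return ({"Cache-Control": "private, no-store"},
                f"Order confirmation for {session_user}")
    return {"Cache-Control": "no-store"}, "Not found"


def may_store(request_headers, response_headers):
    """Conservative shared-cache policy: never store private/no-store responses,
    and store responses to logged-in requests only if explicitly public."""
    directives = {d.strip().split("=")[0].lower()
                  for d in response_headers.get("Cache-Control", "").split(",")}
    if directives & {"private", "no-store"}:
        return False
    authenticated = "Cookie" in request_headers or "Authorization" in request_headers
    return "public" in directives or not authenticated


class EdgeCache:
    """Keyed by path only, as a page cache for shared content would be."""
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers  # False models the misconfiguration
        self.store = {}

    def get(self, path, user):
        request_headers = {"Cookie": f"session={user}"} if user else {}
        if path in self.store:
            return self.store[path]          # served without asking the origin
        headers, body = origin(path, user)
        if not self.honor_headers or may_store(request_headers, headers):
            self.store[path] = body
        return body


def leaked_to_second_user(cache):
    """alice loads her confirmation page, then bob requests the same URL."""
    cache.get("/checkout/confirmation", "alice")
    return "alice" in cache.get("/checkout/confirmation", "bob")
```
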
Subject: General Tech | November 17, 2015 - 08:55 PM | Scott Michaud
Tagged: windows 10, Privacy, microsoft
UPDATE (Nov 19th, 12pm EST): Ed Bott emailed me to clarify a few points. First, PINs for BitLocker are not required and will not be backed up to OneDrive. I knew that PINs were not required, but I was trying to say "would there be a way that a user could use BitLocker without giving all the necessary bits to OneDrive". Apparently, using PINs is one of those ways. He also claims that you can manage your own keys by changing them and storing them locally.
He also commented on the HIPAA remark. He claims that Windows 10 is HIPAA compliant, and the reason why it was not included in the statement is because the question wasn't asked. Again, if applicable, check with your vendors and other support.
Okay so one of the major concerns with Windows 10 is how it handles your private data. I gave my thoughts on the topic a couple of weeks ago, which was a bit critical of Microsoft. I said that there are definite concerns that should be disclosed, but it is not enough of a concern to stop using it and switch to Linux or something. At least, not yet.
The foremost change is that Microsoft specified that only OneDrive, Outlook, and Skype files and content, private or public, are subject to disclosure to law enforcement. The previous wording looked like it applied to all files on Windows 10. Full access to all files sounds like something the law enforcement would want, but Windows 10 does not provide it.
Another change involves BitLocker. Recovery keys are synchronized to OneDrive “to allow recovery on personal devices”. I am not sure if this also includes PINs, for devices configured to use those, but it would be crappy if it did. Regardless, the privacy statement now says “Microsoft doesn't use your individual recovery keys for any purpose.” This raises two concerns: Why did they specify “Microsoft” and why did they qualify “recovery keys” with “individual”? My assumption is that this is just an awkward trait of the English language, but it could exempt sending batches of keys to third parties, such as governments, especially if it counts as a OneDrive personal file. Again, it is probably just an awkward wording though.
A final point for me is that Telemetry, when set to “Basic”, satisfies FINRA, SEC, and FTC regulations. Oddly they don't specify HIPAA, but you probably shouldn't be listening to tech reporters (yes including me) for advice about securing health insurance and patient data. You should have more reliable channels for that sort of inquiry.
Subject: General Tech | February 18, 2015 - 01:06 PM | Jeremy Hellstrom
Tagged: irony, Privacy, google, gigabit broadband, AT&T
Kansas City got Google Fiber back in 2012 and not surprisingly a lot of users jumped to this ~$70 service from their current ISPs the moment they could. Two of the incumbent ISPs suddenly came to the realization that there was demand for broadband at this speed and turned on some of their already laid and configured fiber connection so they could start to offer actual broadband and now several years later AT&T discovered that they would need to do the same to be able to attract customers in that market. The fiber has lain dormant for quite some time as most ISPs have argued that there was no demand for that level of connectivity; at least until Google offered it and customers left them in droves proving that the demand had always been there.
From The Register we hear that AT&T now offers a 1Gbps connection for $70, an additional $50 will get you TV and you can even bundle home service into the deal if you wish. For an additional $29 per month AT&T also offers not to log everything you do on the web over their connection, something which Google does not offer. This makes for an interesting discussion as most surfers no longer blink at Google the search engine tracking what they do online, but what about Google the ISP; does that create a different gut reaction? Then again considering AT&T's loose definition of unlimited, what do they mean by privacy or even gigabit for that matter?
"We've moved quickly to bring more competition to the Kansas City area for blazing-fast Internet speeds and best-in-class television service," said John Sondag, president of AT&T Missouri, without apparent irony.
Here is some more Tech News from around the web:
- The TR Podcast 170: What the kids put in their PCIe slots these days
- Collaboration Summit Keynotes Will Stream Live on Wednesday, Feb. 18 @ Linux.com
- Qualcomm, ARM: We thought we had such HOT MODELS... @ The Register
- Lenovo is building ARM-based servers to improve energy efficiency @ The Inquirer
Subject: General Tech | October 14, 2014 - 06:28 PM | Jeremy Hellstrom
Tagged: predix, Cisco, Intel, GM, verizon, Privacy, security
GM's Predix asset management platform has been used for a while now, after they came to the realization that they were in the top 20 of the largest software developers on the planet. They found that by networking the machines in their factories as well as products that have been shipped to customers and are seeing active use that they could increase the efficiency of their factories and their products. They were aiming for 1% increase, which when you consider the scale of these industries can equate to billions of dollars and in many cases they did see what they had hoped for.
Now Cisco and Intel have signed up to use the Predix platform for the same results, however they will be applying it to the Cloud and edge devices as well as the routers and switches Cisco specializes in. This should at the very least enhance the ability to monitor network traffic, predict resource shortages and handle outages with a very good possibility of a small increase in performance and efficiency across the board. This is good news to those who currently deal with the cloud but it is perhaps worth noting that you will be offering up your company's metrics to Predix and you should be aware of any security concerns that integration with another system may raise. You could however argue that once you have moved to the cloud that this is already happening.
"GE, Intel, Cisco, and Verizon have announced a big data deal to connect Predix — GE’s software platform — to machines, systems, and edge devices regardless of manufacturer."
Here is some more Tech News from around the web:
- Flexible FinFETs work at high temperatures @ Nanotechweb
- Firefox 33 Arrives With OpenH264 Support @ Slashdot
- Intel 'underestimates error bounds by 1.3 QUINTILLION' @ The Register
- Linux Foundation announces Dronecode alliance for open source Drone ware @ The Inquirer
- NETGEAR AC750 WiFi Extender @ HardwareHeaven
- Apotop Wi-Copy @ Phoronix
Subject: Editorial, General Tech | July 31, 2013 - 08:03 PM | Scott Michaud
Tagged: Privacy, mozilla, DNT
Mozilla Labs is researching a new approach to the problem of privacy and targeted advertising: allow the user to provide the data that honest advertisers intend to acquire via tracking behavior. The hope is that users who manage their own privacy will not have companies try to do it for them.
Internet users are growing concerned about how they are tracked and monitored online. Crowds rally behind initiatives, such as Do Not Track (DNT) and neutering the NSA, because of an assumed promise of privacy even if it is just superficial.
DNT, for instance, is a web developer tool permitting honest sites to be less shy when considering features which make privacy advocates poop themselves and go to competing pages. Users, who were not the intended audience of this feature, threw a fit because it failed to satisfy their privacy concerns. Internet Explorer, which is otherwise becoming a great browser, decided to break the standard by not providing the default, "user has not specified", value.
Of course, all this does is hand honest web developers a broken tool; immoral and arrogantly amoral sites will track anyway.
Mozilla Labs is currently investigating another solution. We could, potentially, at some point, see an addition to Firefox which distills all of the information honest websites would like to know into a summary which users could selectively share. This, much like DNT, will not prevent companies or other organizations from tracking you but rather give most legitimate situations a fittingly legitimate alternative.
All of this data, such as history and geolocation, is already stored by browsers as a result of how they operate. This concept allows users to release some of this information to the sites they visit and, ideally, satisfy both parties. Maybe then, those who actually are malicious, cannot shrug off their actions as a common industry requirement.
Subject: General Tech | May 2, 2013 - 02:01 AM | Tim Verry
Tagged: Privacy, eff, data privacy, consumer rights
The Electronic Frontier Foundation (EFF) released its annual Who Has Your Back report, which highlights Internet companies that (do or do not) defend users' online privacy rights. The EFF looks at the policies and actions of several major Internet companies, including ISPs, cloud storage, email, and social networks (among others). The companies are graded on various criteria such as whether the companies require a subpoena or warrant before releasing information, lobby Congress for stricter data privacy laws, and defend their users’ privacy rights in court.
This year, the EFF found some surprising results. Google is no longer the leader of the pack due to no longer providing transparent data requests to users on the same level that it did in the past. Twitter and ISP Sonic.net are actually the top ranked companies. In a less surprising twist, Verizon is actually the worst company of the bunch along with MySpace with failing grades in each category! And that is just the tip of the spear, with companies like Apple and AT&T being worse than I thought and Foursquare and WordPress doing better than I expected.
Data privacy is of supreme importance, and I hope that these EFF reports prod all companies to do better (and note the companies that are doing right by their users). It is definitely worth a read. You can find the full report in PDF form here.
Do you use any of these services, and are you happy with their data privacy efforts?
Subject: General Tech | February 26, 2013 - 03:29 AM | Tim Verry
Tagged: tracking cookie, Privacy, firefox 22, cookies
Mozilla’s Firefox web browser continues to add new features. A recent patch submitted by Jonathan Mayer proposes an interesting change to the way the browser handles third party cookies. The patch is suggested to be rolled into Firefox 22, and should it be approved, the open source browser would adopt Safari-like behavior by blocking third party cookies by default. Specifically, the patch would change the default behavior to block third party cookies by default unless the user has visited the website themselves at some point. Users will also be able to tweak the setting via a UI menu item and choose whether to always block third party cookies, only allow cookies from previously visited sites, or allow all third party cookies (for comparison, Google Chrome goes with this option as its default).
This is a positive move for consumer privacy, but it is also a disruptive strike at online advertisers. So called third party cookies are tidbits of code that sites can utilize to identify and track users on other sites. The uses of cookies can range from a shopping site using cookies for shopping carts or coupons to ad networks that track you across the internet to deliver targeted advertising and gather information about users. Safari has managed to get away with blocking third party cookies by default so far, but Firefox has a great deal more market share. Should Firefox move to a block-by-default model, advertisers are not likely to be pleased considering they think that Do Not Track is bad enough (heh). I think it may need to be relaxed somewhat, but the proposed patch’s behavior is closer to a fair balance between privacy and tracking than the current arrangement.
Currently, you can choose to accept all or block all (with accept all being the default). The new patch would add a new option to the GUI menu to only allow cookies from previously visited sites.
Interestingly, this is not the first time that changes to Firefox’s cookie handling behavior have been proposed. A few years ago, developers considered a similar patch but found that it caused too many problems with websites. It is worth noting that Jonathan Mayer's patch is not as strict in what it blocks as that previous patch attempt, so it is more likely to be approved, and to break fewer sites out of the box. Then again, the more browsers that adopt a block-by-default policy for third party cookies, the more websites will be pressured into finding workarounds such as proxying the third party ad cookies from their own domain (making the cookies first party as far as the browser is concerned). In the end, the battle between consumers and advertisers will rage on with websites/publishers caught in the middle trying to find an acceptable balance.
It will be interesting to see whether this patch goes through and what the fallout (if any) will be.
What do you think about the proposed change to the default cookie handling setting? Are you already using a third party browser plugin with a white list to block them by default anyway?
Also Read: Firefox 19 Includes Built-In PDF Viewer @ PC Perspective.