Musings tagged as privacy

In the latest version of Chrome, you are automatically signed into the browser itself (the account-backed part of Chrome) whenever you sign into any Google website. Matthew Green has written a detailed blog post (see link above) outlining the resulting privacy concerns.

I do differ from him in one crucial bit though. In the end he states that he rejects the argument that goes along the lines of “Captain Obvious strikes again, it’s Google, something like this was bound to happen.” He said he believes that for 10 years Google managed to provide good open source software without massively violating user privacy and there was no way to see this coming. Seriously? I mean, come on! All the location snooping with Android? Even though the settings were turned off? The preset synchronization options? Forcing G-Apps onto everyone? Google has been on a privacy-violating spree for a long time already. That is one of the main reasons I have never used Chrome. Something like this was bound to happen! They are an ad company. They can make more money if their ads are even more personalized and can be targeted even better. In a world where shareholder value has the last say and is regarded as the ultimate decision maker, of course companies like Google will fuck with your privacy if it means more revenue. This is so blatantly obvious that “I did not see it coming.” is no valid defense.

Snake oil vendor Avast has pulled v5.45 of its CCleaner suite over a privacy controversy. Apparently the latest update made some “minor” changes which resulted in a bit of an outcry. Active monitoring, which translates to “yes, please send information about me and my system to your servers”, could no longer be switched off. You also could no longer shut down CCleaner: there was no way to exit the software normally, so you had to kill the process. Free users got another special treat, as sharing your data with third parties could no longer be disabled and was mandatory.

According to ungleich.ch, Mozilla is planning to introduce a new method for resolving DNS queries that could end up negatively impacting your privacy.

Dubbed Trusted Recursive Resolver (TRR), this new resolving method results in Firefox ignoring your configured DNS server and sending its queries (as DNS over HTTPS) to Cloudflare's resolvers instead. This is awesome, especially because Cloudflare is a company from the US, and they then know which sites you connect to. Essentially this would mean that one company has the browsing information of all Firefox users.

This is utterly stupid. Concentrating the data in one place makes Cloudflare a prime target for surveillance, and it also stores your connection metadata in the US. Essentially they are adding a single point of failure for the whole Firefox ecosystem.

Thankfully, ungleich.ch offers some advice:

  • enter about:config in the address bar
  • search for network.trr
  • set network.trr.mode = 5 (“off by choice”) to completely disable this feature

The other modes for network.trr.mode are described in a post on usejournal.com.

Apparently Mozilla wants to enable the new resolver by default beginning with the September release. Be sure to check your settings again then. Oh, and why the fuck does Mozilla insist on fucking up Firefox?
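To make that check repeatable after the September release, here is an added Python example (not code from ungleich.ch, usejournal.com or Mozilla) that parses the user_pref lines of a Firefox prefs.js or user.js, reports what the current network.trr.mode means, and rewrites the file so that mode 5 is set. The sample prefs text is constructed, and the function names are my own; the mode meanings are Mozilla's documented values for this preference.

```python
import re

# Meaning of the documented network.trr.mode values.
TRR_MODES = {
    0: "off (browser default when this was written)",
    1: "race native DNS against TRR, use whichever answers first",
    2: "TRR first, fall back to native DNS on failure",
    3: "TRR only, never use native DNS",
    4: "shadow mode: native DNS is used, TRR is queried alongside for measurement",
    5: "off by choice: TRR disabled and not re-enabled by a default change",
}

# Modes in which Firefox actually sends queries to the TRR endpoint.
MODES_THAT_QUERY_TRR = {1, 2, 3, 4}

# One user_pref("name", value); line, as written by Firefox in prefs.js.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)

# Constructed sample of a prefs.js after a TRR rollout; not a real profile.
SAMPLE_PREFS = """\
// Constructed sample, not a real profile.
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
"""


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines into a dict; ints and bools are converted, strings unquoted."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def trr_status(text: str) -> dict:
    """Report the effective TRR mode of a prefs file and whether queries leave via TRR."""
    prefs = parse_prefs(text)
    mode = prefs.get("network.trr.mode", 0)   # absent means the browser default
    if not isinstance(mode, int):
        mode = 0
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "unknown mode"),
        "sends_queries_to_trr": mode in MODES_THAT_QUERY_TRR,
        # None means no explicit URI; Firefox then uses its built-in resolver.
        "resolver_uri": prefs.get("network.trr.uri"),
    }


def disable_trr(text: str) -> str:
    """Return the prefs text with network.trr.mode forced to 5 ("off by choice")."""
    line = 'user_pref("network.trr.mode", 5);'
    pattern = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*[^)]*\);\s*$', re.M)
    if pattern.search(text):
        return pattern.sub(line, text)
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + line + "\n"


if __name__ == "__main__":
    before = trr_status(SAMPLE_PREFS)
    print(f"before: mode {before['mode']} ({before['description']}), "
          f"queries TRR: {before['sends_queries_to_trr']}")
    after = trr_status(disable_trr(SAMPLE_PREFS))
    print(f"after:  mode {after['mode']} ({after['description']}), "
          f"queries TRR: {after['sends_queries_to_trr']}")
```

Run it against the prefs.js in your profile directory (with Firefox closed, since Firefox rewrites that file on exit) or keep the emitted line in a user.js, which Firefox applies on every start.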

FileZilla, the formerly easy-to-recommend FTP/SFTP client for private and enterprise use, has fallen from grace and now includes adware in its installers. With security professionals already recommending uninstalling FileZilla, its author Tim Kosse is trying hard to reframe the issue, claiming that ad-supported installers are necessary and have been around for a long time.

This does not change the fact, however, that some of the “offers” available via the ad-laden installer download unsigned executables to your PC, including some really shady ones that fetch separate data files which are later concatenated into an executable. The best guess is that this is an attempt to evade detection by malware scanners that inspect each downloaded file on its own and never see the assembled binary.
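To see why a per-file scan misses this, here is an added Python example, not code from FileZilla or from any installer offer, that builds a constructed PE-shaped blob, splits it into data chunks the way a fragmenting downloader would, and shows that no individual chunk carries a recognisable executable header while the reassembled file does. The blob and the chunk size are my own constructions; the header check only looks at the DOS stub and the PE signature, which is enough to make the point.

```python
import hashlib
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew = 0x200, PE signature, filler.

    Not a real or runnable binary; it only carries the headers the check looks for.
    """
    header = bytearray(0x200)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x200)
    body = b"PE\x00\x00" + b"\x00" * 20 + b"constructed filler " * 50
    return bytes(header) + body


def split_into_chunks(data: bytes, size: int) -> list:
    """Cut data into fixed-size pieces, as a downloader shipping 'data files' would."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def reassemble(chunks) -> bytes:
    return b"".join(chunks)


def scan(chunks) -> dict:
    """Compare the per-fragment verdict with the verdict on the reassembled file."""
    joined = reassemble(chunks)
    return {
        "fragments_flagged": sum(looks_like_pe(c) for c in chunks),
        "reassembled_flagged": looks_like_pe(joined),
        # The hash of the assembled artifact is what you want to record and check,
        # not the hashes of the fragments that were written to disk.
        "reassembled_sha256": hashlib.sha256(joined).hexdigest(),
    }


if __name__ == "__main__":
    sample = build_sample_pe()
    chunks = split_into_chunks(sample, 256)
    result = scan(chunks)
    print(f"{len(chunks)} fragments, {result['fragments_flagged']} look like an executable")
    print(f"reassembled file looks like an executable: {result['reassembled_flagged']}")
    print(f"reassembled sha256: {result['reassembled_sha256']}")
```

The takeaway for anyone monitoring such an installer: watch what gets written after the concatenation step, hash that file, and check its signature there, because the fragments on their own carry nothing a header-based check can catch.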

This is a terrible move by FileZilla, and I too suggest uninstalling it if you still use it. A good alternative for Windows users is WinSCP. Free, open source, what is not to like?

Remember the urgent public safety issue from not too long ago? Turns out the FBI has repeatedly overstated figures about the so-called encryption threat to Congress and the public. Among other things, the FBI claimed it was locked out of nearly 7,800 devices connected to crimes when, in reality, the actual number was somewhere between 1,000 and 2,000. Apparently a “programming error” is to blame, which led to the devices being miscounted. Yeah … right …

PGP Vulnerabilities Discovered

Mon, May 14, 2018

Security researchers have discovered vulnerabilities in implementations of PGP and S/MIME. Apparently the GnuPG team was not contacted beforehand, and they dismiss the researchers' recommendation to immediately stop using anything PGP or S/MIME related as overblown.

While the researchers refused to immediately disclose the exact nature of the vulnerabilities, the GnuPG team has released a statement. The gist of the vulnerabilities seems to be that mail clients with broken MIME parsers render attacker-supplied HTML around the decrypted content, which can leak the plaintext. This also means that you are only vulnerable if you are using HTML mails, in which case you are evil anyway. ;)
