I know how many microphones and cameras you have


Web browser asking for permission to access microphones. On the page, the number of microphones is displayed.

A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting? Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and mics. No audio or video will be sent until the user agrees. But some metadata gets shared before you agree! Visit the WebRTC Detection Experiment site. You'll notice that…


Book Review: Privacy is Power - Carissa Véliz


Book Cover.

Without your permission, or even your awareness, tech companies are harvesting your location, your likes, your habits, your relationships, your fears, your medical issues, and sharing it amongst themselves, as well as with governments and a multitude of data vultures. They're not just selling your data. They're selling the power to influence you and decide for you. Even when you've explicitly asked them not to. And it's not just you. It's all your contacts too, all your fellow citizens.…


Review: eufyCam 2C Wireless Home Security Camera System


Flyer explaining how Eufy is different.

I hate the Internet of Things. It's a load of overpriced junk, which abuses your privacy and demands a monthly fee in return. That's why I was pleasantly surprised to see this fall out of the eufyCam 2C box. There's no monthly fee. The recordings stay in your home. The batteries last for ages. I can get on board with this! The package costs around £220 (discount of £40 if you use my code) and you get a smart-hub, two cameras, mounting points, and some flat ethernet cable. Set-up was easy. I…


I have 4% 2FA coverage


A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin etc. I now have 40 different TOTP tokens. So, about 4% of my accounts have 2FA security. I don't know if…


More Phishers On Twitter


A Twitter exchange. Virgin ask Dom for his address - which he gives. Then they ask for his full credit card details. He refuses.

My mate Dom was moaning to his ISP on Twitter. They sent him a private message so they could look into his account. Blimey! Thankfully, that was a pretty brazen and inept attempt at phishing. Anyone asking for all your card details like that should set the alarm bells ringing. Of course, phishers often target credulous people who don't understand that they're being scammed. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, …


"file:///C:/users"


List of Tweets where people have pasted a link to their local machine.

Once in a while, I'll see someone Tweet a "link" to file:///C:/users/... - that's the Microsoft Windows way of representing a location on a filesystem. Usually this means that the user has tried to either drag 'n' drop something, or copied a link from their file explorer. There are some (mild) infosec risks you should be aware of. Find local user names - this shows you what their username is for their computer: D. Gordon Smith (@professor_smith): To help people understand why this sad painting…


GDPR and common sense


Some giant question marks standing in a field. Photo by https://www.flickr.com/photos/dbrekke/181939582/

Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence: “Due to GDPR the attached file is password protected, I will send the password in a separate email” I shit you not. I checked the sender. They didn't work for my org…


My 2FA Code was 000 000!


Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number. A million seconds is about 12 days. A TOTP code changes every 30 seconds. Assuming the codes are evenly distributed (a big assumption!) we should see every combination in half-a-million…


Responsible Disclosure - John Lewis


John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this: <meta name="description" content="Search our shop for great deals!"> What can the content tag contain? Text!…


Your webcam cover is messing up your screen brightness


A laptop with the webcam covered - a green LED is visible.

Here's something I didn't know - but should have, because it's obvious... Your screen's auto-brightness depends on your webcam. If, like me, you have a privacy cover - this happens: https://shkspr.mobi/blog/wp-content/uploads/2020/02/WebCamp-Cover.mp4 The MacBook I'm using doesn't have any lux sensors that I can see - most phones have a separate sensor which means the camera isn't in use all the time. What I find curious is that the camera's hardware light isn't on. It turns on when an…


Even Google forgets to renew its domains


Domain showing as available to purchase.

tl;dr Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators.

Background

Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and -…


Thames Water don't get password security


Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account. I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my account. We had the normal back-and-forth and "let me speak to your manager" that accompanies anything deviating off-script. A manager called back, we went through account verification, I confirmed I was…
