It's a wise idea even beyond that, considering that Comcast routers routinely turn themselves into public wifi hotspots (and will periodically re-enable this setting if you disable it).
It's worse now. It's nearly impossible to turn off that feature now (my brother and friend both have the routers). Which is why they have "largest wifi network" or whatever bullshit in their marketing. It's also hilariously stupid.
I can't confirm but I believe their cell phone service uses those open points similar to Project Fi.
One the neighbors to our office is broadcasting an xfinitywifi point.
If I don't actively disable it or move it down the priority list, most client machines will prefer it to our wifi to the point that even after connecting successfully to our AP, it will try to reconnect to xfinity instead on reboot or resetting network components.
It is the bane of my entire existence.
Every time the "Sign in with your xfinity account!" portal pops up, I die a little bit more inside.
+2
Options
ShadowfireVermont, in the middle of nowhereRegistered Userregular
One the neighbors to our office is broadcasting an xfinitywifi point.
If I don't actively disable it or move it down the priority list, most client machines will prefer it to our wifi to the point that even after connecting successfully to our AP, it will try to reconnect to xfinity instead on reboot or resetting network components.
It is the bane of my entire existence.
Every time the "Sign in with your xfinity account!" portal pops up, I die a little bit more inside.
I move it down for all my clients. Saves the return trip when they complain that their printer doesn't work.
FBI issuing a warning that there's a foreign-manufactured malware targeting routers worldwide, called VPNFilter. The extent of the infection is still unknown, as well as the source. Their best recommendation is to reboot your router to potentially disrupt it for a time.
FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE
SUMMARY
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
TECHNICAL DETAILS
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.
THREAT
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.
DEFENSE
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
Netgear and Linksys have issued statements downplaying it and saying they believe it's using vulnerabilities that have already been patched so only old unupdated firmware is affected, but it kinda sounds like bullshit to save face given the FBI made it a point to talk about it, and particularly as Cisco's Talos blog lays out the danger.
For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.
Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.
The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.
...
VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.
The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes.
While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue. We call on the entire security community to join us in aggressively countering this threat.
We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed.
Using old tricks that were patched out in newer firmware, huh? Good thing Netgear and Linksys automatically do firmware updates.
Except even with the option checked, it rarely works.
0 days are becoming quite common even on patched newer IoT devices. A lot of it has to do with the implementation of busy box, and it's not implemented uniformly amongst vendors.
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited June 2018
So this latest news is a bit tangential to the thread, but I was hoping it might start a bit of a discussion.
Recently, a number of high profile games have been found to include tracking software and/or perform tracking of the end user. The software/company doing the tracking in question is called Red Shell, and this has come under scrutiny most prominently on Reddit's /r/Steam - Notably in a thread here, with regard to certain Steam Games.
According to varied reports, Red Shell does the following - If a user clicks on an advertisement for a game, that data is logged via a specific identifier generated against the user's hardware and other device specifics. When any Red Shell containing game then runs, it sends this same specific identifier back to Red Shell's servers. Ostensibly, when a match is found between the ad-click through log and identifiers reported by the game itself, that data is then reported to the developers/publishers of the game in order to gauge advertisement efficacy. In other words, it says "Oh, you looked at an ad for this game, and now you're playing it, the ad must've worked".
Red Shell has apparently also admitted to collecting IP addresses, albeit in hashed format.
The list of games carrying Red Shell is currently as follows:
Civilization VI,
All Total War games,
Kerbal Space Program,
Warhammer: Vermintide I & II,
My Time At Portia, (Pledged to remove it)
Dead by Daylight, (Pledged to remove it)
Battlerite, (Pledged to remove it)
AER Memories of Old,
Guardians of Ember,
The Onion Knights,
Realm Grinder,
Heroine Anthem Zero,
Warhammer 40k Eternal Crusade,
Magic the Gathering Arena (closed beta & not on Steam),
Krosmaga
Secret World Legends
Hunt: Showdown
Escapists 2
The debate at present is essentially boiling down to "Is Red Shell really Spyware?" with the underlying discussion of "What is Spyware, anyway"? I've seen many people saying that this is blowing privacy out of proportion, as the collected data is "harmless" and because Red Shell doesn't collect anything that would be considered sensitive. In wake of the debate, some developers have been recently scrambling to distance themselves from Red Shell. This includes the developers of Dead by Daylight, who are currently pledging to remove Red Shell from their game entirely.
For my part, I'll admit to a certain amount of bias. Just because Red Shell is claiming not to collect that data, doesn't mean they aren't - or more importantly that in the future they won't. The additional layer of subterfuge involved here, that the games in question are reporting this information without consent or notification, is also a troubling concern to me.
So this latest news is a bit tangential to the thread, but I was hoping it might start a bit of a discussion.
Recently, a number of high profile games have been found to include tracking software and/or perform tracking of the end user. The software/company doing the tracking in question is called Red Shell, and this has come under scrutiny most prominently on Reddit's /r/Steam - Notably in a thread here, with regard to certain Steam Games.
According to varied reports, Red Shell does the following - If a user clicks on an advertisement for a game, that data is logged via a specific identifier generated against the user's hardware and other device specifics. When any Red Shell containing game then runs, it sends this same specific identifier back to Red Shell's servers. Ostensibly, when a match is found between the ad-click through log and identifiers reported by the game itself, that data is then reported to the developers/publishers of the game in order to gauge advertisement efficacy. In other words, it says "Oh, you looked at an ad for this game, and now you're playing it, the ad must've worked".
Red Shell has apparently also admitted to collecting IP addresses, albeit in hashed format.
The list of games carrying Red Shell is currently as follows:
Civilization VI,
All Total War games,
Kerbal Space Program,
Warhammer: Vermintide I & II,
My Time At Portia, (Pledged to remove it)
Dead by Daylight, (Pledged to remove it)
Battlerite, (Pledged to remove it)
AER Memories of Old,
Guardians of Ember,
The Onion Knights,
Realm Grinder,
Heroine Anthem Zero,
Warhammer 40k Eternal Crusade,
Magic the Gathering Arena (closed beta & not on Steam),
Krosmaga
Secret World Legends
Hunt: Showdown
Escapists 2
The debate at present is essentially boiling down to "Is Red Shell really Spyware?" with the underlying discussion of "What is Spyware, anyway"? I've seen many people saying that this is blowing privacy out of proportion, as the collected data is "harmless" and because Red Shell doesn't collect anything that would be considered sensitive. In wake of the debate, some developers have been recently scrambling to distance themselves from Red Shell. This includes the developers of Dead by Daylight, who are currently pledging to remove Red Shell from their game entirely.
For my part, I'll admit to a certain amount of bias. Just because Red Shell is claiming not to collect that data, doesn't mean they aren't - or more importantly that in the future they won't. The additional layer of subterfuge involved here, that the games in question are reporting this information without consent or notification, is also a troubling concern to me.
This is from Civ VI (which was one of the early unlocks for a recent Humble Monthly). I'm pasting the relevant part of a Steam review that has the relevant language:
Just to recap:
"INFORMATION COLLECTION & USAGE
By installing and using the Software, you consent to the information collection and usage terms set forth in this section and Licensor's Privacy Policy, including (where applicable) (i) the transfer of any personal information and other information to Licensor, its affiliates, vendors, and business partners, and to certain other third parties, such as governmental authorities, in the U.S. and other countries located outside Europe or your home country, including countries that may have lower standards of privacy protection; (ii) the public display of your data, such as identification of your user-created content or displaying your scores, ranking, achievements, and other gameplay data on websites and other platforms; (iii) the sharing of your gameplay data with hardware manufacturers, platform hosts, and Licensor's marketing partners; and (iv) other uses and disclosures of your personal information or other information as specified in the above-referenced Privacy Policy, as amended from time to time. If you do not want your information used or shared in this manner, then you should not use the Software."
and of course:
"The information we collect may include personal information such as your first and/or last name, e-mail address, phone number, photo, mailing address, geolocation, or payment information. In addition, we may collect your age, gender, date of birth, zip code, hardware configuration, console ID, software products played, survey data, purchases, IP address and the systems you have played on. We may combine the information with your personal information and across other computers or devices that you may use."
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
I'll be honest, I'm not sure how much of that is standard boilerplate in a EULA, and how much is exceptional. That last bit is enough to make me disconcerted for sure, though.
Personally I'm not terribly comfortable with taking these companies at their word. Particularly not after recent hullabaloo regarding the haphazard and unauthorized harvesting of personal information. Also, one question no one seems to ask is, even if these companies are holding to their word, how long until another party finds a way to intercept or exploit this stuff?
Regardless, I've been hearing that this may run afoul of the GDPR. Not entirely sure how that pans out for these companies in the long run, because I can certainly see a case being made there.
That is a ridiculous Eula. At the very least it is enough meta data to uncover quite a bit about a persons life. Maybe not quite as much as cell phone meta data, but for a heavy gamer it might be close.
I wish we could get regulations passed to force the sale of a tracking free option for this stuff. I’m sure there are lots of people willing to let developers have their information in return for a cheaper produxt, but I would happily pay more to stay anonymous.
"The world is a mess, and I just need to rule it" - Dr Horrible
Red Shell is just advertising retargeting; nothing surprising in itself. I’m not thrilled with it, but it’s nothing new. Websites do this to track users whose browsers block 3rd party cookies. It’s downright SOP on mobile to try to link app installs to ad clicks.
The first thing more surprising to me is that Red Shell is the first service discovered on Windows to offer retargeting. There’s no way that it can possibly be the only one used by game developers.
The second thing more surprising to me is that Steam doesn’t expose install clicks driven by ads to developers. What is Valve even doing?! They could expose ad efficiency to developers in a way that offers much more privacy to users than what Red Shell is doing.
Red Shell is just advertising retargeting; nothing surprising in itself. I’m not thrilled with it, but it’s nothing new. Websites do this to track users whose browsers block 3rd party cookies. It’s downright SOP on mobile to try to link app installs to ad clicks.
The first thing more surprising to me is that Red Shell is the first service discovered on Windows to offer retargeting. There’s no way that it can possibly be the only one used by game developers.
The second thing more surprising to me is that Steam doesn’t expose install clicks driven by ads to developers. What is Valve even doing?! They could expose ad efficiency to developers in a way that offers much more privacy to users than what Red Shell is doing.
The majority (all?) of the games using it are violating the GDPR. On top of that, the games that are implementing it are using incredibly liberal EULAs that grant them access to a disturbing amount of personal information. Regardless of what it is doing right now, it has the potential to do a hell of a lot more with the degradation of privacy that goes along with it. Additionally, ad networks tracking user behavior outside of web pages is disturbing and a worrying trend.
I don’t like any of this, but I feel like it’s important to be accurate.
I’m not sure that Red Shell is violating GDPR. The two bits of data the quoted Reddit post says they collect are a unique identifier and a hashed IP address. While both of these things were generated from what can be argued is personal information, that personal information cannot be derived from them, and thus it seems like they’re GDPR complaint? Feel free to correct me on this; GDPR isn’t the most straightforward regulation I’ve seen.
The stuff in the Civilization EULA is way less okay! But I don’t know if we can accurately attribute it to Red Shell, since that’s substantially more info than Red Shell says they’re collecting.
CambiataCommander ShepardThe likes of which even GAWD has never seenRegistered Userregular
Our company uses Symantec for 2FA. The 2FA is not working. Internal team working with Symantec has labeled this issue "not customer impacting." WE CAN'T FIX ANYTHING FOR CUSTOMERS IF WE CAN'T LOG IN YOUR DOLTS. I hope our customers weren't expecting to get anything done tonight.
"If you divide the whole world into just enemies and friends, you'll end up destroying everything" --Nausicaa of the Valley of Wind
I don’t like any of this, but I feel like it’s important to be accurate.
I’m not sure that Red Shell is violating GDPR. The two bits of data the quoted Reddit post says they collect are a unique identifier and a hashed IP address. While both of these things were generated from what can be argued is personal information, that personal information cannot be derived from them, and thus it seems like they’re GDPR complaint? Feel free to correct me on this; GDPR isn’t the most straightforward regulation I’ve seen.
The stuff in the Civilization EULA is way less okay! But I don’t know if we can accurately attribute it to Red Shell, since that’s substantially more info than Red Shell says they’re collecting.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier
The identifier they generate is explicitly unique, which means it's covered by the GDPR.
the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
I mean, it's pretty clearly in violation when it takes a bunch of people on reddit investigating what is even happening, and then public statements from companies clarifying what they are doing with red shell.
From my research, albeit only semi-professional, the GDPR doesn't actually specify what types of data are protected other than "personally identifiable" right?
"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
A unique random identifier which can't be used to identify the actual person's identity would not be a violation, unless there's a way to connect with another system which can then cause that identifier to be traceable to an actual person's identity.
From my research, albeit only semi-professional, the GDPR doesn't actually specify what types of data are protected other than "personally identifiable" right?
"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
A unique random identifier which can't be used to identify the actual person's identity would not be a violation, unless there's a way to connect with another system which can then cause that identifier to be traceable to an actual person's identity.
The identifier is a fingerprint-type identifier, not some random UUID. It's a fingerprint of that person's exact hardware configuration. That's why it's able to tell if a person who clicked a link in a browser later on bought a completely unrelated piece of software.
From my research, albeit only semi-professional, the GDPR doesn't actually specify what types of data are protected other than "personally identifiable" right?
"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
A unique random identifier which can't be used to identify the actual person's identity would not be a violation, unless there's a way to connect with another system which can then cause that identifier to be traceable to an actual person's identity.
The identifier is a fingerprint-type identifier, not some random UUID. It's a fingerprint of that person's exact hardware configuration. That's why it's able to tell if a person who clicked a link in a browser later on bought a completely unrelated piece of software.
Yes, but there's no way to trace back the fingerprint to a personal identity. It's not random in the sense that it's randomly generated, but it's impossible to extract their name or other identifying information from it.
What is this I don't even.
0
Options
Inquisitor772 x Penny Arcade Fight Club ChampionA fixed point in space and timeRegistered Userregular
edited June 2018
If they can link the hardware configuration to a physical location or an IP address, or if they are tracking other information such as the name the Windows Account is linked with or a Steam Account which can then be linked to a name or email of some kind, then it becomes much murkier as to whether or not the tracking constitutes PII. However, if all they are doing is assigning a PC configuration some kind of system ID and are associating it with something like gameplay patterns, then it probably doesn't constitute PII.
From my research, albeit only semi-professional, the GDPR doesn't actually specify what types of data are protected other than "personally identifiable" right?
"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
A unique random identifier which can't be used to identify the actual person's identity would not be a violation, unless there's a way to connect with another system which can then cause that identifier to be traceable to an actual person's identity.
The identifier is a fingerprint-type identifier, not some random UUID. It's a fingerprint of that person's exact hardware configuration. That's why it's able to tell if a person who clicked a link in a browser later on bought a completely unrelated piece of software.
Yes, but there's no way to trace back the fingerprint to a personal identity. It's not random in the sense that it's randomly generated, but it's impossible to extract their name or other identifying information from it.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
That is the exact definition from the text. Relevant factors bolded. A natural person can be identified by that number. They explicitly are identified by that number as part of red shells successful operation. They take an individuals behavior (clicking on an ad link or running a purchased video game), they bind it to a unique identifier, and then at a later date associate additional behavior to that identity.
Yes, it's not linking that number to a specific name and address, but that doesn't mean it's not covered by the GDPR. In fact, the number could be a completely random token (such as a UUID) and it would still be in violation, because it's being used to uniquely identify an individual. This is why everyone and their mother had to amend their privacy policies to be GDPR compliant. It isn't that everyone was tracking your real-life identity, but because simply tracking user behavior and binding it to an 'anonymous' identifier cookie means they are under the GDPR umbrella and need to be compliant (which involves having explicit and clear language that states exactly what information they collect and how they intend to use it, and to provide an immediately available opt-out option that operates without reducing functionality).
Red shell and sites that use it can (and probably do) have compliance with the GDPR via their privacy policy updates, but the games themselves need it too and I have seen zero GDPR compliant privacy releases in any of the games that I play the use it. They need to be compliant separately from the ad networks themselves because people have the potential to buy and use the game without ever having interacting with a red shell affiliated ad cdn.
You're missing the part in the middle, "who can be identified, directly or indirectly." If you can't be identified from the data then it's effectively a random assignment and not applicable.
You're missing the part in the middle, "who can be identified, directly or indirectly." If you can't be identified from the data then it's effectively a random assignment and not applicable.
You are being identified. When you visit a website and click an ad, it generates an identity that represents your behavior (showing interest in an ad for a product). When you then buy and install/run the related game it explicitly identifies you as that unique identity and links your new behavior to it. This is exactly what the GDPR was designed to cover.
That is not in line with the bulk of things that I've read. You need to consolidate enough information about a person that you could extract their identity in order for pseudonymized data to bring you toward breach.
The fact that you have an ongoing identifier number and some behavior information isn't inherently identifiable, but if there's a chance it'd be tied to, say, your facebook account, or your first name and profession you'd start getting towards a possible breach.
That is not in line with the bulk of things that I've read. You need to consolidate enough information about a person that you could extract their identity in order for pseudonymized data to bring you toward breach.
The fact that you have an ongoing identifier number and some behavior information isn't inherently identifiable, but if there's a chance it'd be tied to, say, your facebook account, or your first name and profession you'd start getting towards a possible breach.
That article is either misinformed and/or only talking about article 9. Article 9 covers what I would call 'hard personal information', and the GDPR has additional language identifying that data and laying down additional privacy requirements. The often misquoted "Privacy policies must be opt-in" only applies to information covered under article 9, for instance.
Simply having a unique identifier that represents a single individual is exactly the situation the broad application of the GDPR was created to cover.
Taken directly from the GDPR website's natural language faq on what constitutes personal information:
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
0
Options
Inquisitor772 x Penny Arcade Fight Club ChampionA fixed point in space and timeRegistered Userregular
There's a difference between Personally Identifiable Information and the general GDPR framework.
GDPR covers a whole host of scenarios. Whether or not something constitutes PII is a specific issue within the GDPR. Something being covered by the GDPR doesn't mean that it's PII or subject to PII regulations within the GDPR.
It's also worth pointing out that red shell itself has a privacy policiy that is compliant with the GDPR (so they obviously feel that it applies to them), but games that integrate it do not provide that policy in a GDPR complaint way.
Also, red shell collects a lot of information and according to their privacy policy it is not hashed (not even the IP address; also, keep in mind, that a 'hashed' ip address is not even a little anonymous. IP addresses are only 4 bytes long, it would take literal seconds to calculate the hash for every ip address in existence and use that data to 'reverse' the hash and derive the original ip).
The data collected by the SDK includes information such as IP address, SDK version, anonymized User ID, timestamp, Developer API Key, OS version, screen resolution, timezone, system language, installed fonts, installed web browsers, and in-game events.
Included in our cookie or digital fingerprint we collect IP address, User agent string, timestamp, browser language, screen resolution, system time zone, referral url, session_id, and an id for the particular ad seen
I might have asked this before, but it irks me every time I run into it.
The reason Apple always gives for pairing their home buttons with the logic boards in their phones is "Security"
And every article I can find is always just like "Oh yep. That's important. I use that for my Apple Pay. That's gotta be secure, sure."
But now with the solid-state home buttons, un-paired replacements don't even work as home buttons, let alone fingerprint sensors.
So from a purely theoretical standpoint..
If I were to create and install a "malicious" home button on a phone, and somehow get the phone to be okay with it, what could I do that we would be worried about?
It isn't like authentication happens on the sensor, so I couldn't just make a button that tells the phone "Yep, this fingerprint is OK!" every time.
Can someone explain to me why security is a valid reason, instead of just trying to lock down the third party repair market?
I might have asked this before, but it irks me every time I run into it.
The reason Apple always gives for pairing their home buttons with the logic boards in their phones is "Security"
And every article I can find is always just like "Oh yep. That's important. I use that for my Apple Pay. That's gotta be secure, sure."
But now with the solid-state home buttons, un-paired replacements don't even work as home buttons, let alone fingerprint sensors.
So from a purely theoretical standpoint..
If I were to create and install a "malicious" home button on a phone, and somehow get the phone to be okay with it, what could I do that we would be worried about?
It isn't like authentication happens on the sensor, so I couldn't just make a button that tells the phone "Yep, this fingerprint is OK!" every time.
Can someone explain to me why security is a valid reason, instead of just trying to lock down the third party repair market?
I mean that's the only thing that makes sense to me.
It's just weird to see all the tech magazines/blogs just 100% buying the security argument without question.
Like every article you find, whether the publication is typically apple-happy or not, is always like "Yeah, it sucks, but there is a reason! It's for security!"
I'm not sure how exactly Apple does it, but IIRC the Synaptics FP sensors create a hash of the FP in a secure enclave inside the sensor and then present that to the OS for comparison to the stored FPs.
Assuming Apple is similar, your replacement button wouldn't work without an Apple-derived Secret anyway.
I'm not sure how exactly Apple does it, but IIRC the Synaptics FP sensors create a hash of the FP in a secure enclave inside the sensor and then present that to the OS for comparison to the stored FPs.
Assuming Apple is similar, your replacement button wouldn't work without an Apple-derived Secret anyway.
The secure enclave in Apple's phones is separate from the button. The button itself has a hardware ID that it submits along with the FP (probably hashed) to the enclave to unlock the phone. If the button is replaced the ID is different and it won't work to unlock the phone. But:
1. All that needs to happen is for the user to authenticate in another way, and for the new serial number to be pushed to the enclave. There is nothing that a 3rd party 'malicious' FP sensor could do to extract any information out of the enclave (unless there is something really wrong with Apples security model, and I doubt there is).
2. Apple is capable of generating that secret, and touchID is not the foundation of trust on an iphone (the users apple account password is). There's no reason why ios couldn't authenticate a new button once the phone was unlocked, online, and the user supplied their apple password.
3. There is no reason to brick the phone just because of a 3rd party repair. In fact, in the past it was possible to do a 3rd party repair of just the button, with the only caveat being that touch ID wouldn't work afterwards. It wasn't until a ios update that replacing the button would brick the phone (and did so retroactively, likely because there were a lot of button failures in the iphone 6 and apple wanted to stamp out 3rd party repairs).
4. There is zero reason why paying Apple to replace a touch sensor should cost $200.
+1
Options
kaliyamaLeft to find less-moderated foraRegistered Userregular
I'm not sure how exactly Apple does it, but IIRC the Synaptics FP sensors create a hash of the FP in a secure enclave inside the sensor and then present that to the OS for comparison to the stored FPs.
Assuming Apple is similar, your replacement button wouldn't work without an Apple-derived Secret anyway.
The secure enclave in Apple's phones is separate from the button. The button itself has a hardware ID that it submits along with the FP (probably hashed) to the enclave to unlock the phone. If the button is replaced the ID is different and it won't work to unlock the phone. But:
1. All that needs to happen is for the user to authenticate in another way, and for the new serial number to be pushed to the enclave. There is nothing that a 3rd party 'malicious' FP sensor could do to extract any information out of the enclave (unless there is something really wrong with Apples security model, and I doubt there is).
2. Apple is capable of generating that secret, and touchID is not the foundation of trust on an iphone (the users apple account password is). There's no reason why ios couldn't authenticate a new button once the phone was unlocked, online, and the user supplied their apple password.
3. There is no reason to brick the phone just because of a 3rd party repair. In fact, in the past it was possible to do a 3rd party repair of just the button, with the only caveat being that touch ID wouldn't work afterwards. It wasn't until a ios update that replacing the button would brick the phone (and did so retroactively, likely because there were a lot of button failures in the iphone 6 and apple wanted to stamp out 3rd party repairs).
4. There is zero reason why paying Apple to replace a touch sensor should cost $200.
It's a shame nobody can design hardware as good. I'd be off of apple phone hardware in a heartbeat. The only phone that's been truly enjoyable to use for me besides an iphone has been Nokia windows phones. It's a shame those didn't take off. Everything about those phones were great, including enterprise support, except for the app environment.
I'm not sure how exactly Apple does it, but IIRC the Synaptics FP sensors create a hash of the FP in a secure enclave inside the sensor and then present that to the OS for comparison to the stored FPs.
Assuming Apple is similar, your replacement button wouldn't work without an Apple-derived Secret anyway.
The secure enclave in Apple's phones is separate from the button. The button itself has a hardware ID that it submits along with the FP (probably hashed) to the enclave to unlock the phone. If the button is replaced the ID is different and it won't work to unlock the phone. But:
1. All that needs to happen is for the user to authenticate in another way, and for the new serial number to be pushed to the enclave. There is nothing that a 3rd party 'malicious' FP sensor could do to extract any information out of the enclave (unless there is something really wrong with Apples security model, and I doubt there is).
2. Apple is capable of generating that secret, and touchID is not the foundation of trust on an iphone (the users apple account password is). There's no reason why ios couldn't authenticate a new button once the phone was unlocked, online, and the user supplied their apple password.
3. There is no reason to brick the phone just because of a 3rd party repair. In fact, in the past it was possible to do a 3rd party repair of just the button, with the only caveat being that touch ID wouldn't work afterwards. It wasn't until a ios update that replacing the button would brick the phone (and did so retroactively, likely because there were a lot of button failures in the iphone 6 and apple wanted to stamp out 3rd party repairs).
4. There is zero reason why paying Apple to replace a touch sensor should cost $200.
It's a shame nobody can design hardware as good. I'd be off of apple phone hardware in a heartbeat. The only phone that's been truly enjoyable to use for me besides an iphone has been Nokia windows phones. It's a shame those didn't take off. Everything about those phones were great, including enterprise support, except for the app environment.
I'm not personally sold on the quality of Apple's hardware design. They cut a lot of corners when it comes to how they build the pcbs for their products, and they make a lot of anti-consumer design choices like batteries you can't replace without removing the screen (or completely disassembling the laptop).
As for high build quality alternatives, I really like my og google pixel. I'm don't like some of the hardware changes of the pixel 2 though. Nokia is starting to get into making android phones, too, so you might want to look into those (the one they have now is reviewed to be very good, although it is distinctly mid-range).
There are actually quite a few android phones that I like better than apple, hardware-wise.
But I hate android. It feels so clunky compared to iOS.
And I don't think that's an "Oh apple design is just so polished!" thing.
I think OSX is gross and clunky too. Even compared to some linux distros. I just think the iOS team did a pretty good job, and their competition did a terrible job. (Not that android is objectively BAD, just that it has bad mouth-feel)
But yes, LD50. Your list of points is basically my thought process.
There are actually quite a few android phones that I like better than apple, hardware-wise.
But I hate android. It feels so clunky compared to iOS.
And I don't think that's an "Oh apple design is just so polished!" thing.
I think OSX is gross and clunky too. Even compared to some linux distros. I just think the iOS team did a pretty good job, and their competition did a terrible job. (Not that android is objectively BAD, just that it has bad mouth-feel)
But yes, LD50. Your list of points is basically my thought process.
I understand why users like iphones. It's a pretty nice ecosystem for users (developers, not so much, but devs aren't apples customers). I just can't support their anti-consumer tactics.
I agree that android can be clunky, especially 3rd party UI modifications from phone vendors. It's steadily improving though, and it has some features I wouldn't want to live without in another software ecosystem. The android experience on my pixel is pretty smooth now (especially after Oreo), but I'm probably not the average user, as I don't use a lot of apps beyond google provided ones.
Posts
It's worse now. It's nearly impossible to turn off that feature now (my brother and friend both have the routers). Which is why they have "largest wifi network" or whatever bullshit in their marketing. It's also hilariously stupid.
I can't confirm but I believe their cell phone service uses those open points similar to Project Fi.
If I don't actively disable it or move it down the priority list, most client machines will prefer it to our wifi to the point that even after connecting successfully to our AP, it will try to reconnect to xfinity instead on reboot or resetting network components.
It is the bane of my entire existence.
Every time the "Sign in with your xfinity account!" portal pops up, I die a little bit more inside.
I move it down for all my clients. Saves the return trip when they complain that their printer doesn't work.
https://www.ic3.gov/media/2018/180525.aspx
Netgear and Linksys have issued statements downplaying it and saying they believe it's using vulnerabilities that have already been patched so only old unupdated firmware is affected, but it kinda sounds like bullshit to save face given the FBI made it a point to talk about it, and particularly as Cisco's Talos blog lays out the danger.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
so it's russia, right?
Except even with the option checked, it rarely works.
0 days are becoming quite common even on patched newer IoT devices. A lot of it has to do with the implementation of busy box, and it's not implemented uniformly amongst vendors.
Recently, a number of high profile games have been found to include tracking software and/or perform tracking of the end user. The software/company doing the tracking in question is called Red Shell, and this has come under scrutiny most prominently on Reddit's /r/Steam - Notably in a thread here, with regard to certain Steam Games.
According to varied reports, Red Shell does the following - If a user clicks on an advertisement for a game, that data is logged via a specific identifier generated against the user's hardware and other device specifics. When any Red Shell containing game then runs, it sends this same specific identifier back to Red Shell's servers. Ostensibly, when a match is found between the ad-click through log and identifiers reported by the game itself, that data is then reported to the developers/publishers of the game in order to gauge advertisement efficacy. In other words, it says "Oh, you looked at an ad for this game, and now you're playing it, the ad must've worked".
Red Shell has apparently also admitted to collecting IP addresses, albeit in hashed format.
The list of games carrying Red Shell is currently as follows:
The debate at present is essentially boiling down to "Is Red Shell really Spyware?" with the underlying discussion of "What is Spyware, anyway"? I've seen many people saying that this is blowing privacy out of proportion, as the collected data is "harmless" and because Red Shell doesn't collect anything that would be considered sensitive. In wake of the debate, some developers have been recently scrambling to distance themselves from Red Shell. This includes the developers of Dead by Daylight, who are currently pledging to remove Red Shell from their game entirely.
For my part, I'll admit to a certain amount of bias. Just because Red Shell is claiming not to collect that data, doesn't mean they aren't - or more importantly that in the future they won't. The additional layer of subterfuge involved here, that the games in question are reporting this information without consent or notification, is also a troubling concern to me.
This is from Civ VI (which was one of the early unlocks for a recent Humble Monthly). I'm pasting the relevant part of a Steam review that has the relevant language:
Personally I'm not terribly comfortable with taking these companies at their word. Particularly not after recent hullabaloo regarding the haphazard and unauthorized harvesting of personal information. Also, one question no one seems to ask is, even if these companies are holding to their word, how long until another party finds a way to intercept or exploit this stuff?
Regardless, I've been hearing that this may run afoul of the GDPR. Not entirely sure how that pans out for these companies in the long run, because I can certainly see a case being made there.
I wish we could get regulations passed to force the sale of a tracking free option for this stuff. I’m sure there are lots of people willing to let developers have their information in return for a cheaper produxt, but I would happily pay more to stay anonymous.
Nintendo Network ID: AzraelRose
DropBox invite link - get 500MB extra free.
The first thing more surprising to me is that Red Shell is the first service discovered on Windows to offer retargeting. There’s no way that it can possibly be the only one used by game developers.
The second thing more surprising to me is that Steam doesn’t expose install clicks driven by ads to developers. What is Valve even doing?! They could expose ad efficiency to developers in a way that offers much more privacy to users than what Red Shell is doing.
The majority (all?) of the games using it are violating the GDPR. On top of that, the games that are implementing it are using incredibly liberal EULAs that grant them access to a disturbing amount of personal information. Regardless of what it is doing right now, it has the potential to do a hell of a lot more with the degradation of privacy that goes along with it. Additionally, ad networks tracking user behavior outside of web pages is disturbing and a worrying trend.
I’m not sure that Red Shell is violating GDPR. The two bits of data the quoted Reddit post says they collect are a unique identifier and a hashed IP address. While both of these things were generated from what can be argued is personal information, that personal information cannot be derived from them, and thus it seems like they’re GDPR complaint? Feel free to correct me on this; GDPR isn’t the most straightforward regulation I’ve seen.
The stuff in the Civilization EULA is way less okay! But I don’t know if we can accurately attribute it to Red Shell, since that’s substantially more info than Red Shell says they’re collecting.
The identifier they generate is explicitly unique, which means it's covered by the GDPR.
I mean, it's pretty clearly in violation when it takes a bunch of people on reddit investigating what is even happening, and then public statements from companies clarifying what they are doing with red shell.
"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
A unique random identifier which can't be used to identify the actual person's identity would not be a violation, unless there's a way to connect with another system which can then cause that identifier to be traceable to an actual person's identity.
The identifier is a fingerprint-type identifier, not some random UUID. It's a fingerprint of that person's exact hardware configuration. That's why it's able to tell if a person who clicked a link in a browser later on bought a completely unrelated piece of software.
Yes, but there's no way to trace back the fingerprint to a personal identity. It's not random in the sense that it's randomly generated, but it's impossible to extract their name or other identifying information from it.
That is the exact definition from the text. Relevant factors bolded. A natural person can be identified by that number. They explicitly are identified by that number as part of red shells successful operation. They take an individuals behavior (clicking on an ad link or running a purchased video game), they bind it to a unique identifier, and then at a later date associate additional behavior to that identity.
Yes, it's not linking that number to a specific name and address, but that doesn't mean it's not covered by the GDPR. In fact, the number could be a completely random token (such as a UUID) and it would still be in violation, because it's being used to uniquely identify an individual. This is why everyone and their mother had to amend their privacy policies to be GDPR compliant. It isn't that everyone was tracking your real-life identity, but because simply tracking user behavior and binding it to an 'anonymous' identifier cookie means they are under the GDPR umbrella and need to be compliant (which involves having explicit and clear language that states exactly what information they collect and how they intend to use it, and to provide an immediately available opt-out option that operates without reducing functionality).
Red shell and sites that use it can (and probably do) have compliance with the GDPR via their privacy policy updates, but the games themselves need it too and I have seen zero GDPR compliant privacy releases in any of the games that I play the use it. They need to be compliant separately from the ad networks themselves because people have the potential to buy and use the game without ever having interacting with a red shell affiliated ad cdn.
You are being identified. When you visit a website and click an ad, it generates an identity that represents your behavior (showing interest in an ad for a product). When you then buy and install/run the related game it explicitly identifies you as that unique identity and links your new behavior to it. This is exactly what the GDPR was designed to cover.
https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data
The fact that you have an ongoing identifier number and some behavior information isn't inherently identifiable, but if there's a chance it'd be tied to, say, your facebook account, or your first name and profession you'd start getting towards a possible breach.
That article is either misinformed and/or only talking about article 9. Article 9 covers what I would call 'hard personal information', and the GDPR has additional language identifying that data and laying down additional privacy requirements. The often misquoted "Privacy policies must be opt-in" only applies to information covered under article 9, for instance.
Simply having a unique identifier that represents a single individual is exactly the situation the broad application of the GDPR was created to cover.
Taken directly from the GDPR website's natural language faq on what constitutes personal information:
GDPR covers a whole host of scenarios. Whether or not something constitutes PII is a specific issue within the GDPR. Something being covered by the GDPR doesn't mean that it's PII or subject to PII regulations within the GDPR.
Also, red shell collects a lot of information and according to their privacy policy it is not hashed (not even the IP address; also, keep in mind, that a 'hashed' ip address is not even a little anonymous. IP addresses are only 4 bytes long, it would take literal seconds to calculate the hash for every ip address in existence and use that data to 'reverse' the hash and derive the original ip).
Included in our cookie or digital fingerprint we collect IP address, User agent string, timestamp, browser language, screen resolution, system time zone, referral url, session_id, and an id for the particular ad seen
The reason Apple always gives for pairing their home buttons with the logic boards in their phones is "Security"
And every article I can find is always just like "Oh yep. That's important. I use that for my Apple Pay. That's gotta be secure, sure."
But now with the solid-state home buttons, un-paired replacements don't even work as home buttons, let alone fingerprint sensors.
So from a purely theoretical standpoint..
If I were to create and install a "malicious" home button on a phone, and somehow get the phone to be okay with it, what could I do that we would be worried about?
It isn't like authentication happens on the sensor, so I couldn't just make a button that tells the phone "Yep, this fingerprint is OK!" every time.
Can someone explain to me why security is a valid reason, instead of just trying to lock down the third party repair market?
I have some bad news for you.
It's just weird to see all the tech magazines/blogs just 100% buying the security argument without question.
Like every article you find, whether the publication is typically apple-happy or not, is always like "Yeah, it sucks, but there is a reason! It's for security!"
Assuming Apple is similar, your replacement button wouldn't work without an Apple-derived Secret anyway.
The secure enclave in Apple's phones is separate from the button. The button itself has a hardware ID that it submits along with the FP (probably hashed) to the enclave to unlock the phone. If the button is replaced the ID is different and it won't work to unlock the phone. But:
1. All that needs to happen is for the user to authenticate in another way, and for the new serial number to be pushed to the enclave. There is nothing that a 3rd party 'malicious' FP sensor could do to extract any information out of the enclave (unless there is something really wrong with Apples security model, and I doubt there is).
2. Apple is capable of generating that secret, and touchID is not the foundation of trust on an iphone (the users apple account password is). There's no reason why ios couldn't authenticate a new button once the phone was unlocked, online, and the user supplied their apple password.
3. There is no reason to brick the phone just because of a 3rd party repair. In fact, in the past it was possible to do a 3rd party repair of just the button, with the only caveat being that touch ID wouldn't work afterwards. It wasn't until a ios update that replacing the button would brick the phone (and did so retroactively, likely because there were a lot of button failures in the iphone 6 and apple wanted to stamp out 3rd party repairs).
4. There is zero reason why paying Apple to replace a touch sensor should cost $200.
It's a shame nobody can design hardware as good. I'd be off of apple phone hardware in a heartbeat. The only phone that's been truly enjoyable to use for me besides an iphone has been Nokia windows phones. It's a shame those didn't take off. Everything about those phones were great, including enterprise support, except for the app environment.
I'm not personally sold on the quality of Apple's hardware design. They cut a lot of corners when it comes to how they build the pcbs for their products, and they make a lot of anti-consumer design choices like batteries you can't replace without removing the screen (or completely disassembling the laptop).
As for high build quality alternatives, I really like my og google pixel. I'm don't like some of the hardware changes of the pixel 2 though. Nokia is starting to get into making android phones, too, so you might want to look into those (the one they have now is reviewed to be very good, although it is distinctly mid-range).
But I hate android. It feels so clunky compared to iOS.
And I don't think that's an "Oh apple design is just so polished!" thing.
I think OSX is gross and clunky too. Even compared to some linux distros. I just think the iOS team did a pretty good job, and their competition did a terrible job. (Not that android is objectively BAD, just that it has bad mouth-feel)
But yes, LD50. Your list of points is basically my thought process.
I understand why users like iphones. It's a pretty nice ecosystem for users (developers, not so much, but devs aren't apples customers). I just can't support their anti-consumer tactics.
I agree that android can be clunky, especially 3rd party UI modifications from phone vendors. It's steadily improving though, and it has some features I wouldn't want to live without in another software ecosystem. The android experience on my pixel is pretty smooth now (especially after Oreo), but I'm probably not the average user, as I don't use a lot of apps beyond google provided ones.