Tuesday, April 10, 2018

Privacy in the age of implied consent

I'm quite amused by cries about FB's onslaught on privacy (all in all, you *did* give your consent, didn't you?) while more interesting things are happening.

...so I bought a new phone. Been methodically transferring working pieces from the old one, and found myself driving with the old phone connected to BT monitoring hardware in the car with the new one running navigation.

...and in the middle of the trip the old phone (now without a SIM card) says: "Psst! Dude! It looks like you configured tethering on your new phone, why don't you turn it on and give me some Internet?"

Wait.
What?

Quick introspection shows that in order to do that:

  • both phones need to have a list of my devices' MAC addresses
  • they need to sniff the air to detect their presence (turns out this is pretty easy to do)
  • most importantly, they need to *know* that I have a hotspot configured.

Now, the first two things are annoying, but widespread; there's not much you can do about that. But the third... I do have a hotspot configured, but I never ever turned it on. Moreover, I don't think I *ever* gave any explicit or implicit consent to sending the information about my hotspot details to Google.

Your privacy is dead. Deal with it.

Saturday, October 7, 2017

Why I prefer to hire DIYers

The curse of any DIY job is: you have to do it right the first time. You have no idea what to do, and you can't afford a mistake. You must become as proficient as professionals are, in a fraction of the time, at a fraction of the cost.

So what you do is you learn to learn. You learn how to solve problems the very existence of which you never knew. You think outside of the box, you work beyond limits.

That beats someone who does only the things they were taught to do any time of day.

Thursday, October 5, 2017

In times like these, big monies are lost... and made

tl;dr: life after Equifax fiasco.

Service companies do not sell services. They sell comfort and satisfaction. Equifax was selling comfort to banks, which were glad to pay a little coin for an assurance that the loan they're issuing will be paid back.

Now the confidence is gone. Not just in Equifax, TransUnion, and Experian: the chain of trust has been broken. There is no assurance that good and valid information is not being used by a fraudster. It's not just that all of us are screwed; the banks are screwed too.

What now?

The business model of "credit rating" is going to be broken for a while. Like I said elsewhere the day the Equifax breach happened, SSN as ID will be dismantled - it'll take time, but it is inevitable (it was obvious for a long time that a non-secure system that doesn't support revocation will be broken by the first major leak, which we just witnessed happening). It will be replaced by a system that does support revocation, and that looks painfully similar to good old cryptography. This will cause the emergence of whole new classes of tasks, and jobs to solve them - but one will have to be a rocket scientist, or at least proficient with cryptography, to get one of those jobs. And we will have to pay for all that, because nobody else will.

Buckle up. Study cryptography.

Thursday, September 24, 2015

Identity Theft Made Easy

So, I call $company. The automated system guides me through the hoops, in particular, asking for my "secure credentials", normally "the last four". Then it connects me to a representative.

And the first thing the representative says is: "What are your last four?"

WHAT?

I just identified myself to your automated system.
It authenticated me.
Why do *you* need to hear it again?

If this is a part of the $company's protocol, it's redundant.
If this is an unscrupulous employee harvesting personally identifiable information, it's a vulnerability.

The problem is, you cannot distinguish between the two. So either way, we're screwed.
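The redundancy above is a design choice, not a law of nature. As an added example (not from the post or from any real $company system), here is a toy model of how an automated system can hand a representative a signed "already authenticated" assertion instead of having the secret repeated: the handoff key, the customer record and the 15-minute window are all made-up values.

```python
import hmac, hashlib, json, time, secrets
from typing import Optional

# Constructed example: the IVR checks the caller's secret once, then hands
# the representative a signed assertion that never carries the digits.
HANDOFF_KEY = b"ivr-to-agent-handoff-key"        # assumed shared secret (placeholder)
CUSTOMERS = {"acct-1001": {"last4": "4321"}}     # constructed sample record

def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(HANDOFF_KEY, body, hashlib.sha256).hexdigest()

def ivr_authenticate(account: str, supplied_last4: str,
                     now: Optional[float] = None) -> Optional[dict]:
    """Automated system: compare the secret once, then mint a session
    assertion proving the check happened, without including the secret."""
    record = CUSTOMERS.get(account)
    if record is None or not hmac.compare_digest(record["last4"], supplied_last4):
        return None
    claims = {"account": account, "authenticated": True,
              "issued_at": now if now is not None else time.time(),
              "session": secrets.token_hex(8)}
    return {"claims": claims, "sig": _sign(claims)}

def agent_view(handoff: dict, max_age: float = 900,
               now: Optional[float] = None) -> dict:
    """Representative's screen: trusts the IVR's signed assertion, so the
    secret never has to be spoken to (or seen by) a human."""
    claims, sig = handoff["claims"], handoff["sig"]
    if not hmac.compare_digest(_sign(claims), sig):
        return {"verified": False, "reason": "bad signature"}
    current = now if now is not None else time.time()
    if current - claims["issued_at"] > max_age:
        return {"verified": False, "reason": "stale"}
    # Note what is absent: no last4, nothing an employee could harvest.
    return {"verified": True, "account": claims["account"]}
```

With the assertion bound to the session and signed, a representative who still asks for "the last four" is either off-protocol or harvesting, and the two cases become distinguishable.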