You have become the new currency

I was alerted to the contents of the privacy policy for Google Payments by an episode of the BBC series – Billion Dollar Deals and How They Changed Your World – in which the presenter Jacques Peretti makes a rather astonishing (for me at least) discovery …

Take Apple Pay, there’s a small amount of money they make in each transaction. But with Android Pay, which is run by Google, they don’t take anything. So what’s going on?

The answer lies in the small print of the terms and conditions: “we may collect information about the transaction, including: Date, time and amount of the transaction, the merchant’s location and description, a description provided by the seller of the goods or services purchased, any photo you choose to associate with the transaction, the names and email addresses of the seller and buyer (or sender and recipient), the type of payment method used, your description of the reason for the transaction, and the offer associated with the transaction, if any.”

Remember that space in the transaction, the space where business makes money? Now that space is about data. You have become the new currency.

This piqued my interest as I have been using Android Pay for a few months. In doing so had I also given my consent for my personal financial transaction data to be harvested by Google?!

For the uninitiated, Apple Pay and Google Pay let you create a digital copy of your payment cards, which are held in a secure virtual wallet on your mobile phone. You can then make contactless payments using your phone instead of the physical cards.

The Apple Pay security and privacy overview states: “Apple Pay doesn’t collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant (or developer for payments made within apps and on the web), and your bank”. That sounds perfectly fair and reasonable, but what about Google?

The current Terms of Service for Android Pay includes the line: “Your use of Android Pay is subject to these Android Pay Terms of Service and the Google ToS (which together, for purposes of these Android Pay Terms of Service, we refer to as the “Terms”), as well as to the Google Privacy Policy.”

The Google Privacy Policy includes a link to the specific privacy practices with respect to Payments, which contains the aforementioned small print concerning Google’s collection of payment transaction information.

So yes, by virtue of using their product I did unwittingly give Google permission to ‘spy’ on my spending habits. This financial transaction data has intrinsic value and it’s obvious why Google would like to get their hands on it, but I didn’t expect the banks to be so lax as to allow it to be shared in this way.

This revelation left me wrestling with a dilemma. There is no denying that the simplicity of making small payments with a quick tap of my phone is really handy, but I value my privacy more than the convenience factor.

I just can’t abide my personal data being exploited in this way and so have reluctantly removed my payment and loyalty cards from Android Pay and I won’t be using it again. Sorry Google, but how I choose to spend my hard-earned moolah will be kept between myself, the retailer and my bank from now on.


Sky Hub syslogging to Mac OS

The standard issue Sky Broadband SR102 ADSL router includes the capability to send syslog messages to a remote host.

Unfortunately the plucky little SR102 doesn’t send syslog messages in entirely the right format (checked using ‘syslog -F raw’): the ISO timestamp ends up split across the Sender and Message fields, as you can see below:

[ASLMessageID 303320877] [Time 1463491448] [TimeNanoSec 0] [Level 2]
 [PID 4294967295] [UID 4294967294] [GID 4294967294] [ReadGID 80] [Host
 1] [Sender 2016-05-17T14] [Facility daemon] [Message 24:08.000Z
 skyhub.ihr syslog - - [skySDID@32666 mac="7C4CA5D9E148"
 sn="A502141D002081"]  Administrator login successful from IP:
 192.168.0.100 .]

You can however still use Mac OS’s syslog daemon to receive these messages, but first you’ll need to enable the socket listener:

cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist

To restart the syslog daemon:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Next go into the Sky Hub web interface, click on the Security tab (default admin credentials are admin / sky), select Logs and then enter the IP address of your Mac in the Syslog server address.

You can check for Sky Hub syslog entries in /var/log/system.log.

To filter out the Sky Hub messages into a separate log file, add these two lines to /etc/asl.conf and then restart the syslog daemon again:

# Sky SR102 broadband router saved to skyhub.log
? [S= Message skyhub.ihr ] file skyhub.log mode=0640 format=bsd rotate=seq compress all_max=50M

The query-action rule tells syslogd to match on the “skyhub.ihr” substring in the Message key and then save those entries to /var/log/skyhub.log. The options are for log file rotation, retaining up to 50MB of files.

Typical Sky Hub log entries will include connection retraining, web interface logins and NTP synchronisations.
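Once the router’s messages land in their own file, the web interface logins are the entries worth watching, particularly since the Hub ships with well-known default credentials. The script below is an added example (not part of the original post) that pulls the admin-login source addresses out of skyhub.log and reports any that are not on an allowlist of your own management hosts. The sample log lines are constructed to follow the SR102 message layout shown above; the mac/sn values and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: scan the skyhub.log produced by the
# asl.conf rule above for router admin logins from addresses outside an allowlist.
# The log lines are constructed to match the SR102 message layout shown earlier;
# the mac/sn values are placeholders, not real device identifiers.

# Write a small constructed sample log to $1 (stands in for /var/log/skyhub.log).
write_sample_log() {
    cat > "$1" <<'EOF'
May 17 14:24:08 skyhub.ihr syslog - - [skySDID@32666 mac="001122334455" sn="SN-PLACEHOLDER"]  Administrator login successful from IP: 192.168.0.100 .
May 17 14:30:01 skyhub.ihr syslog - - [skySDID@32666 mac="001122334455" sn="SN-PLACEHOLDER"]  NTP synchronised .
May 17 23:41:12 skyhub.ihr syslog - - [skySDID@32666 mac="001122334455" sn="SN-PLACEHOLDER"]  Administrator login successful from IP: 192.168.0.55 .
EOF
}

# Print the source IP of every "Administrator login successful" entry in log $1.
admin_login_ips() {
    sed -n 's/.*Administrator login successful from IP: *\([0-9.]*\).*/\1/p' "$1"
}

# Print the distinct admin-login IPs in log $1 that are not listed, one per line,
# in allowlist file $2 (your management hosts). Exits 0 even when nothing is found.
unexpected_admin_logins() {
    admin_login_ips "$1" | sort -u | grep -vxF -f "$2" || true
}

# Print the router's own identifiers (mac= and sn=) from the structured-data block,
# so a report can be tied to the right device if you log more than one.
router_identity() {
    sed -n 's/.*\[skySDID@[0-9]* \(mac="[^"]*" sn="[^"]*"\)\].*/\1/p' "$1" | sort -u
}

# Stand-alone demo: build the sample log and an allowlist in a temp dir and report.
demo_tmp=$(mktemp -d)
write_sample_log "$demo_tmp/skyhub.log"
printf '192.168.0.100\n' > "$demo_tmp/allow"
printf 'Router: %s\n' "$(router_identity "$demo_tmp/skyhub.log")"
printf 'Admin logins from unexpected addresses:\n'
unexpected_admin_logins "$demo_tmp/skyhub.log" "$demo_tmp/allow"
rm -rf "$demo_tmp"
```

Point the functions at /var/log/skyhub.log and a file listing your own hosts to run it against the real log.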

EncFS for OS X Yosemite

It’s about time I updated my instructions for installing and running an EncFS filesystem on Mac OS X, synchronised to Dropbox. Use a combination of FUSE for OS X, EncFS, Dropbox and DropSec to create and maintain a super-secure filesystem which syncs with the cloud, while maintaining

  1. Download and install FUSE for OS X (the MacFUSE compatibility layer is not required)
  2. If you don’t have it already, install the Homebrew package manager
  3. Download and install EncFS (v1.7.5_1 at time of writing) and any dependencies, it’s as easy as ‘brew install homebrew/fuse/encfs’
  4. Download DropSec, extract DropSec.app from the archive and copy it to your Applications folder

To create a new encrypted volume (stored locally at first to prevent your EncFS key from being synchronised with Dropbox):

encfs ~/Desktop/_Encrypted ~/Documents/_DropSec

Answer ‘yes’ when prompted to create the new folders and choose ‘p’ for pre-configured paranoia mode (256-bit AES encryption). Enter a secure EncFS password when prompted and you’re done. Now that the filesystem has been created, we can deal with securing the key.

umount ~/Documents/_DropSec
mkdir ~/.keys
mv ~/Desktop/_Encrypted/.encfs6.xml ~/.keys/dropsec.xml

The commands above move your key from the EncFS filesystem into a hidden folder in your (local) home directory. Now move the entire ~/Desktop/_Encrypted folder (minus your key) into your Dropbox:

mv ~/Desktop/_Encrypted ~/Dropbox/

To mount the secure filesystem run the DropSec app from your Applications folder. The first time you run DropSec it will prompt you for your EncFS password which it stores in your local login keychain. The password must match the secure password you set earlier.

When the secure volume is mounted a DropSec folder with a padlock icon will appear on your desktop. If it doesn’t, check that you have ‘Show Connected servers’ checked in Finder preferences.

To mount or unmount the encrypted volume simply run the DropSec app. For convenience copy it to your Mac OS dock for quick access.
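The whole point of the key shuffle above is that .encfs6.xml must never reach Dropbox. The functions below are an added example (not DropSec’s or EncFS’s own code) that script that procedure with a check: the key is moved to ~/.keys with owner-only permissions, the ciphertext folder is refused for syncing while a key is still inside it, and mounting uses EncFS’s ENCFS6_CONFIG environment variable to find the relocated key. Paths and the dropsec.xml file name follow the post.

```shell
#!/bin/sh
# Added example, not DropSec's or EncFS's own code: checks that the EncFS key
# (.encfs6.xml) has been moved out of the ciphertext folder before that folder is
# handed to Dropbox, and mounts using the relocated key. Paths follow the post;
# the key file name dropsec.xml and the ~/.keys folder are the post's choices.

# Return 0 if no .encfs6.xml exists anywhere under directory $1, 1 if one does.
key_absent() {
    [ -d "$1" ] || return 2
    if find "$1" -name '.encfs6.xml' -print | grep -q .; then
        return 1
    fi
    return 0
}

# Move the key out of ciphertext dir $1 into private key dir $2 as file name $3.
# Refuses to run if there is no key to move or the destination already exists,
# and locks down permissions so only the owner can read the key.
relocate_key() {
    [ -f "$1/.encfs6.xml" ] || { echo "no key in $1" >&2; return 1; }
    mkdir -p "$2" && chmod 700 "$2" || return 1
    [ -e "$2/$3" ] && { echo "refusing to overwrite $2/$3" >&2; return 1; }
    mv "$1/.encfs6.xml" "$2/$3" && chmod 600 "$2/$3"
}

# Only move the ciphertext folder $1 into the Dropbox folder $2 once the key is gone.
sync_ciphertext() {
    key_absent "$1" || { echo "key still inside $1, not syncing" >&2; return 1; }
    mv "$1" "$2"/
}

# Mount ciphertext dir $2 at mount point $3 using the external key file $1;
# EncFS reads the config location from the ENCFS6_CONFIG environment variable.
mount_with_key() {
    ENCFS6_CONFIG="$1" encfs "$2" "$3"
}
```

With the post’s paths, the sequence after creating the volume is: relocate_key ~/Desktop/_Encrypted ~/.keys dropsec.xml, then sync_ciphertext ~/Desktop/_Encrypted ~/Dropbox, then mount_with_key ~/.keys/dropsec.xml ~/Dropbox/_Encrypted ~/Documents/_DropSec.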

Smart bins are watching you


It’s intriguing how news stories can bubble under the surface for a while and then explode into the public eye, with significant consequences for everyone involved.

Today’s example is the case of the Renew London waste recycling bins, which have been appearing on City of London streets since January 2012. As well as being a regular waste bin they are equipped with a large screen on each side for displaying digital advertising.

Up until recently that’s all we thought they did, until an article in Quartz magazine brought a darker side to the public attention.

Up to a dozen of these smart bins have been secretly scanning for passing mobile devices and storing this data to compile a database of the movement of individuals around the City of London. All of this was done without consent, although the trial details have been published on the Renew London web site.

How do they do this you might be wondering? Every device capable of using Wi-Fi has a permanent hardware (MAC) address which uniquely identifies the device and often even the make and model. If your mobile device has Wi-Fi enabled then your unique MAC address is broadcast periodically when your device scans for access points.

The Renew London smart bins can listen out for these signals and record the MAC addresses that they ‘see’. According to the published trial data they captured nearly a million devices on just one day in June!

They would probably still be doing this if it wasn’t for the sensationalist claims from the Renew London CEO Kaveh Memari, who went a little too far in explaining just what his technology is capable of.

Memari said he was working on a proposal for a bar that would install five tracking devices: one by the entrance, one on the roof, one near the cash register, and one in each of the bathrooms. That would allow the bar to know each person’s gender (from the bathroom trackers), how long they stay (“dwell time” is the official metric), and what they were there for (a drink outside or a meal inside). And targeted advertising for the pub could follow those people around London on Renew’s omniscient recycling bins.

It would seem that the City of London Corporation was not aware of exactly what Renew London had been up to and the adverse publicity has caused them to swiftly deal with the situation.

THE collection of data from phones and devices carried by people passing sophisticated waste bins in Square Mile streets should stop immediately, says the elected City of London Corporation, which provides local authority services to the global business district around St Paul’s.

A spokesman said (Monday): ‘We have already asked the firm concerned to stop this data collection immediately and we have also taken the issue to the Information Commissioner’s Office. Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public.’

The bombproof waste and recycling bins, which also carry TV screens with public information, were installed as a way of re-introducing waste bins to City streets.

‘This latest development was precipitate and clearly needs much more thought – in the meantime data collection – even if it is anonymised – needs to stop,’ added the spokesman.

An official statement from Mr Memari has also confirmed a cessation of the ‘trial’:

During our initial trials, which we are no longer conducting, a limited number of pods had been testing and collecting anonymised and aggregated MAC addresses from the street and sending one report every three minutes concerning total footfall data from the sites. A lot of what had been extrapolated is capabilities that could be developed and none of which are workable right now. For now, we no longer continue to count devices and are able to distinguish uniques versus repeats. However, the process is very much like a website, you can tell how many hits you have had and how many repeat visitors, but we cannot tell who, or anything personal about any of the visitors on the website. So we couldn’t tell, for example, whether we had seen devices or not as we never gathered any personal details.

Future developments will, however, not just depend on technology, but also, most importantly, on people being comfortable with interactive technology – much as has happened over the course of the weekend on the internet.

This is a somewhat less ebullient statement than one of Memari’s previous quotes:

“The chances are, if we don’t see you on the first, second, or third day, we’ll eventually capture you,” he said. “We just need you to have it on once.”

What can you do to protect yourself from this gross invasion of privacy? Disable Wi-Fi (and Bluetooth) if you aren’t actively using it when you’re out and about. Doing this will help save your battery too. You can also register your MAC address and opt-out of data collection via the Presence Orb web site.

It’s interesting to note that since this story broke the Renew London bin screens have been conspicuously devoid of any advertising. Evidently advertisers don’t want to be associated with this trial either.

Update: 12-Feb-2015

London’s ‘smart’ bins have been unceremoniously decommissioned, as you’ll see in this photo.

The RenewLondon.com domain name was sold in June 2014 and it now resolves to an accounting blog.

The former Renew London business seems to have disappeared without a trace, disproving the theory that where there’s muck there’s brass!

Apps Publishing Security Policy

BSkyB has become the latest high-profile victim of a security blunder which has caused them to suspend all their Sky Android applications from the Google Play app store.

The hackers would appear to have used a combination of phishing and social engineering techniques to compromise a trusted computer and steal corporate login details for third-party sites such as Google and Twitter.

The storefront for Sky’s Android mobile apps was defaced, with the app descriptions changed and screenshots replaced.

Sky Go defaced

To make a bad situation even worse for Sky, one of their official Twitter accounts was also compromised and the hackers used it to draw more attention to their handiwork.


Fuelled by the ‘official’ Twitter misinformation, customers were led to believe that the apps had also been tampered with, although this has been subsequently denied by Sky on their Help Forum:

We have temporarily removed our Apps from the Google Play store following a security alert.

All Sky Apps were unaffected and any Sky Android apps previously downloaded by customers are safe to use. There is no need to remove them from your android device.

As soon as we have restored the apps on Google Play we will post up an update.

In a related security breach, Twitter has locked access to @SkyHelpTeam, which is why we are currently unable to tweet from this account. However, help and info is available via @SkyHelpTeam1Facebook and here on the Sky Help Forum.

The tweet that was made from the @SkyHelpTeam twitter, in the early hours of Sunday morning, advising customers to uninstall their apps was NOT an official tweet from Sky. Twitter security immediately detected this rogue messaging and locked the account as part of agreed standard security process.

Sky have suffered this humiliation as a result of sloppy security practices. With a robust security policy the damage from this attack could have been limited or prevented entirely.

My recommendations for an apps publishing security policy:

  • Use a dedicated Google account for the Google Play Developer Console, not an account used for other Google services. Do not divulge the email address of this account.
  • Enable 2-Step Verification on your Google account and use Google Authenticator to login. Make sure that you properly sign out of your Google account when you have finished each session.
  • Only use a bookmarked https link to access the Developer Console. Never click on links contained in emails or on other web sites.
  • Tightly limit access to the Developer account. Only permit access to those directly involved with apps publishing, usually just the Apps Manager and their deputy.
  • Wherever possible use discrete private keys to sign each application – see the Signing Strategies section of Android Developer Tools. This limits the damage should the private key for an individual app be compromised.
  • Store your signing keys securely, preferably using a hardware-encrypted USB flash drive (such as an IronKey). Physically store the keys in a locked safe.
  • Use a standalone computer for code signing and never connect it to a network. Treat all networks as untrusted, even your corporate LAN.
  • Have a well rehearsed contingency plan to ensure business continuity if the worst does happen.

EvoCam vs SecuritySpy

The options for network camera recording software are a bit limited on Mac OS. The two most popular products in this space are Evological’s EvoCam and Bensoftware’s SecuritySpy.

So which is best?

On price alone you might be tempted by EvoCam as it costs just $30 (under £20) for an unlimited number of cameras, while SecuritySpy will set you back £30 for a single camera license and a whopping £500 for unlimited camera support.

I’ve had an opportunity to evaluate both products and have come to the conclusion that you really do get what you pay for.

EvoCam does the job well enough and has a more polished user interface, but it also suffers from a major problem that lets it down badly, almost to the point of being unusable. For reasons unknown it ties up the processor for even a simple one camera recording setup.

Activity Monitor output taken for identical recording sessions is below:

In these examples (from a Mac Mini 2.26GHz Intel Core 2 Duo with 4GB RAM), EvoCam consumes 85% CPU and 90MB real memory, while in comparison SecuritySpy consumes a meagre 6% CPU and 21MB real memory. That’s quite a difference and it’s very noticeable when you try to use the same host machine for other work.

So if you have the luxury of a dedicated powerful server for your camera recording then EvoCam is probably the most cost effective option, but if you want something that works reliably and doesn’t take over your machine then SecuritySpy is well worth the extra investment.

Remote SSH using Back To My Mac

One of the less well publicised features of Apple’s iCloud service is Back To My Mac.

This service provides a private IPv6 network which you can use to securely connect all your Mac hosts.

To use BTMM you will need to upgrade all your Macs to OS X Lion and sign them all into the same Apple iCloud account. You will also need your unique BTMM account number.

When you are signed into iCloud you can discover your BTMM account number as follows:

$ dns-sd -E
Looking for recommended registration domains:
Timestamp     Recommended Registration domain
12:07:46.550  Added     (More)               local
12:07:46.550  Added                          icloud.com
                                             - > btmm
                                             - - > members
                                             - - - > 123456789

The final line shows your individual BTMM account number.

For example, if your Computer Name (set in System Preferences > Sharing) is mymac and your BTMM account number is 123456789, then the fully qualified domain name of the host is mymac.123456789.members.btmm.icloud.com.

If you have spaces in your Computer Name then replace them with dashes, e.g. “My Mac” becomes the hostname my-mac.

To test connectivity to your remote host use ping6, e.g.

ping6 mymac.123456789.members.btmm.icloud.com

To list all the SSH enabled hosts on your domain:

dns-sd -B _ssh._tcp

You would SSH into your host using this command:

ssh -2 -6 username@mymac.123456789.members.btmm.icloud.com

Note that you will only be able to communicate with the other hosts on your iCloud private network if the Mac you are using is also signed into the same iCloud account.

You can also use an open SSH connection to access your non-Apple hosts on your internal network by using SSH port forwarding. This tunnels the destination traffic over the BTMM private network via your remote Mac.

For example, if you have a web server running on a host with the IP address 192.168.1.2 then you can use this SSH command to set up a forwarded port:

ssh -2 -6 -L 8080:192.168.1.2:80 username@mymac.123456789.members.btmm.icloud.com

To access the remote host from your local machine you would go to http://127.0.0.1:8080/
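Rather than retyping the long BTMM name and the -6 / -L flags each time, the naming rule and the port forward above can be captured in an ssh_config stanza. The script below is an added example (not from the original post): it derives the host label from a Computer Name (spaces to dashes, as described above), builds the members.btmm.icloud.com name, and prints a Host block that pins IPv6 and carries the forward. The account number 123456789, user “username” and web server 192.168.1.2 are the post’s placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: derives the Back To My Mac hostname
# from a Computer Name and BTMM account number, and writes an ssh_config stanza
# that pins IPv6 (the -6 flag above) and carries the port forward. The account
# number 123456789, user "username" and web server 192.168.1.2 are placeholders.

# Computer Name -> BTMM host label: spaces become dashes, e.g. "My Mac" -> my-mac.
btmm_hostname() {
    printf '%s' "$1" | tr ' ' '-' | tr 'A-Z' 'a-z'
}

# Fully qualified BTMM name for Computer Name $1 and account number $2.
btmm_fqdn() {
    printf '%s.%s.members.btmm.icloud.com' "$(btmm_hostname "$1")" "$2"
}

# Print an ssh_config Host block: alias $1, Computer Name $2, account number $3,
# login user $4, and an optional LocalForward spec $5 ("8080 192.168.1.2:80").
# AddressFamily inet6 keeps ssh on the BTMM IPv6 network, like ssh -6.
btmm_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$(btmm_fqdn "$2" "$3")"
    printf '    User %s\n' "$4"
    printf '    AddressFamily inet6\n'
    if [ -n "$5" ]; then
        printf '    LocalForward %s\n' "$5"
    fi
}

# Stand-alone demo: stanza for the post's example host and web server forward,
# ready to append to ~/.ssh/config; afterwards "ssh homeweb" sets up the tunnel.
btmm_ssh_config homeweb "My Mac" 123456789 username "8080 192.168.1.2:80"
```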