coffeeClean

joined 11 months ago

cross-posted from: https://infosec.pub/post/11021006

The red padlock (at a cafe)


The captive portal of a cafe simply rendered a red padlock with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously.

Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not.

So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them.

TLS-encumbered captive portal (transit service)


A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

  • I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests. Maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

  • Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods


I guess I need to study:

  • ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
  • SSH tunnel
  • others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

  • MultiVNC - VNC over SSH
  • AVNC - VNC over SSH
  • ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
  • VX ConnectBot - same as ConnectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

Legal options


If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.
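The “red padlock” in the first post is the output of a captive-portal detector, and it helps to see what such a detector actually does before trying to reason about why it fails. The following is an added example, not code from the post or from Android: it implements the detection logic in the same shape as Android’s (fetch a known URL that should answer HTTP 204 with an empty body; a redirect, a login page or a dead connection means the probe was intercepted), and runs it against two tiny local HTTP servers that stand in for a clean network and for a portal. The hostnames, the `/generate_204` path and the portal login URL are constructed placeholders.

```python
"""
Captive-portal detection, the way Android-style connectivity checks do it:
request a URL whose correct answer is "204 No Content", and treat anything
else as interception.  Two local servers simulate a clean network and a
portal; no real network access is needed.  (Added example; the probe host,
path and portal URL are constructed placeholders, not real endpoints.)
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shaped like Android's connectivity check; the real detector fetches a
# vendor-hosted URL, this host header is a constructed placeholder.
PROBE_PATH = "/generate_204"
PROBE_HOST_HEADER = "connectivitycheck.example.invalid"
PORTAL_LOGIN = "http://portal.example.invalid/login"  # constructed


class CleanNetworkHandler(BaseHTTPRequestHandler):
    """Upstream reachable: the probe answers 204 with no body."""

    def do_GET(self):
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class CaptivePortalHandler(BaseHTTPRequestHandler):
    """Portal intercepts every request and redirects to its login page."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", PORTAL_LOGIN)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a throwaway port on loopback and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_server(srv):
    srv.shutdown()
    srv.server_close()


def probe(host, port, timeout=3.0):
    """Classify the network reached via host:port.

    Returns (verdict, detail): verdict is 'open', 'portal' or 'error';
    detail is the portal URL for a redirect, the HTTP status or the
    exception name otherwise.
    """
    conn = None
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", PROBE_PATH, headers={"Host": PROBE_HOST_HEADER})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status == 204 and not body:
            return ("open", resp.status)
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return ("portal", location)
        # Anything else (e.g. a 200 carrying a login page) is also interception.
        return ("portal", resp.status)
    except (OSError, http.client.HTTPException) as exc:
        # Refused/timed-out probes: the network is not letting the check through.
        return ("error", type(exc).__name__)
    finally:
        if conn is not None:
            conn.close()


def demo():
    """Run the probe against a clean network, a portal, and a dead port."""
    clean = start_server(CleanNetworkHandler)
    portal = start_server(CaptivePortalHandler)
    try:
        results = {
            "clean": probe(*clean.server_address),
            "portal": probe(*portal.server_address),
        }
    finally:
        stop_server(clean)
        stop_server(portal)
    # The now-closed port behaves like a network that drops the probe.
    results["closed"] = probe(*clean.server_address, timeout=1.0)
    return results


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print(f"{name:7s} -> {verdict} ({detail})")
```

The padlock case in the post corresponds to the “error” branch: the detector got neither a 204 nor a redirect it could display as a login page, so it had nothing to show but a denial. A portal that answers the probe over https with a TLS configuration the client cannot negotiate (the transit-service case) lands in the same branch from the client’s point of view, which is why both scenarios look like an arbitrary block with no words.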

[–] coffeeClean@infosec.pub 1 points 6 months ago* (last edited 6 months ago)

Isn’t this more easily fixed?

$ adb shell 'pm disable --user 13 com.google.android.gms'

grapheneOS and the like might work for the OP and anyone with a mainstream phone, but there are a lot of unsupported cheap obscure phones which are stuck with stock Android.

[–] coffeeClean@infosec.pub 34 points 6 months ago* (last edited 6 months ago)

The fun aspect to this is that some banks have forced customers to use an Android for all their banking ops. So:

① You’re late paying a bill
② Creditor locks your phone
③ You cannot access your bank to make the payment because your phone is locked

Brilliant.

[–] coffeeClean@infosec.pub 6 points 6 months ago (1 children)

You can check it’s installed (stock android) Settings > Apps > All Apps > three dot menu, Show system > search “DeviceLockController”.

Is that just a “feature” of recent AOS versions? AOS 5’s triple dot menu has nothing like “show system”.

[–] coffeeClean@infosec.pub 1 points 6 months ago* (last edited 6 months ago)

Is Wordpress a service? It seems to be software that apparently runs on other people’s property. So this is what I’m confused about. I write a blog that is served by a non-profit org and the software is apparently Wordpress. I don’t understand how the copyright on my work in this context would exempt Wordpress in any way.

(edit) This article clears it up → https://lifehacker.com/tech/the-difference-between-wordpress-and-wordpresscom

[–] coffeeClean@infosec.pub 8 points 7 months ago* (last edited 7 months ago)

You might want to crosspost your story to !uklaw@feddit.uk. But if you do that be clever with your phrasing so as to not seem to be asking for advice, but rather for information. E.g. is there any case law for this situation?

(I’m assuming you’re in the UK because other commenters focused on UK law)

[–] coffeeClean@infosec.pub 11 points 7 months ago

There really needs to be a resource where data subjects can pool their evidence and collaborate on GDPR actions against common data controllers.

[–] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

Thanks!

The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it Firstname.Lastname@yadayada.com or some variation of that, or was it more like commonNickname@yadayada.com? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).

I would love to see action taken against Reddit, if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case against a non-EU data controller would actually get results when the law is not really concrete. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.

I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.

From the email:

Per our lawyercats, we are not able to respond to further inquiries or questions.

I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact and to tell you your GDPR rights (IIUC). And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted. But note they do provide an address at the bottom of that msg. Although that angle of attack might require Reddit having a way to know you have ties to a GDPR region after they supposedly “deleted” your acct.

Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.

[–] coffeeClean@infosec.pub 1 points 7 months ago* (last edited 7 months ago) (1 children)

I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.

Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

[–] coffeeClean@infosec.pub 8 points 7 months ago* (last edited 7 months ago)

Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.

[–] coffeeClean@infosec.pub 2 points 7 months ago* (last edited 7 months ago) (3 children)

That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

The EC also says “an email address such as info@company.com” is not an example of personal data.

This should really be covered by an EDPB Guideline, but I’m not finding one.

[–] coffeeClean@infosec.pub 2 points 7 months ago* (last edited 7 months ago)

If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing.. it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam.. I do not have access to the Cloudflared image the OP posted).

(edit) more clarity here, hopefully → https://infosec.pub/comment/6975469


“Only because of that official investigation did Canadians learn that ‘over 5 million nonconsenting Canadians’ were scanned into Cadillac Fairview's database”. Wow.

This Wired article is contradictory. The spokesperson says:

“an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface”

I suppose it’s possible that a sloppy developer would name an executable Invenda.Vending.FacialRecognitionApp.exe which merely senses the presence of a face. But it seems like a baldfaced lie when you consider that:

“Invenda sales brochures that promised ‘the machines are capable of sending estimated ages and genders’ of every person who used the machines—without ever requesting consent.”

Boycott Mars


I already boycott Mars because they are a GMA member and they spent ~$500k lobbying against #GMO labeling -- and they have been blackballed for using child slave labor -- and Mars supports Russia. This is another good reason to #boycottMars.

Update


Apparently a LemmyBug replaced the article URL with a picture URL. The article is here:

https://www.wired.com/story/facial-recognition-vending-machine-error-investigation/

The vending machine pic is here:

https://infosec.pub/pictrs/image/2041d717-7cd7-4393-94f3-96aa87817aa7.jpeg


After working on a bicycle or an engine, hands covered in grease, I can confirm that coffee does the job. Spent coffee grounds are gritty like sand so they work amazingly well to get the grease off. I use a bar of soap at the same time which causes coffee grounds to get embedded in the bar. It’s a good thing too because it always helps to have the soap bar a bit gritty.

That much is proven for me.. been using coffee for years to wash greasy hands instead of buying the special purpose heavy-duty hand cleaners.

Coffee is now being used to make clothing and one of the claims is that it gives odor control. I’ve cut back to showering once per WEEK (a pandemic side-effect that became a habit). Even though I’m back to leaving the house regularly the shower habit did not change. So my armpits get quite rank after a week. 💡 If coffee grounds have a deodorizing effect, why not use them on arm pits? I’ve not heard of anyone doing this but thought it’d be worth a test.

So I brought spent coffee grounds into the shower and after one scrubbing with them my armpit odor was gone. Coffee grounds work better than shower gel. Normally I scrub with shower gel, rinse, & sniff. The first iteration is usually not enough.. I have to repeat that process 2 or 3 times with shower gel to get the stink off. Coffee grounds worked on just one iteration. I think what happens is the deodorant is sticky & waxy which then gets coated with sweat then the sweat-loving bacteria. The abrasive grit from the coffee grounds scrapes the sticky waxy nasties away faster than soap can dissolve it.

Coffee seems to work on its own but I only did this experiment once so far so I followed with shower gel anyway for good measure.

(stop reading at this point)

nsfw begin

Of course arm pits aren’t the only area that stinks after a week. The groin doesn’t smell too good either. What develops to maturity is what’s called cock cheese¹. I’m not flexible enough to do a proper scientific test. The nose-crotch proximity is what it is. It stunk before the coffee treatment but not after. So it worked at least to the extent that I could confirm. I guess my next partner will have the noble scientific task of assisting with the close proximity sniff test mid-shower and indicate whether shower gel is still needed.

footnotes:

  1. Sorry folks. Indeed it’s not the most elegant nomenclature. IMO there’s a language deficiency here. That’s the only name the stuff has AFAIK. Be sure to forget that term whenever you’re eating cheese. Or alternatively it may not be a bad idea to just cut cheese out of your diet at this point.¯\_(ツ)_/¯ You were warned.

nsfw end
