Green and Blue Bubbles Again

Some disreputable right-wing rag is pushing the Google-paid-ad conspiracy theory that Apple promotes bullying to get kids to prefer blue bubbles and iMessage to green bubbles in Android trash. Whenever this comes up, the mainstream rags never mention the real difference: Security vs. insecurity, encryption vs. everyone in the world able to read your messages.

Preferring blue bubbles is good behavior, whether kids know it or not. iMessage is end-to-end encrypted; your messages never even touch Apple’s servers in plaintext. Anything you send, you know only the person you sent it to can ever read it. (Note: you should not use iCloud backups, because those WILL store logs in plaintext.)

A green bubble means it’s insecure SMS; it can be read by cops, the phone company, anyone with a “Stingray” radio packet decoder in the area, and anyone who’s SIM-cloned your device, which can be as simple as a single phone call to the carrier. Google is criminally negligent still shipping SMS as their “IM” in 2022.

Use iMessage if you can, Signal, Telegram, LINE if not.

Don’t use WhatsApp, it’s owned by Facebook and just as bad spyware as anything owned by Google.

Verizon Spyware

Verizon’s just turned on something they call “Custom Experience”, which is tracking everything you do over their connection.

So go into your account (you’ll have to do this on the web, because the mobile site just dumps you back to the home page), then Privacy Settings, and disable every last switch in there.

Living in a post-apocalyptic dystopia is getting less and less comfortable every day. Pretty soon we’re gonna have to burn every corp to the ground and shoot the scatterlings as they flee. Ha ha. (Plausible deniability that that’s just a morbid joke, and not an action plan for New Year’s. See you there.)

When View Source is Outlawed…

… only outlaws will have View Source.

  • mhoye post: Google is pushing thru disabling View Source in Chrome.

I’m impressed but unsurprised that nobody at Google said “wait, is this the right thing to do?”, because of course they didn’t, they’re at Google, they already failed any moral test.

Like every nerd of a certain age, I learned web dev by doing View Source, and to this day it’s my basic tool for finding out how/why/stop doing a thing on a site. Safari’s inspector hasn’t been crippled yet; given Little Timmy “Apple” Cook’s bullshit about platform lockdown lately, I’m concerned.

So, this aggression will not stand, man.

I have a View Source bookmarklet which works fine in Mobile Safari and Chromium. It’s only inline, and you have to copy-paste into a real editor to do much, but it gives you the site’s content. They can’t stop you.

wget or curl are useful ways of grabbing a page and all its resources.

Of course the real l33t h4xx0rz know:

% telnet foo 80
GET / HTTP/1.1
Host: foo<ENTER><ENTER>

Or you can make stelnet for https sites (thanks to @feld for the )

% echo 'openssl s_client -connect "$1:$2"' >bin/stelnet
% chmod 755 bin/stelnet
% stelnet foo 443
GET / HTTP/1.1
Host: foo<ENTER><ENTER>

Fuck those guys.

Keychain Access Regression

In OS X before Mojave, Keychain Access had a full Preferences screen, and let you put an icon in the menu bar. Most importantly, from that icon you could Lock Screen instantly and securely.

Well, here’s the Preferences now:

[image: keychain_access-mojave]

And there’s no way to restore this or get equivalent functionality.

I noticed this because the screen saver didn’t engage in its hot corner, so I went to look for a safe lock, and now… what am I supposed to do?

Goddamn it, Apple. Did you rewrite some shit in Swift and that’s why nothing works and security has been job NaN since Leopard?

[Update: As noted by @tewha, There is now a lock screen entry under  menu, where nobody ever looks for anything, and it has a shortcut, which is an improvement. I take back nothing about Keychain Access being wrecked.]

Bruce Schneier r/IAmA, and Five Eyes Backdoor Bullshit

This “just give us a secure backdoor!” bullshit is just infuriating to anyone who can think.

Any programmer can write a new crypto program without the officially mandated backdoor. Even if the Stasi5 banned all existing interpreters and compilers (and watch the economy burn when we can’t write any programs), we could rewrite a crypto program in assembly, type character codes into a text editor, save it and run it with a buffer overflow, and now we could communicate securely, while everyone else was completely exposed. Banning all computers? You’d also have to ban all electronics that could be used to make a new computer. Starting a new Dark Age with a Butlerian Jihad burning all computers is literally the only way to stop people from having strong cryptography.

The only purpose of the “secure backdoor” is to let governments spy on law-abiding citizens. It can serve no other purpose. Time for us to end the “intelligence” agencies and set up something new.

That_one_Pizza: “Your opinion on pineapple on pizza?”
BruceSchneier: “The 1973 Council of Naples authorized fourteen pizza toppings, and pineapple was not one of them.”

Hawaiian Pizza: The pizza of rebels. Never let the Man tell you what you can have on your ‘za.

The Wolf

These are amazing. The most overwrought, insane, semi-plausible haxxoring through shitty wireless printers. Great production values, reasonably well scripted. I’m always inclined to favor Slater’s side in a movie, especially as a prankster/villain. ★★★★½ and I’m excited to watch more of these ads.

Their previous “The Fixer” series with Mike from Breaking Bad was awful, he can’t even pronounce half the technology.

Obviously, no sane person would run a wireless printer and expect it to be safe. Also no sane person would run an immune-deficiency Windows box, HP or not, and expect it to be safe. Get a Mac, or install FreeBSD, OpenBSD, or OpenIndiana in lieu of Solaris, or if you really hate yourself, Linux (inevitable comment: “well, actually, it’s GNU/Linux ahem may I show you my fedora collection”). At one time HP-UX was good, but that was a long time ago.

ESLint Security Incident

Happily, the version my installed eslint contains is later:

% npm info eslint|grep scope
eslint-scope: ^4.0.0

Interesting attack: Collect one bad password, use that to get someone’s npm credentials, push a virus that uploads more peoples’ npm credentials. Soon they could have had every package infected. Only being watchful prevented catastrophe.
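Added example, not from the post: `npm info` reports the dependency range the registry advertises for eslint, but the thing that matters is which eslint-scope a project has actually resolved. This checks the lockfile directly; the lockfile is constructed in the npm lockfile-v1 layout, and the “bad” version string is a placeholder, not the real compromised release.

```shell
#!/bin/sh
# Added example. The package-lock.json below is constructed for illustration.
LOCK=$(mktemp)
cat >"$LOCK" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 1,
  "dependencies": {
    "eslint": {
      "version": "5.1.0",
      "requires": {
        "eslint-scope": "^4.0.0"
      }
    },
    "eslint-scope": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-4.0.0.tgz"
    }
  }
}
EOF

# resolved_version LOCKFILE PACKAGE -> version of the first entry for PACKAGE
# (a nested copy under another package's "dependencies" would appear later)
resolved_version() {
  awk -v key="\"$2\": {" '
    index($0, key)          { inside = 1; next }
    inside && /"version":/  { gsub(/[",]/, "", $2); print $2; exit }
  ' "$1"
}

# is_known_bad LOCKFILE PACKAGE VERSION... -> exit 0 if the resolved version
# is one of the listed known-bad versions, 1 otherwise
is_known_bad() {
  lock=$1; pkg=$2; shift 2
  have=$(resolved_version "$lock" "$pkg")
  for bad in "$@"; do
    [ "$have" = "$bad" ] && return 0
  done
  return 1
}

# On a real checkout the same question is answered by: npm ls eslint-scope
resolved_version "$LOCK" eslint-scope
if is_known_bad "$LOCK" eslint-scope "0.0.0-PLACEHOLDER-BAD"; then
  echo "eslint-scope: known-bad version present"
else
  echo "eslint-scope: not a known-bad version"
fi
```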

Repeating my Password lesson: Use strong passwords. Do not ever reuse passwords.

The HTTP Sky Is Falling, Says Chicken Little

Dave’s explanation is just absolutely wrong, and he has to know this, he’s lying to frighten you away from security; I don’t know why. Google’s not planning censorship, just a warning being provided that a site taking your personal information is not secure.

Will this break plain HTTP sites?
No. HTTP sites will continue to work; we currently have no plans to block them in Chrome. All that will change is the security indicator(s).
Chromium: Marking HTTP as Non-Secure

Even if Google Don’t Be Evil was Evil, you could still use Free-as-in-Drugs Firefox or whatever, and can just use curl to archive sites, or even by hand:

% telnet example.com 80
GET / HTTP/1.1
Host: example.com
(hit return twice, ctrl-D to end)
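This by-hand fetch and the telnet/stelnet session in the View Source post above both depend on the same detail: a correctly formed HTTP/1.1 request (Host: header, CRLF line endings). Added example, not the post’s own code: a POSIX shell version that builds that request and wraps openssl s_client the way stelnet does, adding -servername so SNI hosts present the right certificate; the -quiet flag and the fetch_https helper are my additions.

```shell
#!/bin/sh
# Added example, not the post's own code.

# http_request HOST [PATH] -> raw request on stdout. HTTP/1.1 requires a
# Host: header and CRLF line endings; "Connection: close" makes the server
# hang up after one response instead of leaving the session waiting.
http_request() {
  host=$1
  path=${2:-/}
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# stelnet HOST PORT -> raw TLS session. -servername sends SNI so virtual
# hosts and CDNs present the right certificate; -quiet drops the handshake
# chatter and keeps reading until the server closes the connection.
stelnet() {
  openssl s_client -quiet -servername "$1" -connect "$1:$2"
}

# fetch_https HOST [PATH] -> the server's raw response (needs network access)
fetch_https() {
  http_request "$1" "$2" | stelnet "$1" 443 2>/dev/null
}

# Show the exact bytes that go over the wire, CRs included.
http_request example.com / | od -c
```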

But you shouldn’t be trusting anything you see or entering anything on an HTTP page.

If you connect to a site over HTTP and you do not fully control the wires from your computer to the server, that site can be spoofed and spied on. If you use public wifi to talk to HTTP, your logins and credit cards WILL be stolen. Guaranteed, some jackass in your Starbucks is wiresharking your connection.

Even if you think you have a secure connection, anyone on the routers between you and the server can read your connection. Routers are not secure, they have been routinely compromised.

The only protection you have against these “Man in the Middle” attacks is TLS (successor to SSL), using HTTPS instead of HTTP, SSH instead of telnet, SFTP instead of FTP, emailing with MIME and SMTP over TLS instead of unsecured ports, iMessage or Signal instead of IRC or Twitter & Facebook “direct messages” (which have never been hidden from their staff).

In the early days of the ARPAnet and Internet, there was no security and we couldn’t do much about it, but to resist warning people about insecure sites now is irresponsible.

Password

So first, and most importantly, never reuse passwords, no matter how trivial. Eventually any company will screw up or be hacked, and your password exposed, and then someone can try it on every other site.

Second, use a password manager for every password. I use 1Password, but other options are available. Don’t write passwords on paper, unless that paper is stored in a safe (and then where do you store the combination?). Never write your passwords on a whiteboard! Never speak your passwords aloud!

Third, use a strong password, not 12345. 1Password will offer to generate a three-word password for you. I take that and often modify it, then save.

Fourth, keep your password vault safe: Put a good password (not just a number code) on your phone, always lock it and set it to autolock immediately, put a good password on 1Password, memorize that, write it NOWHERE.

Fifth, secure your devices. TouchID is a great convenience and a “tinsel lock” to keep semi-honest people from poking around in your phone, but it can be used against your will. When I go out, I turn off TouchID so pigs or other armed criminals can’t force me to unlock my phone, and from there get to my password vault. If it’s on, you can restart the iPhone quickly by holding power and home, and then TouchID is turned off.

On your computer, 1Password should always ask for a password, but it’s also a good idea to lock the screen whenever you’re away from it. On the Mac, open Keychain Access with Spotlight, Preferences, turn on “Show keychain status in menu bar”. Now you can just click the lock in the menu bar, Lock Screen, and you’re safe.

So you end up with defense in depth here: A strong unique password on each site. A secure password vault. And a secure device holding that vault. That’s not paranoia, it’s how you secure your data.
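Added example for the third step above, not from the post and not 1Password’s code: a three-word passphrase generator of the kind the post describes, with the arithmetic that says how strong the result is. The word list is a constructed ten-word stand-in; a real diceware-style list has thousands of words, and the strength depends entirely on that size.

```shell
#!/bin/sh
# Added example. WORDS is a constructed stand-in for a real word list.
WORDS="correct horse battery staple orbit velvet cactus lantern marble quartz"
WORD_COUNT=$(echo "$WORDS" | wc -w | tr -d ' ')

# rand_below N -> uniform integer in [0, N) from /dev/urandom. Values in
# the final partial block are rejected so "x mod N" carries no bias.
rand_below() {
  n=$1
  limit=$(( (4294967296 / n) * n ))
  while :; do
    x=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    [ "$x" -lt "$limit" ] && { echo $(( x % n )); return; }
  done
}

# nth_word I -> the I-th word (0-based) of WORDS
nth_word() {
  echo "$WORDS" | tr ' ' '\n' | sed -n "$(( $1 + 1 ))p"
}

# passphrase [K] -> K random words joined by '-', three by default
passphrase() {
  k=${1:-3}
  out=""
  i=0
  while [ "$i" -lt "$k" ]; do
    w=$(nth_word "$(rand_below "$WORD_COUNT")")
    out="${out:+$out-}$w"
    i=$(( i + 1 ))
  done
  echo "$out"
}

# entropy_bits K LISTSIZE -> K * log2(LISTSIZE), one decimal place
entropy_bits() {
  awk -v k="$1" -v s="$2" 'BEGIN { printf "%.1f\n", k * log(s) / log(2) }'
}

passphrase
entropy_bits 3 "$WORD_COUNT"   # ten-word list: only about 10 bits, useless
entropy_bits 3 7776            # 7776-word diceware list: about 38.8 bits
```

Three words from a short list are a weak password no matter how random the draw; the entropy line is the number to watch before trusting a generated passphrase.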