Blog

Are WiFi Network Names Protected by the First Amendment?

Posted by Dave Cahill on Apr 23, 2018 in Internet | 0 comments

Are WiFi Network Names Protected by the First Amendment?

Written by Catalin Cimpanu / Courtesy of Bleeping Computer

Michigan police were called at a Planet Fitness gym earlier this month to investigate a bomb threat that ended up being only a prank after a naughty user named his WiFi network “Remote Detonator.”

The gym patron spotted the suspicious WiFi network name and called the police, following the gym’s normal procedures. The gym re-opened the same day, three hours later, after bomb-sniffing dogs swept the building without finding any explosive devices.

“Everything is perfectly legal from a police standpoint,” Saginaw Township Police Chief Donald Pussehl told a local paper.

“There was no crime or threat. No call saying there was a bomb,” the chief said, revealing there would be no legal repercussions on the prankster, as the WiFi name falls under what is considered “protected speech” under the First Amendment.

WiFi network names and the First Amendment

But we at Bleeping Computer wanted to confirm the Saginaw Township Police Chief’s statement and discover if WiFi network names do really fall under the First Amendment. So we asked one of the leading law firms specialized in free speech cases, the Walters Law Group, the firm behind the FirstAmendment.com website.

“All speech that is intended to convey a message is presumed to be protected by the First Amendment,” a spokesperson for the Walters Law Group told Bleeping Computer earlier this week via email.

“This can get complicated with identifiers like telephone numbers, addresses, or domain names, which typically do not enjoy First Amendment protection,” the spokesperson said. “But there are exceptions.”

“A domain name could be both convey a message and identify a location at the same time. The same goes for a WiFi network name,” he said. “While typically used to identify a network, the chosen name could be used to convey a message of humor, politics, or even danger.”

There are limitations to WiFi network names

“While I am aware of no case that specifically addresses WiFi network names, I believe that each situation would turn on the facts, to determine whether the First Amendment applied,” the spokesperson told us regarding cases where pranksters take WiFi network naming a little bit too far.

Situations like these happened in the past. For example, in 2016, a passenger on a Qantas flight had named his WiFi hotspot “Mobile Detonation Device,” which grounded a flight for hours before it was cleared to take off.

In 2017, a Turkish Airlines airplane made an emergency landing at a Sudan airport after a passenger discovered a WiFi network created by another passenger named “Bomb on board.”

Individuals can create personal WiFi networks on devices such as laptops and mobile phones, and name them what they want. Authorities weren’t able to identify any of the pranksters behind the 2016 and 2017 incidents.

But pranks like these, in places like airplanes and airports, can lead to legal consequences, despite being just jokes.

“Even if constitutional protection was afforded, there are limits imposed on speech which constitutes a true threat, or incites imminent lawless action,” the Walters Law Group spokesperson said. “But the simple naming of a WiFi network would not likely rise to the level of a threat or incitement.”

So, all in all, the First Amendment does apply to WiFi network names. You can use them to convey a message, as long as you don’t use them for threats.

Nonetheless, it’s an extremely bad idea to name a WiFi network “detonation device” on an airplane, because if identified, you can still stand criminal charges or a civil lawsuit from the airline wanting to recoup losses from lost business caused by flight delays. In the end, the DBAD rule applies.

Read the original article over at BleepingComputer.com.

Apple memo warning employees about leaking gets leaked

Posted by Dave Cahill on Apr 14, 2018 in Mac / Apple | 0 comments

Apple memo warning employees about leaking gets leaked

Apple warns leakers that “they’re getting caught faster than ever.”

Written by Cyrus Farivar / Courtesy of ArsTechnica

Apple recently sent a lengthy memo warning employees about leaking. As you might have guessed, that memo got leaked.

On Friday, Bloomberg News published what it described as an “internal blog” post in full. The memo warned that Apple “employees, contractors, or suppliers—do get caught, and they’re getting caught faster than ever.”

The post also reportedly noted that, “in some cases,” leakers “face jail time and massive fines for network intrusion and theft of trade secrets both classified as federal crimes,” adding that, in 2017, “Apple caught 29 leakers, and of those, 12 were arrested.”

It is not clear what precise charges those arrested face.

Leaks are nothing new for Apple or any other Silicon Valley firm, but they have been particularly abundant at Apple of late. As recently as February 2018, Apple’s iBoot code was posted to GitHub. Last September, iPhone X specs were also leaked. In June 2012, an AT&T executive admitted to leaking Apple-related information to investors. Many leaks, like news about Apple working on its own processors and developing a way to make macOS and iOS software interoperable, have appeared in Bloomberg, which published this leak as well.

Also in 2012, Ars spoke with anonymous Apple employees, one of whom suggested that fully protecting against leaks is practically a losing battle.

“You’ve got thousands of people working on manufacturing something who have no vested interest in keeping it secret,” one employee said, adding that he believes leaks will continue to increase as Apple ramps up overseas manufacturing operations. “It will be increasingly hard to hide the industrial design we do because we manufacture things overseas. Since we don’t do it in the US, it may be hard to surprise people over anything in the future.”

Way back in 2006, Ars reported on a California state appellate court decision that found in favor of Apple-leaking sites—the company could not force them to reveal their sources, citing California’s journalist shield law.

Apple did not immediately respond to Ars’ request for comment.

The US Attorney’s Office for the Northern District of California did not immediately respond to Ars’ request for comment either.

“I have reached out to our high-tech crimes unit for additional information, and I will be happy to relay that to you upon receipt,” Terry Lynn Harman, an assistant district attorney in Santa Clara County (where Apple is based), emailed Ars.

Read the original article over at ArsTechnica.com.

Forget Facebook — your body emits data that could be used to read your emotions, check your health, and track aggression

Posted by Dave Cahill on Apr 13, 2018 in Privacy, Technology | 0 comments

Forget Facebook — your body emits data that could be used to read your emotions, check your health, and track aggression

Spy cameras could soon know what we’re thinking and feeling simply by scanning our BODIES – and there may be no way to opt-out

Written by Ariel Schwartz / Courtesy of Business Insider

• Forget Facebook’s data-sharing. New technologies could soon make it possible for companies and institutions to passively track your emotions and health.
• Poppy Crum, the chief scientist at Dolby Labs, discussed these technologies during a talk at the annual TED Conference in Vancouver, Canada.
• “Imagine a high-school counselor realizing that outwardly cheery student is having a hard time…or the authorities knowing the difference between a mental health crisis and another kind of aggression,” she said.

Even if you opt out of Facebook and all it’s data-sharing tendencies, avoid using a smartphone, and generally stay off the internet, you’re still emitting data every second of every day. As Poppy Crum, the chief scientist at Dolby Labs, demonstrated during a talk at the annual TED Conference in Vancouver, Canada, new technologies could soon make it possible for companies and institutions to track your emotions and health using this data.

While onstage, Crum showed the audience a frightening video. She then offered up a data visualization showing the carbon dioxide exhaled by people in the theater while the video played.

Crum had, it turned out, been tracking the audience’s carbon dioxide emissions. “You can see where some of us jumped as a deep red cloud. It’s our collective suspense creating a spike in CO2,” she said.

This is the kind of passive data collection technology, according to Crum, that could one day be used to reveal our inner lives to teachers, doctors, and of course, corporations.

“Imagine a high-school counselor realizing that outwardly cheery student is having a hard time…or the authorities knowing the difference between a mental health crisis and another kind of aggression,” she said.

Crum, a neurophysiologist by training, does related research in her day job. At Dolby, she studies how people watch movies using EEG caps, pulse oximeters, trackers that measure heart rate and sweat response, and thermal imaging cameras. The idea, according to The Verge, is to answer a variety of questions that could be used to change the ways films and TV shows are made, including what kinds of scenes cause people to sweat, fall asleep, or get nervous.

Crum believes this kind of technology could eventually be pervasive in our everyday lives. And while some might see it as an invasion of privacy, she thinks it will be used for good — if we let it.

When TED first approached her about doing a talk, Crum said she wanted to focus on something that isn’t talked about enough: how it’s now possible to objectify our internal states, making seemingly subjective unknowns (like emotion) quantifiable.

“Today’s talk was about sensors in the world that can pick things up without our agency. There are so many opportunities right now for tech to know these things about us, and it’s not always bad,” she told Business Insider after she got offstage.

In practice, she says, this could mean allowing healthcare providers access to speech data that could detect diseases (speech changes can be a sign of Alzheimer’s, for example) or letting teachers have access to information about how students are reacting to certain lessons.

Crum also brought up an example from her work life. “I almost never take phone meetings that don’t involve video. In a highly male workplace, it’s easy for females to be construed as aggressive and not assertive on the phone.” It could be useful, she suggested, for passive data-tracking technology to pick up emotions during these types of meetings so that nothing is misconstrued.

“It’s not that we [need to be] sharing everything, but how do you make sure people have understood you, that they’ve been able to take away the message you’re trying to share?” she said.

The privacy implications for this kind of data-tracking are enormous. Crum is an advocate for regulation — and getting out ahead of data-tracking technologies before they become pervasive.

“Your devices will know more about you than you will,” she said. “I believe we need to think about how [the technology] could be used.”

Read the original article over at BusinessInsider.com.

Gmail.com redesign leaks, looks pretty incredible

Posted by Dave Cahill on Apr 12, 2018 in Internet | 0 comments

Gmail.com redesign leaks, looks pretty incredible

Add-ons let you use Google Calendar while writing emails? Genius!

Written by Ron Amadeo / Courtesy of ArsTechnica

Red alert, people! Gmail is being redesigned. Google sent out an email to G Suite administrators warning them a “fresh, clean look” would be coming to Gmail.com soon. Shortly after the email went out, leaked pictures of the design were posted to Android Authority and The Verge, so we have a ton of pictures to obsess over. So let’s dive in.

The existing Gmail for Web design is one of Google’s oldest, dating all the way back to 2011. While some Google services seem to get a redesign every year or two (like YouTube) the lack of a redesign for Gmail always felt more like it stemmed from a “fear of screwing it up” than anything else. Some people who live inside Gmail will be very vocal if Google breaks anything. Even the 2011 redesign did not go over well.

Thankfully, one of Google’s most popular productivity apps is not turning into a whitespace-infused nightmare hellscape (like say, Google Inbox). The layout is mostly the same as the existing Gmail.com, and, just like today, there are three information density settings to choose from. The new Gmail really does seem fine on the whitespace front.

What we are getting is a lot of new functionality. Gmail is pulling in a few features from its sibling, Google Inbox. First there’s a new “snooze” feature, which lets you remove an email from your inbox for a set amount of time. Second, Gmail.com is getting Smart Replies, which offer up machine-learning-generated replies to your emails that you can send with a single click.

Next, it looks like Google is finally building some plugins for the “Gmail Add-ons” feature that was launched last October. Add-ons live in Gmail as vertical strip of icons on the right side of the window, offering pop-up panes that can pull in information from other apps. While the existing add-ons are all third-party services like Trello or Asana, with the redesign Google is adding Google Keep, Google Calendar, and Google Tasks integration.

Bringing your calendar information up right inside Gmail sounds amazing for scheduling events and meetings, and hopefully the calendar will be smart enough to automatically show any relevant dates mentioned in the email. Google Keep looks like it will just be the regular stream of Keep notes, which will be nice for updating any to-do lists you have stored on there.

Google Tasks exists today as a panel inside of Gmail and as an absolutely ancient website, but it seems like the neglected service is getting a revamp along with the Gmail redesign. The standalone website looks like it will be getting updated, too, as a new logo and some other changes were spotted by Android Police last month. The problem with Tasks is that it is just a checklist, which seems a bit redundant with Google Keep. It typically has never communicated with any other Google service (reminders and calendar integration would be nice!) and lacks a smartphone app, which makes Tasks really tough to use. We’ll have to see just how thorough this revamp is.

Other stuff

Besides the new features, there are a lot of small design changes, many of which seemingly conform with the theorized “Material Design 2” changes seen in Android P. The font for the interface is changing from Arial to Product Sans—the same font used in the Google and Alphabet logos—while messages are using Google’s Roboto font. Just like Android P, there are lots of round or pill-shaped UI elements. The compose button is a pill, along with the pink inbox selection highlight. I would have expected the search bar to change to a pill shape just like every search bar in Android P, but for now it is still a rectangle.

There’s a hamburger button in the top left, which will probably open and close the navigation panel, just like on Google Inbox. The logo is also back to “Gmail” now; currently it just says “Google.”

The next important question to be answered will be the number of options and settings that survive the redesign change. Will “labs” features be removed? Google does constantly warn that Labs features “may change, break or disappear at any time.” Will all the settings still be there? Will there still be dark themes? In its letter to G Suite admins, Google already warned some Gmail-focused Chrome extensions may break. Thankfully, the design rollout will be opt-in for some time, so hopefully everyone can get their ducks in a row before the mandatory launch.

Google says the new design will arrive “in the coming weeks.” I’d pencil it in for a Google I/O launch.

Read the original article over at ArsTechnica.com.

Thousands of hacked websites are infecting visitors with malware

Posted by Dave Cahill on Apr 11, 2018 in Privacy, Security News | 0 comments

Thousands of hacked websites are infecting visitors with malware

Unusually advanced campaign infects people visiting a variety of poorly secured sites.

Written by Dan Goodin / Courtesy of ArsTechnica

Thousands of hacked websites have become unwitting participants in an advanced scheme that uses fake update notifications to install banking malware and remote access trojans on visitors’ computers, a computer researcher said Tuesday.

The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace. That’s according to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes. The hackers, he wrote, cause the sites to display authentic-appearing messages to a narrowly targeted number of visitors that, depending on the browsers they’re using, instruct them to install updates for Firefox, Chrome, or Flash.

To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. Another testament to the attackers’ resourcefulness: the update templates are hosted on hacked websites, while the carefully selected targets who fall for the scam download a malicious JavaScript file from DropBox. The JavaScript further checks potential marks for virtual machines and sandboxes before delivering its final payload. The resulting executable file is signed by an operating-system-trusted digital certificate that further gives the fake notifications the appearance of legitimacy.

“This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file-hosting service,” Segura wrote. “The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques.”

Flying under the radar

The attackers also fly under the radar by using highly obfuscated JavaScript. Among the malicious software installed in the campaign was the Chthonic banking malware and a trojanized version of the NetSupport commercial remote access application.

Malwarebytes was unable to determine precisely how many sites have been compromised. Using a simple crawler script, researchers identified several hundred compromised WordPress and Joomla sites, leading them to estimate there were thousands of such infections. This query on source code search engine PublicWWW revealed slightly more than 900 infected SquareSpace sites earlier Tuesday. At the time this post went live, the number had fallen to 774. This post from independent security researcher BroadAnalysis shows the campaign started no later than December 20. The sites were hacked because operators failed to install available security updates or possibly didn’t follow other basic security measures, Segura said.

Other Internet posts show the campaign in action as well. This Twitter thread from last month documents two compromised SquareSpace sites. A February 28 post on a SquareSpace support forum reports yet another compromise, with another site maintainer experiencing the same thing almost two weeks later.

Campaigns that use compromised websites to prey on visitors have grown increasingly common over the past decade. Typically, they’re used in computer support scams that try to trick people into paying to fix nonexistent computer problems. More recently, compromised websites have been used to install ransomware or malware that surreptitiously mines cryptocurrency. The ability for this fake update scam to remain hidden for at least four months, coupled with its embrace of banking malware and backdoor Trojans, makes it stand out.

“The cloaking used in this campaign is what drew our attention because it sets it apart from other infection chains that are much less sophisticated and easier to identify and block,” Segura told Ars. “Another interesting aspect is the fact that such fake updates are typically distributed via malvertising, which is usually cheaper. As of recently, one of the more popular payloads from compromised sites was the tech support scams via browser lockers. We are starting to see a trend for much more serious malware, such as stealers and remote administration tools in this case.”

Read the original article courtesy of ArsTechnica.com.

Avoid Windows 10 crapware: How to get rid of Candy Crush and all the rest

Posted by Dave Cahill on Apr 9, 2018 in Windows | 0 comments

Avoid Windows 10 crapware: How to get rid of Candy Crush and all the rest

If you’ve installed a fresh copy of Windows 10 Pro lately, you’ve probably been unpleasantly surprised by the decidedly un-businesslike games and consumer apps splattered on the Start screen. Here are two ways to avoid installing Candy Crush and its companions in the first place.

Written by Ed Bott / Courtesy of ZDNet

When you install Windows 10 Pro on a new PC and sign in with a local account or a Microsoft account, you get access to all the professional features that you’d expect from a business-class PC operating system.

You also get some unexpected apps splattered onto your Start menu whether you want them or not, including Candy Crush Soda Saga, Bubble Witch 3 Saga, and March of Empires.

These apps appear when you sign into Windows 10 Home or Pro with a local or Microsoft account.

The adjacent screenshot shows the apps that were pushed to my PC after I installed a near final build of Windows 10 Pro, version 1803, and signed in with a local account.

In addition to those three games, Windows 10 downloaded Disney’s Magic Kingdoms, Autodesk SketchBook, Dolby Access (offering a free trial of the Atmos surround-sound technology, with the option to pay $15 after the trial period ends), and Spotify Music.

If you’re staring at that assortment of apps on a business PC and thinking it looks a lot like crapware, I’m not going to argue with you.

Those apps are preinstalled for purely financial reasons, with the app developers and Microsoft banking on the fact that some percentage of Windows 10 customers will run each app and pay for some sort of extra, like a Spotify music subscription. Microsoft, of course, gets a piece of the action.

Don’t say that they didn’t warn you. In every quarterly and annual report since mid-2015, Microsoft has reminded shareholders and customers that its business plan for Windows 10 includes “new post-license monetization opportunities beyond initial license revenues.”

This is a particularly in-your-face example of that monetization strategy.

It’s also unfortunate that Microsoft is resorting to some of the same behavior it criticized its OEM partners for a few years ago.

All of those apps can be uninstalled fairly easily, of course. Because they’re Store apps, they can’t install performance-damaging system files or run processes at startup. Aside from consuming a few megabytes of storage, these preinstalled apps don’t even have a trivial impact on system performance.

But it’s still annoying that those decidedly un-businesslike game icons have to be removed manually after you’ve paid a $100 upcharge for Windows 10 Pro.

So how do you avoid having that assortment of apps installed in the first place? Two options are fully supported; not surprisingly, each assumes that you’re paying Microsoft for an additional business product or service.

• Option 1: Install Windows 10 Enterprise and sign in with any account type. If you don’t have a Windows Volume License subscription, you can pay $7 per month for an E3 subscription.
• Option 2: Install Windows 10 Pro and sign in using either Active Directory credentials on a Windows domain or Azure Active Directory credentials, such as those associated with an Office 365 Business or Enterprise subscription.

Using either of those options results in a different set of additional apps being installed.

There is, of course, a theoretical anti-crapware argument that some have with any additional apps being installed as part of setting up a new account. But this assortment, at least, feels like it has more of an emphasis on productivity.

Of the eight apps, three were developed by Microsoft and are free: Remote Desktop, Bing Translator, and Office Sway. The others are a grab bag of utilities and productivity tools: Adobe Photoshop Express; Network Speed Test; Eclipse Manager, a free project tracker that offers a $1.99 a month Eclipse Pro subscription; Code Writer, a free text and code editor (shown below); and the language learning tool Duolingo.

If you have an older Windows 10 version than 1803, you might see Power BI (another Microsoft product) or Pandora.

As with the consumer-focused apps, you can uninstall or hide these extra apps with just a few clicks: Scroll through the Apps list on the Start menu until you find the icon of the unwanted app, and then right-click that icon and click Uninstall.

Of course, if you’re deploying Windows 10 Pro or Enterprise in a large organization, you have access to specialized tools that let you build a custom image with only the apps you want your users to have. Those without a crew of IT overlords will just have to stay on the lookout for new crapware variants.

Read the original article over at ZDNet.com.

The dots do matter: how to scam a Gmail user

Posted by Dave Cahill on Apr 9, 2018 in Internet, Privacy, Security News | 0 comments

The dots do matter: how to scam a Gmail user

Written by James Fisher

I recently received an email from Netflix which nearly caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature. Finally I’ll suggest some ways the Gmail team can combat such scams in future. But first, I’ll show you the email:

“Odd,” I thought, “but OK, I’ll check.” The email is genuinely from netflix.com, so I clicked the authenticated link to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?

I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”:

If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address:

• john.smith@gmail.com
• jo.hn.sm.ith@gmail.com
• j.o.h.n.s.m.i.t.h@gmail.com

Netflix does not know about this Gmail “feature”. Externally, jameshfisher@gmail.com and james.hfisher@gmail.com are different identities, and should have their own Netflix accounts. I signed up for Netflix account N1 backed by jameshfisher@gmail.com in 2013. But in September 2017, someone, let’s call her “Eve”, created a new Netflix account N2, backed by james.hfisher@gmail.com.

Eve has access to account N2 because she set its password when signing up, but I also have access to the account because I own james.hfisher@gmail.com, and so I can follow the password reset process for this account. I did so.

Eve loves her TV! She’s watched 587 titles in six months, all from her “Android Device” in Alabama. She watched three seasons of Trailer Park Boys over a single day in October. She consumed nearly every day until 22nd March, when Netflix put her account “on hold” due to payment failure. Eve had paid for these shows. She paid $13.99 every month for her Premium plan, until February when her card **** 2745 (also billed to Huntsville, Alabama) was declined.

Perhaps this was all a mistake? Perhaps Eve is actually one of the twelve James Fishers in Huntsville, AL, and perhaps he typed his email address in wrong when he signed up months ago. Netflix doesn’t do any email address verification when you sign up; you can start watching shows straight away.

But perhaps this was not a mistake but a scam. I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:

1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
2. Create a Netflix account with address james.hfisher.
3. Sign up for free trial with a throwaway card number.
4. After Netflix applies the “active card check”, cancel the card.
5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
8. Use Netflix free forever with Jim’s card **** 1234!

Where is the security flaw here? Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign up. But using someone else’s address on signup only cedes control of the account to that person. Others would say that Netflix should disallow the registration of james.hfisher@gmail.com, but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalization algorithm.

Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t matter” feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

Some Gmail power users might claim: “The dots-don’t-matter feature is great. I get ownership of an infinite set of email addresses!” But firstly, no one wants this infinite set of email addresses. Those who really want infinite addresses already have the “plus labelling” feature: I also own jameshfisher+spam@gmail.com, jameshfisher+work@gmail.com et cetera. Plus labelling is a similar feature, but with similar scam potential, although with some legitimate use cases. But I have certainly never wanted j.ame.s.h.fis.h.e.r@gmail.com, and John Smith never wanted jo.hn.sm.ith@gmail.com. I have never asked someone for her email address only for her to reply, “it’s jane.doe@gmail.com, but feel free to add the dot wherever you like.” Each Gmail user has one email address that they think of as theirs; all the others are mistakes.

Not only do Gmail users not want these extra addresses, most are not even aware that they have these addresses. I’m sure my parents are unaware that they own an infinite set of email addresses. They won’t know this, because Google have never told them, and this is not how email works anywhere else. Even the most technically minded Gmail power user refers to “my email address”, not to “my infinite set of email addresses”.

Even those Gmail users who are aware of their infinite set of addresses are probably unaware of the scams that this exposes them to. We teach people about “phishing” due to emails from dodgy email addresses, but we don’t teach people anything about phishing due to emails to dodgy addresses. Nevertheless, the result is the same: the victim loses money to someone else.

And even in the rare case that a Gmail user is aware of their infinite set of addresses, and they’re aware of the phishing attacks that this can expose them to, this user is unlikely to pick up on it, because the user interfaces of Gmail and Inbox don’t hint anything about a possible scam. In fact it barely even acknowledges that the email was to a non-standard address. The only clue in the screenshot above is that the interface says “to james.hfisher”, instead of “to me”.

The Gmail team should combat this kind of phishing. They should officially acknowledge that dots-don’t-matter is a misfeature. Indeed, the Gmail team admitted that dots-don’t-matter is “confusing” way back when they announced the feature in 2008). Each Google account should have one variant configured as its standard address; I would set jameshfisher@gmail.com as standard, and maybe John would set john.smith@gmail.com as standard. If an email is sent to a non-standard address, it should be shown with a warning:

Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to james.hfisher@gmail.com to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.

Read the original article over at JamesFisher.com

CenturyLink fights billing-fraud lawsuit by claiming that it has no customers

Posted by Dave Cahill on Apr 5, 2018 in Internet | 0 comments

CenturyLink fights billing-fraud lawsuit by claiming that it has no customers

CenturyLink operates via subsidiaries that enforce mandatory arbitration clauses.

Written by Jon Brodkin / Courtesy of ArsTechnica

CenturyLink is trying to force customers into arbitration in order to avoid a class-action lawsuit from subscribers who say they’ve been charged for services they didn’t order. To do so, CenturyLink has come up with a surprising argument—the company says it doesn’t have any customers.

While the customers sued CenturyLink itself, the company says the customers weren’t actually customers of CenturyLink. Instead, CenturyLink says they were customers of 10 subsidiaries spread through the country.

CenturyLink basically doesn’t exist as a service provider—according to a brief CenturyLink filed Monday.

“That sole defendant, CenturyLink, Inc., is a parent holding company that has no customers, provides no services, and engaged in none of the acts or transactions about which Plaintiffs complain,” CenturyLink wrote. “There is no valid basis for Defendant to be a party in this Proceeding: Plaintiffs contracted with the Operating Companies to purchase, use, and pay for the services at issue, not with CenturyLink, Inc.”

CenturyLink says those operating companies should be able to intervene in the case and “enforce class-action waivers,” which would force the customers to pursue their claims via arbitration instead of in a class-action lawsuit. By suing CenturyLink instead of the subsidiaries, “it may be that Plaintiffs are hoping to avoid the arbitration and class-action waiver provisions,” CenturyLink wrote.

Like other traditional phone companies, such as AT&T, CenturyLink does business through numerous local entities. In this case, the CenturyLink subsidiaries are Qwest Corporation; Embarq Florida, Inc.; Embarq Missouri, Inc.; Carolina Telephone and Telegraph Company LLC; Central Telephone Company; CenturyTel of Idaho, Inc.; CenturyTel of Larsen-Readfield, LLC; CenturyTel of Washington, Inc.; CenturyTel Broadband Services, LLC; and Qwest Broadband Services, Inc.

Internet, phone, and TV customers deal with CenturyLink, though—the old URLs for Qwest and Embarq simply redirect to CenturyLink.com, for example.

“Shell entities” are “a fiction”

CenturyLink also filed a motion to halt discovery in the case until after the arbitration question is decided by the court. CenturyLink wants to “stop the case and let us bring in these entities no one’s ever heard of,” plaintiffs’ attorney Benjamin Meiselas told Ars today. Meiselas said it is “a fiction” that CenturyLink is merely a collection of subsidiaries “that consumers don’t even know exist.”

“We reject these heavy-handed, anti-consumer tactics and the absurdity of these shell entities that CenturyLink claims to operate under,” Meiselas said.

Customers from 14 US states are involved in the putative class action against CenturyLink in US District Court in Minnesota. Nine lawsuits filed last year were consolidated into one, and the consolidated complaint says:

[C]ustomers have routinely reported: (1) being promised one rate during the sales process but being charged a higher rate when actually billed; and (2) being charged unauthorized fees, including billing for services not ordered, for fake or duplicate accounts, for services ordered but never delivered, for services that were canceled, for equipment that was properly returned, and for early termination fees.

When customers complained—and many thousands have—CenturyLink not only encouraged but rewarded its agents to deny remedying the wrongful charges and keep as much of the overcharges in the Company as possible.

The customers suing CenturyLink are from Arizona, Colorado, Florida, Idaho, Iowa, Minnesota, Missouri, Nevada, New Mexico, North Carolina, Oregon, Utah, Washington State, and Wisconsin.

Mandatory arbitration

The plaintiffs haven’t filed a response yet, but they will argue that CenturyLink is the proper defendant and that the company is trying to enforce arbitration clauses that customers never agreed to or that didn’t exist until after the lawsuit began.

CenturyLink has recently been including arbitration clauses in monthly bills, Meiselas told Ars.

“The arbitration clauses they’re trying to enforce post-date the litigation,” he said. CenturyLink frequently offered service to customers without contracts, often via door-to-door salespeople who signed up elderly customers, he said. If the customers didn’t have a contract, they couldn’t have agreed to an arbitration clause, he said.

The case also includes allegations that CenturyLink created fake accounts in order to overcharge customers. Since customers never signed contracts for those fake accounts, they couldn’t have agreed to arbitration in those instances, Meiselas said. “It logically follows that you didn’t sign a contract for something you didn’t contract for in the first place,” he said.

CenturyLink says that the arbitration clauses are not new. “The operating companies have a longstanding policy of requiring customers to agree to arbitration and class-action waivers,” CenturyLink said in another brief.

CenturyLink says that 37 of the 38 named plaintiffs “agreed to broad, all-compassing arbitration, and class-action waiver clauses in their service contracts with the Operating Companies” and that the 38th agreed to a class-action waiver.

CenturyLink said that its subsidiaries will provide evidence that the plaintiffs agreed to arbitration in a future motion to compel arbitration. So far, the operating companies have filed a “motion to intervene for the limited purposes of moving to compel arbitration.” If that motion is granted, the companies intend to follow it up with the motion to compel arbitration.

Meiselas said there are “millions of victims” in the potential class, including the named plaintiffs who “never signed arbitration clauses and certainly never agreed to any contracts on fake and fraudulent accounts. Also, CenturyLink’s recent attempts at sticking in arbitration clauses that post-date the lawsuit to deprive victims of their day in court are also unenforceable and a disgrace to consumers.”

CenturyLink has faced multiple lawsuits over its billing practices. One such lawsuit was filed by Minnesota Attorney General Lori Swanson, who obtained a court order in October 2017 that forced the company to better disclose its prices and fees at the time of sale.

Mandatory arbitration clauses are controversial; some Democratic lawmakers and consumer advocates say the clauses deprive customers of their rights to seek justice in courts. AT&T has aggressively pushed customers into arbitration clauses, but it lost a recent ruling on the issue. In a case involving AT&T’s throttling of unlimited mobile data plans, a US District Court judge in California ruled that AT&T could not force customers into arbitration because California law makes certain forced arbitration clauses unenforceable.

Read the original article over at ArsTechnica.

Cloudflare’s 1.1.1.1 DNS Service Makes the Internet More Private & Faster

Posted by Dave Cahill on Apr 2, 2018 in Privacy | 0 comments

Cloudflare’s 1.1.1.1 DNS Service Makes the Internet More Private & Faster

Written by Lawrence Abrams / Courtesy of Bleeping Computer

Today, a free DNS resolution service called 1.1.1.1 was unveiled that makes looking up Internet address not only faster, but more private. This new service was created by APNIC, who owned the 1.1.1.1 address, and Cloudflare who will use their network to host the DNS service.

They made this service because they were concerned about the speed of existing DNS resolution services and because many of these services log your queries and even sell this data to third party services. With this in mind, they teamed up to provide a new service that is not only privacy centric, but also very fast as its runs on Cloudflare’s distributed network.

1.1.1.1 promises to protect your privacy

One of the main concerns that Cloudflare and APNIC have with existing DNS services is that some of them log your IP address and associated DNS queries when you use their services. This allows them to track every single site that you visit. Even worse, some of these services may sell your data to third-parties, who can then use it for delivering targeted advertisements.

1.1.1.1 changes this by promising to never write the IP address of a client to disk and to wipe all transaction logs within 24 hours.

“We began talking with browser manufacturers about what they would want from a DNS resolver. One word kept coming up: privacy. Beyond just a commitment not to use browsing data to help target ads, they wanted to make sure we would wipe all transaction logs within a week. That was an easy request. In fact, we knew we could go much further. We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours.” – Cloudflare

They further stated that they hired KPMG to audit their code and practices in order to make sure they keep to this commitment.

1.1.1.1 speeds up DNS resolution using Cloudflare’s network

Whenever you connect to a hostname, such as www.bleepingcomputer.com, your computer must first query a DNS resolution service in order to determine the IP address that the computer will connect to. If the DNS query takes too long, it makes it slower to connect to a site.

Using Cloudflare’s network and existing DNS infrastructure, 1.1.1.1 claims that they are now 28% faster than any other DNS service as rated by DNSPerf.

Getting started with 1.1.1.1 is easy

The good news is that 1.1.1.1 is a free DNS resolution service and it’s really easy to setup on your mobile device, computer, or router.  If you are familiar with configuring a static DNS server, you can simply go into the settings of your device and configure it to use 1.1.1.1 as the DNS server.

Even better, is if you change your home router to use 1.1.1.1 as its DNS server, computers that connect to it and receive an IP address via DHCP will automatically use it as well.

For those who need some help changing the DNS server on your device, the 1.1.1.1 site has good instructions for the iPhone, Android, macOS, Windows, Linux, and a router.

Read the original article over at BleepingComputer.com.

What the @#$%&!? Microsoft bans swearing on Skype, in email, Bing and Office 365 docs

Posted by Dave Cahill on Mar 28, 2018 in Internet, Windows | 0 comments

What the @#$%&!? Microsoft bans swearing on Skype, in email, Bing and Office 365 docs

Adults-only Xbox games are OK but you can’t tell Cortana to go screw itself

Written by Simon Sharwood / Courtesy of The Register

Microsoft has advised users of upcoming changes to its services’ terms-of-use agreement that will make it a potentially account-closing offence to use offensive language on Skype or in a Word document.

The tweaked agreement, which comes into effect on May 1, 2018, includes the following new code-of-conduct item:

And if you disobey?

Microsoft lists its online services covered by the agreement here. To save you the click, the list includes:

• Skype
• Windows Live Mail
• Office 365
• Bing
• Cortana

There’s some sense behind the new rules, because the roster also includes things like Xbox Live, which has chat features that are used by morons to bully and harass fellow gamers. Smut and foul language also have no business at education.minecraft.net, the classroom-friendly edition of the uber-popular Minecraft.

The Register asked Microsoft if the new legalese was intended to stop people swearing on Skype or in Word files. A Redmond spokesperson sent us the following answer:

We are committed to providing our customers with safe and secure experiences while using our services. The recent changes to the Microsoft Service Agreement’s Code of Conduct provide transparency on how we respond to customer reports of inappropriate public content.

El Reg understands that the key part of that mostly non-answer is the language about “how we respond to customer reports of inappropriate public content,” as Microsoft’s intention is to give netizens a way to complain about nasty behaviour by other Redmond subscribers.

Microsoft told The Register it does not listen to Skype conversations, which is good to know. But the Windows giant added that it may obtain evidence of material that breaches the code-of-conduct if the biz receives a complaint from someone, be it over a Skype chat or an email, etc.

Which is a problem because the long, long list of online services covered by the updated service agreement means users of many products need to take note of the new legalese – if you subscribe to a Microsoft service, make sure you stay within the code of conduct.

Microsoft insisted it won’t actively police its services – but, beware: it will investigate complaints from people who are offended by what you do on Redmond’s platforms.

On The Register’s reading of the rules, a profanity-laden file written in Office 365, or an email with a nude selfie attached sent using Windows Live Mail, may fall on the wrong side of the code, if reported to Microsoft by someone. As would asking Bing to look up “Simon Sharwood of The Register is sh*t” or telling Cortana to “f*ck off” if it somehow caused offense.

And then there’s the absurdity of a ban of graphic violence or nudity, given that many Xbox games have attracted America’s Entertainment Software Rating Board’s Adults Only 18+ rating covering games that “include prolonged scenes of intense violence, graphic sexual content and/or gambling with real currency.” Even the board’s “mature” rating, applied to games suitable for players 17 years or older, warns that such software “may contain intense violence, blood and gore, sexual content and/or strong language.”

The Register understands that legalese needs to be broad so that Microsoft bods can step in when there’s genuine abuse or harassment being thrown around on its services.

But the new agreement is problematic because it hints at far broader and frankly creepy interventions involving rifling through people’s private files, if someone is upset at another user. Which in light of recent revelations about abuse of personal data, just isn’t a good look no matter that the agreement was probably drafted with good intentions. ®

Read the original article over at The Register.co.uk.