Ben Tasker's Blog

Breaking the Google Addiction one step at a time

Google isn't your friend. Google isn't my friend. Google is, and always has been, a data-whore.

But, still we use them and allow them to slurp up more and more data about us.

They're a bit like Amazon in that respect - you know they're an increasingly terrible company, but they're just so convenient and you keep on using them whilst ignoring the power they're amassing over the market.

But, it is something that's been concerning me more and more over the years.

We install adblockers, no-script and other extensions to add a fig-leaf to our privacy, or to try and avoid Google's user-hostile changes, yet we keep on using the same services. Even when they completely change the UI around on us, for no good reason, we still keep using their services.

I decided, quite a while ago, it was time I made a change, but then did very little, at least until recently.

As great as a "clean-break" might sound, going cold turkey off Google's services is never going to work - no model of user behaviour supports making massive jarring changes.

So I decided to start with the most obvious interaction with Google - their search engine. I don't have Google Home or similar, so my most frequent interaction with Google is search.

Read more ...

Twitter Jail: My Memoirs

Sometimes life throws you an opportunity. A quick search on the net suggests that whilst many celebrities have written about their time inside bricks and bars prison, no-one's had the foresight to document their time in something more modern.

I've been thrown in Twitter Jail, with all privileges withdrawn pending appeal. In physical jail, you can still watch the other inmates, but in Twitter jail if you have the temerity to appeal they blind you until the appeal is concluded.

This is a tongue-in-cheek record of my time in Twittertraz - with some very strong language within

Read more ...

Last Night's Storm

We had an awesome double thunderstorm last night; it ran for well over an hour.

I'd been drinking, so couldn't drive out to stand and watch from a field, but this post has some gifs of what I did capture.

Read more ...

A small reminder of Legitimate URLs for my content

I've had some reports come in of my site not loading correctly via an onion (tor) address.

Upon further inspection, it's not actually an address operated by me, but is someone trying to ride on the back of my content to extract ad revenue. For avoidance of doubt 6zdgqjwwmjiphye3.onion is not legitimate.


Read more ...

The Curious Case of BitFi and Secret Persistence

For some slightly obscure reasons I've recently found myself looking at the Bitfi hardware wallet and some of the claims the company make, particularly in relation to whether or not it's actually possible to extract secrets from the device.

The way the device is supposed to work is that, in order to (say) sign a transaction, you use an onscreen keyboard to enter a salt, and a >30 char passphrase.

The device then derives a private key from those two inputs, uses it and then flushes the key, salt and passphrase out.

Each time you want to use the device, you need to re-enter salt and passphrase - the idea being that if it never stores any of your secrets, then there's nothing to extract from a seized/stolen device.

From Bitfi's site we can see this wrapped up in marketing syntax:


The Bitfi does not store your private keys. Ever. Your digital assets are stored on the Blockchains, when you want to make a transaction with your assets (move them, sell them, etc.) you simply enter your 6-character (minimum) SALT and your 30-character (minimum) PASSPHRASE into your Bitfi Legacy device which will then calculate your private key for any given token “on-demand” and then immediately expunge that private key.

For various reasons (see Background) I was somewhat dubious about the veracity of this claim, and ultimately ended up looking over their source code in order to try and verify it.

This post details the results of that examination; the following items should be noted:

  • Although not explicitly vulnerabilities, the issues noted below have been submitted in advance to the Bitfi dev team (I did ask previously via email whether email or Bitfi.dev was preferable for raising issues).
  • Incomplete sources are published on Bitfi.dev - example here, so although I include code snippets in this post, it's updated versions of code that's already public - I'm not simply publishing their code on the net :)
  • I probably will make some mistakes: I've been ill, so focusing is hard, and I dislike C# so it's more than possible something's changed without me realising.
  • This is the result of a fairly short code review, and in no circumstances should be viewed or characterised as a full audit.
  • In the sources, the code version shows as v112.

The result is a long analysis, so some may prefer to jump to the Conclusion.

Read more ...