Barclays Online Banking gives 3rd Parties access to login pages

Banks aren't exactly known for living on the bleeding edge - even where good security practice moves on, they tend to be years behind. For better or worse, they lean toward preferring stability and consistency over chasing the latest and greatest.

However, this issue doesn't really fall under that traditional niche of "well, banks will be banks".

Barclays Bank (and others) are giving 3rd party scripts access to their Internet Banking login pages - the result is that a compromise or mistake at their supplier could compromise their customers' login credentials.

I highlighted this issue a few months back, and Barclays replied with "deliberate, not an issue" (paraphrasing a bit there), so I'm now getting around to writing it up.
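To make the exposure concrete, here is an added example (not code from the original post, and nothing to do with Barclays' actual pages): a small Node.js audit that lists the script includes on a login page, flags those fetched from another origin, and records whether each carries a Subresource Integrity hash. The HTML, the bank.example origin and the supplier hostnames are all constructed for the demo.

```javascript
// Added example, not from the original post and not Barclays' code: audit the
// <script src=...> includes on a login page. Everything below (origin, HTML,
// hostnames, the integrity value) is constructed so the script runs offline.

const LOGIN_PAGE_ORIGIN = 'https://bank.example'; // assumed first-party origin

// Constructed login page: one first-party include, one same-owner CDN include
// with SRI, one tag manager and one protocol-relative analytics include
// without SRI, plus an inline script. The integrity value is a placeholder,
// not a real digest.
const SAMPLE_HTML = `
<html><head>
<script src="/static/login.js"></script>
<script src="https://cdn.bank.example/ui.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://tagmanager.example.net/loader.js" async></script>
<script src="//analytics.example.org/a.js"></script>
<script>window.inlineConfig = {};</script>
</head><body><form id="login"></form></body></html>`;

// Parse the attribute text of one tag into a name -> value object.
// Handles double-quoted, single-quoted, bare and valueless attributes.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per external script: its src, the resolved origin it
// loads from, whether that origin differs from the page's, and whether an
// integrity attribute is present (a real check would also validate the digest).
function auditScripts(html, pageOrigin) {
  const base = new URL(pageOrigin).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline scripts are not a supply-chain include
    let origin;
    try {
      // Resolve relative and protocol-relative URLs against the page origin.
      origin = new URL(attrs.src, base + '/').origin;
    } catch {
      continue; // unparseable src: nothing to resolve
    }
    findings.push({
      src: attrs.src,
      origin,
      crossOrigin: origin !== base,
      hasSri: /^sha(256|384|512)-\S+$/.test(attrs.integrity || ''),
    });
  }
  return findings;
}

// Print the cross-origin includes first, since those are the supplier risk.
const findings = auditScripts(SAMPLE_HTML, LOGIN_PAGE_ORIGIN);
for (const f of findings.filter(f => f.crossOrigin)) {
  console.log(`${f.hasSri ? 'SRI   ' : 'NO SRI'} ${f.origin} <- ${f.src}`);
}
```

Run it with node. A cross-origin include without integrity is a script whose content is decided entirely by whoever controls that host, and it runs with full access to the login form. SRI only helps for a fixed file: a tag manager or analytics loader that fetches further scripts at runtime cannot be pinned this way, which is exactly the supplier-compromise path described above. The check also cannot tell a subdomain the bank operates itself from a supplier, so each cross-origin hit still needs a human to decide who controls it.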


Read more…

Amazon Blocks FLoC across most sites

Google's Federated Learning of Cohorts (FLoC) isn't exactly noted for its popularity.

The company claims that FLoC will improve privacy, though various researchers disagree (and there are issues that have remained unaddressed for years).

For those who're not up to date: the stated aim of FLoC is to replace tracking via 3rd party cookies with an engine within the browser that profiles your browsing habits and adds you into a cohort of users with similar behaviour - advertisers then advertise to you based on your cohort ID (I wonder why the idea of a browser tracking your habits for advertising purposes hasn't won hearts and minds in the way they wanted...).

News has broken (via Digiday) that Amazon have blocked FLoC from operating on (most of) their domains - the exception seems to be Abebooks.

Because the opt-out is signalled by an HTTP response header (Permissions-Policy), we can trivially confirm it for individual domains:

curl -v -o/dev/null https://www.amazon.co.uk 2>&1 | grep permis
< permissions-policy: interest-cohort=()
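Behind that one-liner is a small structured header. As an added example (not part of the original post), the following Node.js script parses a Permissions-Policy value into its feature/allowlist pairs and reports whether interest-cohort is set to the empty allowlist; the sample header sets are constructed for the demo, not captured from Amazon.

```javascript
// Added example, not from the original post: parse a Permissions-Policy
// response header and decide whether it opts the page out of FLoC.
//
// The header is a comma-separated list of feature=allowlist members, where
// an allowlist is "*", a single token, or a parenthesised space-separated
// list such as (self "https://maps.example.com"). The FLoC opt-out is the
// empty list: interest-cohort=()

// Parse the header value into a Map of feature -> array of allowlist tokens.
// "*" is kept as the single token "*" and "()" becomes an empty array.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  if (!value) return policy;

  // Split on commas that sit outside parentheses and quoted strings.
  const members = [];
  let depth = 0, quoted = false, current = '';
  for (const ch of value) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === '(') depth++;
    else if (!quoted && ch === ')') depth--;
    if (ch === ',' && depth === 0 && !quoted) {
      members.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  members.push(current);

  for (const raw of members) {
    const member = raw.trim();
    const eq = member.indexOf('=');
    if (!member || eq < 0) continue; // keep the parser strict: no value, no entry
    const name = member.slice(0, eq).trim().toLowerCase();
    const allow = member.slice(eq + 1).trim();
    const unquote = t => t.replace(/^"|"$/g, '');
    if (allow === '*') {
      policy.set(name, ['*']);
    } else if (allow.startsWith('(') && allow.endsWith(')')) {
      const inner = allow.slice(1, -1).trim();
      // Origins contain no spaces, so whitespace splitting is safe here.
      policy.set(name, inner ? inner.split(/\s+/).map(unquote) : []);
    } else {
      policy.set(name, [unquote(allow)]);
    }
  }
  return policy;
}

// True when the response headers carry interest-cohort=(). `headers` is a
// plain object; lookup is case-insensitive and a repeated header (array of
// values) is joined the way HTTP clients present it.
function flocBlocked(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'permissions-policy');
  if (!key) return false;
  const value = Array.isArray(headers[key]) ? headers[key].join(', ') : headers[key];
  const allow = parsePermissionsPolicy(value).get('interest-cohort');
  return Array.isArray(allow) && allow.length === 0;
}

// Constructed sample responses (not captured from any real site): the bare
// opt-out shown by curl above, an opt-out buried among other policies, no
// policy at all, and a policy that explicitly allows the page itself.
const SAMPLES = {
  optedOut: { 'permissions-policy': 'interest-cohort=()' },
  optedOutAmongOthers: {
    'Permissions-Policy': 'geolocation=(self "https://maps.example.com"), interest-cohort=(), camera=*',
  },
  noPolicy: { 'content-type': 'text/html' },
  selfOnly: { 'permissions-policy': 'interest-cohort=(self)' },
};

// Evaluate every sample and return name -> blocked?
function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = flocBlocked(headers);
  return out;
}

console.log(auditSamples());
```

Note that only the empty allowlist counts as an opt-out: interest-cohort=(self) still permits the page to take part, which is why the check inspects the parsed allowlist rather than grepping for the feature name.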


Read more…

Privacy Policy - 20210615

This page serves as the GDPR Privacy Notice for www.bentasker.co.uk.

The controller of the data collected is Ben Tasker.

You have the right to object to processing, either by objecting to a specific mechanism as described below, or by Contacting Me. If you feel your objection has not been appropriately handled, or that the processing does not have a lawful basis, you also have the right to complain to a supervisory authority.

As an overall summary of the policy - I collect some data in order to run and improve the site, but will not share that data with third parties unless I'm legally compelled to do so.

Where I'm performing a service for you (i.e. you're a customer rather than simply visiting the site), our contract will include sections as needed to cover any additional elements I may encounter whilst working for you.


Compliance with a Legal Obligation

The following data is processed/retained in order to comply with Legal Obligations - GDPR Article 6(1)(c)

Tax Records

If you purchase a product or service from me, then you will have been issued with an invoice containing some or all of the following personal data

  • Your Name
  • Your Address
  • Your Email Address
  • Your Telephone Number

A copy of your invoice will be filed with my Tax records, which in order to fulfil HMRC's requirements must be retained for up to 7 years.

Because this data must be available in order to comply with a legal obligation, the GDPR rights of erasure and objection cannot be exercised for this data.

The data is retained on isolated systems with very strong access controls, and will not routinely be passed to any third party. In the event of an audit by HMRC, however, the data may be provided to them when formally requested.


Legitimate Interests

The following data is processed/retained based upon the Lawful Basis of GDPR Article 6(1)(f) - Legitimate Interests. In accordance with GDPR, each has been subjected to a Legitimate Interest Assessment (LIA) in order to balance your rights against those legitimate interests.

Read more…

Sparkler Bombs...

Firstly, to deal with the obvious: the term sparkler bomb is a bit of a misnomer, the burst isn't contained - there's no explosion, just a large whoosh. There are, of course, ways to contain them and make a bang, but doing so is (frankly) twattish and far, far less fun (even before it goes wrong and puts you in A&E).

Secondly: this post is offered as a bit of fun, not as an instructable - if you're silly enough to try and recreate (or better) my mischief, then the consequences lie with you and you alone.

Anyway, moving on...

One of my earlier memories of being on the internet was delight at finding pages talking about creating sparkler bombs. Pages much like this post (in fact, I'm all but certain that was one of them, I remember the humour and definitely remember the imagery).

Much like any obsession on the earlier web, I only had photos to go on (Youtube wouldn't be created, let alone mainstream, for years - even where videos were recorded, they were shared as framegrabs).

The photos, though, showed some fairly spectacular results:

Sparkler Bomb Picture from www.dansdata.com

That blue line is an artefact of the CCD in the camera the image was captured on (i.e. it's not really there), but it does nothing but add to the effect.


At the time, I couldn't possibly have built a sparkler bomb myself - being too young to buy the things was a surmountable obstacle, but not having the funds to buy them in the first place was not. And so, some things that should not have been forgotten were lost - at least for a time.

Actually, I have periodically thought about them - usually when handed a sparkler - but the thought's slipped from my mind well before being able to act on it.

Recently though, I had need for a couple of small sparklers (think of the things you put on a cake), and had the rest of the pack left over. Being mini sparklers it was never going to be anything near as spectacular as the image above, but nowadays cheap video cameras that can shoot slow-mo are readily available, so I figured it'd still be interesting to try.


Read more…

Making my books freely available

Nearly a decade ago, I self-published a couple of books on the Kindle store: Linux for Business People and A Linux Sysadmin's guide to mischief.

Since then, I'd largely forgotten about them, until sorting through some files today.

They're pretty outdated (and weren't that great back then), but I figured as they've served their original purpose, I'd make them freely available:


  • Linux for Business People
  • A Linux Sysadmin's guide to Mischief

Both come from those happy, happy days before SystemD inserted itself onto our systems...

FLoC disabled on my sites

Cookies have been viewed as the enemy for quite some time, with the result that 3rd party cookies are (quite rightly) being treated with high levels of suspicion.

Unfortunately, the focus being on cookies rather than the tracking/profiling that they enable has left an opening for the unscrupulous to offer a cookie-less alternative.

Enter Google, who a while back announced they were building something called Federated Learning of Cohorts (FLoC) into Chrome. The basic underlying idea of FLoC is that it assigns the browser a cohort ID - grouping it in with other browsers that have a similar browsing history.

The browser's history never leaves the browser: the cohort ID is calculated locally (updating once per week, based on the previous week's browsing). Websites can then query the browser for its cohort ID (by calling document.interestCohort()) and serve ads based on the ID returned.

However, deeper inspection has shown that rather than solving privacy issues, FLoC simply presents new ones - in fact there's an obvious vector in the paragraph above: your cohort ID is the same across all sites you visit...

Plus, although I say new, some of these issues were highlighted in 2019 and remain unaddressed.


Multiple groups have identified that FLoC can be used in fingerprinting, for example:

  • A site that a user logs into can link their credentials and cohort ID
  • A government site may identify a cohort ID that commonly contains dissidents and can link this ID to the IP of any cohort member who visits a government site
  • Users with a specific medical condition may get grouped into a cohort - while it may not be possible to identify the users it's fairly likely they wouldn't consent to being targeted based on that condition

There are many, many writeups on the issues with FLoC (many linked to from here) that do a better job of covering this than I can here.

To summarise, though, Google's only defence is to present a false dichotomy - they argue that FLoC is better for privacy than 3rd party cookie based tracking. This rather ignores that cookie-based tracking is already being killed off by browsers - we could instead opt for a world without either (the not-so-secret option c).
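As an added example (not from the original post, and not Google's code), the following Node.js simulation joins two constructed site logs on cohort ID to show the linkage in the first two bullets above: a site with logins learns which accounts sit in each cohort, and any other site that sees the same ID can reduce an anonymous visitor to those candidates. Cohort values, usernames and IP addresses are made up; in a real page the ID would come from await document.interestCohort().

```javascript
// Added example, not from the original post and not Google's code: a
// simulation of cross-site linkage through a shared FLoC cohort ID.
// In a real page the browser supplies the ID via
//   const { id } = await document.interestCohort();
// Here the logs are constructed so the script runs offline.

// Site A has logins, so each visit pairs an account with the cohort ID the
// browser reported. (Constructed data.)
const SITE_A_LOG = [
  { user: 'alice', cohort: 21472 },
  { user: 'bob',   cohort: 21472 },
  { user: 'carol', cohort: 8021 },
  { user: 'dave',  cohort: 30999 },
];

// Site B has no logins and only ever sees a source IP and the same cohort ID.
// (Constructed data.)
const SITE_B_LOG = [
  { ip: '203.0.113.7',  cohort: 21472 },
  { ip: '198.51.100.4', cohort: 8021 },
  { ip: '192.0.2.55',   cohort: 44000 },
];

// Build cohort -> set of usernames from the logged-in site's records.
function indexByCohort(log) {
  const idx = new Map();
  for (const { user, cohort } of log) {
    if (!idx.has(cohort)) idx.set(cohort, new Set());
    idx.get(cohort).add(user);
  }
  return idx;
}

// For every anonymous visitor on site B, list the accounts site A saw in
// that cohort. Because the cohort ID is identical on both sites, the join
// needs nothing more than the ID itself: no cookie, no shared login.
function linkVisitors(siteALog, siteBLog) {
  const idx = indexByCohort(siteALog);
  return siteBLog.map(({ ip, cohort }) => ({
    ip,
    cohort,
    candidates: [...(idx.get(cohort) || [])].sort(),
  }));
}

// Whatever minimum cohort size the browser enforces globally, a single
// site's intersection with a cohort can be far smaller: carol is alone in
// cohort 8021 as far as these two sites are concerned, so the visit from
// 198.51.100.4 is linked to one account.
console.log(JSON.stringify(linkVisitors(SITE_A_LOG, SITE_B_LOG), null, 2));
```

Serving interest-cohort=() on site A stops that page both from reading the ID and from contributing to the browser's cohort calculation, but it does nothing about site B, which is the point of the third bullet: the exposure follows the user, not the site that opted out.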


Read more…

Removing Ads from my Sites

(It occurs to me that publishing this on 1 Apr isn't the best move - rest assured this is genuine)

I've long felt uncomfortable with the privacy trade-offs of having advertising on my sites.

Shortly before GDPR came into effect, I wrote a post detailing how I was, once again, revisiting the decision of having ads on my site.

The decision then, as before, was that the ads were a necessary evil as the revenue they generate contributes something to the running costs of this site, helping keep over a decade's worth of work online.

Today, however, I'm changing that decision and removing Google's AdSense from all of my sites.

Read more…