Tag Archives: microsoft

What you really accept when you use How-Old.net

 

ToU for How-Old.net

Microsoft had an apparently unexpected hit on their hands with the unveiling of the “How Old Do I Look?” service at the Microsoft Build conference last week. By the weekend my Facebook feed was filling up with friends from all over the globe sharing the results of their own submissions to the service. For the three of you that haven’t come across this viral hit recently, “How Old Do I Look” allows a user to upload a photo and will attempt to correctly guess the age of the subject of the picture, with the results ranging from the spectacularly awful to the incredibly accurate.

My vanity drove me to the website to upload a picture of my ageing mug. Before uploading though, unlike most users it would seem, I paused to read the Terms of Use linked from the landing page of the service. After being initially reassured by the clear and unambiguous “P.S. We don’t keep the photo”  right below the upload button, the ToU told a very different story…

From the “Materials Posted on this Website” section of the ToU (my own bolding):

“[…] by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services

These are actually the standard ToU for Microsoft’s Azure cloud services, they are broadly similar to the ToU of many, many other online services. While I am not trying to insinuate that Microsoft have some sneaky photo-stealing agenda, these ToU do really serve to illustrate a couple of perennial problems in information security.

– The scale of customers’ unwillingness to inform themselves of what exactly they are agreeing to when making use of information technology.

These terms were not hidden away, they were clearly linked from the front page of the service, yet not one of the people I spoke to had bothered to click through. Perhaps we have been educated into apathy. Many companies are certainly guilty of producing reams and reams of agreements and terms that a customer could never reasonably be expected to digest (*cough*iTunes*cough*) but this was not an example of that. These Terms were relatively clear and concise and not overly long.

The cult of overasking.

It seems that the developers of the How Old service had no intention at any time of storing your images, or of “publishing your name in connection with your submission”, but instead of crafting a Terms of Use document specifically for their own service, potentially one that could have been far more brief, human-readable and accessible, they fell back on the default Microsoft Azure ToU.

These kinds of clauses help no one.  In most cases the motivation behind such a broad legal definition of rights is a technical one. The service provider needs to cover the processing, caching,  and publishing of user submitted data. They need to legally define the normal operation of their service. However, the legal eagles, in attempting to define that service, grant themselves such a broad swathe of rights, going on to qualify them with phrases such as “without limitation” that the end result is Orwellian in scope.

When the rights reserved by the operators of “How Old” are pointed out to the users of the service they are clearly concerned, often to the extent that they wish they had never used the service. This isn’t fear-mongering, this is a natural and understandable reaction to the feeling that a faceless corporation is “taking liberties” with their data or duping them with a “bait and switch” scam. “We don’t keep the photo (but we can if we want to)”.

These things must end. It is our own responsibility to keep ourselves informed of the content of agreements that we make. Whether that’s a pen and ink signature on an agreement of a digital click of acquiescence. We need to reject terms with which we are uncomfortable and push back on overly greedy legal documents.

At the same time, the legal officers, particularly of the global mega-vendors have a duty to become more tech-savvy. To be able to better define the technical rights necessary for the operation of a service accurately, without the need for land-grabbing phrases such as “without limitation”

Superfish (and chips) or Super Phish?

 

Image credit: seekeraftertruth[.]com

UPDATE: The private key and associated password which enable 3rd party (i.e. attacker) MITM attacks have successfully been extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. Compromised machines where a detection is made will still need to manually remove the Superfish certificate as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate

___________________________________________________________________________________________________

When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time, in fact back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping this spyware, due to “some issues”. Of course that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among it’s bag of usual adware type tricks, Superfish also installs its own self-signed Root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security,  and usually only the other party in the conversation, your bank, facebook, your email account or an online store for example, is able decrypt this privileged content.

By generating self-signed certificates, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations, and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and 1024 bit RSA keys (outdated since 2013), and it uses the same Root CA private key on *every* Lenovo laptop opening up the possibility of attacks against the certificate itself for widespread criminal abuse.

Images are already cropping up on Twitter showing the potential implications of this functionality.

Worse still it seems that a simple removal of Superfish does not remove this associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing, though misuse or misappropriation of the certificate’s private key.

Affected users will need to first manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate, Here is a list of root certificates that are necessary for Windows and a link to certificate removal instructions.

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device.

It’s not my birthday

Flickr image by andrewmalone used under Creative Commons

I arrived in the office this morning to find a slew of birthday greetings awaiting me, both on Skype and even in direct message form on Twitter, where I was told that my birthday was appearing in someone’s calendar and they had no idea why. For a second I was confused, until my other half told me of her moment of abject fear that she had forgotten my birthday when she logged into Skype, the the proverbial penny dropped.

Like the queen, I have two birthdays each year, my real one and my Skype birthday and there is a good reason for this. Skype decided long ago that certain parts of your Skype profile information should be publicly available and Microsoft have continued this tradition. The privacy settings of these data items are non-configurable, this data comprises your first and last names, gender, detailed location and date of birth which taken together easily constitute “Personally Identifiable Information” under whichever jurisdiction you care to mention.

Whilst is is not compulsory to enter your date of birth on Skype in order to operate an account you are certainly encouraged to do so, whether that be by the “Profile completeness” tips (you get and extra 10% for your birthday!) or the bald invitation to “Add your birthday”. However it is not made clear when you add this data that it will only ever have a privacy setting of “Public”. Once you discover this, no doubt you will want to remove your date of birth, but the interface seems designed to fool you into thinking that this is nether possible nor wise

Skype Date of Birth

“It’s a Security Thing”… It sure is!

Nonetheless it is entirely possible, and advisable to reset this information to read simply “Day”, “Month” & “Year” and to remove your birthdate from the public domain. Either that or elect to have a second alternate birthday, just like I did. I haven’t got any presents yet, but the attention on this Monday morning is lovely.

Of course your friends and people you trust need to know your birthday, otherwise how are you ever going to get the full set of Iron Maiden reissues as birthday presents (true story) but unfortunately information such as date of birth is still all too often used as important security information or qualifying information to apply for identity documents and should not be broadcast so widely. In the words of the New York State Police

“All an identity thief needs is any combination of your Social Security number, birth date, address, and phone number.”

We can argue the pure logic of their claim (“any combination?” surely not) but the fact remains any information given freely, particularly in context increases your risk of identity theft or fraud. If you think that enterprising online criminals are not really interested in this stuff, think again, as much as five years ago they were already referring to Facebook as a “Free DOB Lookup Service”, of course that got resolved but we all know that scammers actively solicit contacts on Skype already and accepting the connection request is all it takes to give away your personal information.

Criminal forum post from 2009

Criminal forum post from 2009

We live in an age where everything is increasingly connected to everything else; accounts, applications, APIs, credentials devices and personal details and more. The less you broadcast, the more you can begin the long process of reclaiming ownership over your own identity. A process which for most of us, is long overdue.