Category: Data security

Anti-stalking features part of major Bluetooth item-location platforms

Apple AirTag press image courtesy of Apple

Apple AirTag – one of the main item-location platforms that are supporting anti-stalking measures

Apple and Tile implement item-location platforms that are based around Bluetooth-driven locator tags that can be attached to the items that need to be located. They also work with software that “pings” these tags in order to locate them on a map or make them sound an audible signal so you can locate the object attached to them.

But some people use these tags for nefarious purposes. Typically this is about tracking people who don’t want to be tracked, typically as part of stalking or as part of abusive one-sided relationships.

But Apple and Tile have answered this problem through adding logic to their first-party mobile-platform to detect unknown or unrecognised Bluetooth trackers. It is based around the idea of a tracking device or tag that is not associatedd with your “universe” of mobile computing devices moving in the same direction as you or your mobile computing device.

In the case of Apple, this is built in to the iOS operating system and in to a first-party mobile-platform app for Android. This software identifies if the AirTag or other “Find My” device is moving with you that isn’t registered to your device or Apple ID and is separate from the registered user. As well, the AirTag makes a sound if it isn’t with its owner for a significant amount of time. It also has NFC to allow a person to use a suitably-equipped mobile platform device to identify whether the AirTag is lost, including how to contact the device’s owner and return it. This also yields instruction on how to disable the device by removing the coin-size battery.

With Tile, the software is part of their first-party companion mobile-platform app and identifies if the unknown Tile device is moving with you and separate from the registered user. But it requires that you use the mobile-platform app to instigate a “scan” process.

As well, Google has baked in to their Google Services update package for Android 6.0+ the necessary software code to detect unknown tracker devices that are following you. This includes the necessary user interface to warn you against unknown tracker devices following you and help you identify or disable these devices.

This is part of an Apple and Google initiative to establish an Internet Engineering Task Force draft specification that mandates particular anti-surveillance features in Bluetooth-driven item-location platforms that work with iOS or Android smartphones. It avoids the need for companies who want to build item-location platforms to design them responsibly without needing to reinvent the wheel.

What needs to happen to prevent covert surveillance with item-location platforms

Once the IETF specification regarding anti-surveillance features for item-location platforms is set in stone. there has to be some form of legal mandate regarding its implementation in computing platforms and computer-assisted item-location platforms. This could be through other international standards regarding radiocommunications and telecommunications devices or customs and other legislation and regulation regarding the trade in goods.

The anti-surveillance features in these item-location platform would need to be able to perform well within a crowded location especially where multiple devices of the same platform and owned by different owners are likely to be there. Think of, say a busy bar or nightclub where many people are likely to be moving around the venue.

Similarly, these features would need to work properly with situations where a passenger’s luggage is transported in the baggage hold of the same transport as its owner. This is because some passengers may use an AirTag or luggage with integrated item-finding technology in order to avoid losing their baggage.

The devices need to support universal platform-independent NFC “touch-and-go” technology to allow someone to identify lost tracking devices. This would then show up contact details about who own the device or how to return it to its owner. This is more so where a computing device that has or is connected to an NFC sensor but doesn’t run iOS or Android is used to identify the tracking device’s owner, something that would be common with laptop or 2-in-1 computers. Such a situation would come in to its own with a lost-and-found office who uses regular computers running desktop operating systems as their main office computer equipment.

As well, item-location devices should be easy to disable like removing the battery or enforcing a factory reset on the device. This would come in to its own if the device was being used to track someone and such a device was discovered by its target or someone assisting the target.

Let’s not forget that wearables like smartwatches and fitness trackers, along with headphones and similar personal-audio devices are being equipped with location-tracking functionality. This is to allow people to locate lost smartwatches or earbuds or premises owners, lost-and-found offices and the like to return abandoned devices to their owners. Here, they would have to be part of an established platform and be subject to the same conditions as tag-style devices.

There could also be one or more innovation challenges for manufacturers of various third-party devices in one or more sectors that work to detect covert surveillance of people using item-location devices. Such devices like, perhaps, turnstile-type devices could be designed to provide augmented signalling of tracker devices unrelated to a user’s smartphone but moving with the user or their possessions.

Add to this education programs for third parties like IT support, the security sector, the social-work sector and similar groups to help staff work against covert surveillance of people they work with using item-location devices. This could be about assisting with locating and defeating unwanted devices or configuring users’ personal technology for privacy.

Similarly there has to be action taken about the sale of devices that are modified to avoid detection by the person who is being tailed. This is more so where there have been AirTags sold through online marketplaces like Etsy that have their speaker removed or disconnected to avoid audible “pinging” and detection by the stalking victim. Such action could be in the form of statutory action like radiocommunications regulations regarding such devices sold on the secondary market or customs regulation regarding devices that are imported or exported.

Conclusion

What I see of this effort by Apple and Google is a significant step towards responsible secure design of item-location platforms and an example of what responsible design is about.

Phishing in the name of government

There is a strong risk of people being “phished” in the name of various local or foreign government departments.

This typically happens whenever a new legal requirement or regulation is coming in to play in your jurisdiction or another jurisdiction that you have a “footprint” within. A key example of this that has been happening frequently in some parts of Europe with “clean-air” certification requirements for motor vehicles operated in various European cities. Or there are the recent energy-efficiency or cost-of-living support programs being offered by many a government that may be relevant to you.

The phenomenon also happens around tax season where there are attempts to phish your government’s tax department in relationship to tax refunds or obligations. This becomes intense when there are significant changes to anything to do with income tax, sales tax / VAT / GST or similar taxes and how they are assessed.

Or it could be to do with an incident or transaction that happened locally or on foreign soil, such as a legal action, motor vehicle accident or a purchase. Here, it would be about having to follow through with any necessary homework to close the incident or, perhaps, facilitate a product recall.

Typically the grifters are after your email addresses and passwords for various online services. They may also be after financial details like your credit-card / bank-account numbers or authority to debit money from your main transaction account. As well they are after personal identifying information like your name, address or date of birth so as to facilitate identity theft.

Check that Web link carefully

One thing you have to do is to check the Web link that is being used to link to a resource they are wanting you to view.

Domain names

Most governments use specially-reserved domain suffixes for their online presence such as email addresses or Website addresses. This is worked out with the powers that be that regulate or offer domain names across the Internet. Examples of these include “.gov”, “.gov.au” or “gouv.fr”,

There is an exception to this rule with government-owned enterprises or outsourced government activity. But most of this kind of activity will exist under a nation’s own top-level domain like “.au, .nz, .uk, .de” that is maintained by a national organisation that manages this domain, selling them only to citizens of or organisations chartered in that nation. It also applies to countries that don’t operate a specific government-level subdomain in their Internet domain hierarchy.

On the other hand, there may be an alternative domain name representing the name of the agency or program that is communicated to the public beforehand. You will see this in advertising or public-relations activity ran by that agency or program. This may be common with government enterprises like public transport or with outsourced government efforts.

Link shorteners

Link-shortening arrangements, whether offered by the communications platform or another platform can be used to obfuscate the hyperlink’s domain name. It also affects QR-codes that are used to link to a Website. But they are used with messages sent by SMS/MMS or messaging platforms or material posted on some social media platforms due to the platform not having enough room for a full Weblink.

Typically, when you click on a shortened link, you would be redirected to the main link. Here, you may have the ability to see the full link or at least the domain name that is associated with that link.

In the case of services like Linktree, you would be shown to an intermediary Webpage that shows a list of Weblinks that point to different resources on the ‘Net. These are used for online presences that only tolerate one Weblink, or with QR codes to lead people to a menu of related resources. Clicking on these resources from a Linktree list would have you see the full link or the domain name associated with them.

Smartphones and similar devices

Similarly, mobile browsers or other browsers written for limited user interfaces don’t have an always-visible address bar that shows the URL of the Website you are visiting. Here, it may be a good idea to bring up that address bar to see the Website’s URL when you open the Website.

But the better mobile browsers like Chrome for Android are answering this problem by showing the domain name of the Website you are visiting. Here you can be sure you are visiting the correct Website for the government department.

E-mail addresses

E-mail addresses tend to have a “display address” that is visible to users and the actual email address that points to an email account on an email service. This is typically to allow a person’s or company’s name to be visible in a manner familiar to everyday users even though they have an obscure-sounding account username.

But an email phishing scam can show a display name that appears legitimate at first sight but relates to an account that is different from the display name. This can be an email account that appears to come from a government domain but actually comes from a “.com” or foreign domain.

Most email clients have the ability to show the email address in addition to the display name. Some like desktop email clients will show the email address alongside the display name whereas others may require you to hover the pointer over the display name or, in the case of a touch-based device, dwell your finger on the display name.

Websites and similar online touchpoints

Use of SSL security

Government Websites and similar online touchpoints will use SSL security, preferably with Extended Validation or Organisation Validation SSL. This will be used as a way to authenticate the Website and secure your communication with it.

You will notice this with a key or padlock symbol in the address bar or even see the address bar or address text turn green when you visit the Website. With Organisation Validation SSL, you may see the name of the government department if you, for example, click on the key icon in your browser’s address bar.

This is more so where you are filling in online forms, making payments or submitting identity numbers as part of your online interaction.

Communications standards

The text for genuine government communications will come across in your nation’s official languages including locally-accepted dialects to a standard consistent with proper business communications. This will be of importance with emails or SMS messaging. It is because the source text for a Website or message could be written in one language but translated using Google Translate or another online machine-translation service.

In some cases, a multilingual government site may show more information on one particular language compared to other languages. This may be due to the public servants being more confident with that language and resisting the want to “pump” the text through machine translation or submit more work to translation services. Similarly, there may be more relevant resources that are native to that language such as the German-speaking part of a Swiss government Web site referring to extra resources available in Germany.

The logos, colours and other trade dress on that site should be current to what the government department is using in their public communications. This is important whenever the department underwent a significant branding change or there was an official restructure that took place.

How are transactions settled

Payments to government departments are to be settled in the jurisdiction’s common legal tender i.e. the local currency used for daily transactions. That means you shouldn’t see a debt being raised in US Dollars or Euro if the country doesn’t use these currencies as local currency. Nor should you see these debts being raised in cryptocurrency units like Bitcoin.

The method of payment is to be a domestically-accepted or regionally-accepted electronic-funds-transfer mechanism where the money is directly transferred out of your bank account. This may include a similar platform like Australia’s Government EasyPay that is set up by the public service to receive government payments. You may find that some governments may implement the common payment cards as a legitimate payment means for some personal transactions.

But you shouldn’t be using payment methods like gift cards; prepaid disposable debit cards; wire transfers like MoneyGram and Western Union Money Transfer; or cryptocurrency to settle these debts. Scammers prefer these means because there is no traceability that can facilitate investigations or ability for customers to have the transactions reversed.

What do you do

Don’t click the link or use the contact details in the message that the phishers have sent you. Instead, contact the government department via their official email address or phone number if you receive a message in the name of that department in order to confirm the veracity of the situation in the message.

Don’t click the link or use the contact details in the message that the phishers have sent you.

Here, you manually enter the department’s URL in to the address bar on your Web browser or use Google or Bing to search for it if you don’t know that URL. The result you should use in the search engine is the first one that isn’t an ad. This is because scammers can buy a search ad to promote their phishing Webpage on popular search engines. You may even find that privacy-focused search engines like DuckDuckGo may yield the proper results with the official page listed at the top.

The “Contact Us” or “About Us” page will list official emails that the government department uses alongside other contact details and, perhaps, a Webform for this purpose. It may also include the phone numbers associated with that government department, typically a “wide-area” number like a toll-free, fixed=price or few-digits number, answered by a receptionist, switchboard operator or auto-attendant setup.

You may find that an e-government app that you have on your phone may come in handy for looking up contact details. Here, you would have ended up with one of these apps on your phone as part of your government’s COVID-safe measures or as part of an effort by your jurisdiction to head to a “switched-on” posture.

The government department’s Website will be likely to yield information about how you can verify the authenticity of a message you received from them or report phishing attempts. You may even see information on the government department’s site about these attacks if they have been subject to a rash of phishing attempts in their name.

If this message emanates from a foreign government, it may be something that requires consular assistance to verify its legitimacy or further the transaction, Here, you may have to check with that nation’s embassy or consulate or your government’s foreign-affairs department about what they are asking for.  They may also put you in touch with official translators when you want to translate official documents or it may be about identity verification or document authentication for international transactions.

That situation may come in to play for those of us who regularly travel between or have business dealings with different countries and leave a “digital footprint” with other countries’ governments. It would be more common where the countries have land borders or are accessible by a short affordable journey.

What can be done?

As we install e-government apps on our phones, these apps could facilitate a verification or authentication mechanism for government correspondence. Here, you could be doing something like clicking on a verification link in an email or message if you receive it on the same device as the app or scan a QR code on the message or Website in order to verify its authenticity.

Similarly, increasing the use of device-based password-free authentication in online government services could come in to its own to prevent citizens’ online accounts being phished.

Conclusion

The goal is to be patient about how you handle that message that comes in from the government and take time to verify its authenticity using the government department’s official contact points that you find from locally-respected information sources.

Mutually-verified contacts as a security feature for messaging and social media

Most of us who have used Facebook have found ourselves seeing a friend request for someone who is already our Facebook Friend. This is a form of account compromise where someone creates a doppleganger of our account as a way to impersonate our online personality.

Such “clone” accounts of our online presence can be used as a way to facilitate a “man-in-the-middle” attack especially when dealing with an encrypted communication setup. It is an issue that is becoming more real with state-sponsored cybercrime where authoritarian states are hacking computer and communications equipment belonging to journalists, human-rights activists or a democracy’s government officials and contractors.

Mutually-verified contacts

In most implementations, each contact has a code that is generated by the messaging or social media platform as a human-readable or machine-readable form. The former approach would be a series of letters and numbers while the latter would be a barcode or QR code that you scan with your computing device’s camera.

In a lot of cases, this code changes if the user installs the social-media app on a new device or reinstalls it on the same device. The latter situation can occur if your phone is playing up and you have to reinstall all of your apps from scratch.

Users are encouraged to verify each other using this authentication code either in person or through another, preferably secure, means of communication. In-person verification may take place in the form of one user scanning the other user’s machine-readable code with their phone.

This allows each user of the platform to be sure they are communicating with the user they intend to communicate with and there isn’t anything that is between each party of the conversation. It is similar to a classic contact-authentication approach of asking someone a question that both you and the contact know the answer to mutually like a common fact or simply using a nickname for example.

The feature is part of Signal but is being baked in to Apple iMessage as part of iOS/iPadOS 16.3 and MacOS Ventura 13.1. But I see this as a feature that will become part of various instant-messaging, social media and similar products as the market demands more secure conversation.

Zoom also implements this as part of its end-to-end encryption feature for videoconferences. Here, users can verify that they are in a secure videoconference by comparing a number sequence read out by the meeting host after they click on a “shield” icon that appears during an encrypted videoconference. Here, this feature could come in to play with Signal and similar apps that are used for group conversations.

Relevance

Primarily this feature is being pitched towards users who stand to lose a lot, including their lives because they engage in “high-stakes” activities. Such users are government officials, public servants and military in democratic states, vendors who sell goods and services to government or military in these states, journalists and media workers in states that value a free press along with human-rights activists and NGSs.

Here, these users become highly vulnerable due to them being of interest to authoritarian states and organisations or individuals that aid and abet these states.  It is also being applied to countries that have undergone a significant amount of democratic backsliding or are considered to be socially unstable.

Personally, I see this as being important for everyday use so you can be sure that whom you want as part of your social-media or online messaging circle is whom you actually want. Here, it can avoid you dealing with scams based on others impersonating you or others in your social circle such as the “relative in distress” scam. As well, it can also be seen as a way to be sure you are linking with the right person when you add a new person to your social-media list.

Conclusion

I would see an increasing number of communications, social media and similar platforms acquiring the “mutual contact verification” function as a security feature. This would be more so where the platform supports end-to-end encryption in any way or there is a reliance on some form of personal safety or business confidentiality.

Emiko is an example of how you can deal with online trolls

Article

Why Emiko is forgetting the trolls and passing on her love of food to her daughters instead – ABC Everyday

Previous coverage on HomeNetworking01.info

Constance Hall puts trolling and bullying in the TV spotlight on Dancing With The Stars

What can you do about people who use the Social Web to menace

Dealing with Internet trolls

How can social media keep itself socially sane?

My Comments

I had come across another personality who had to do battle with online bullies and trolls and she and her fan base turned it around for good.

Emiko Davies is a food writer of Japanese heritage who writes for newspaper lifestyle supplements as well as running an online presence about food. She has two daughters that are part of her food culture with one that has a large body frame.

There was an instance that she documented as part of an interview with Everyday, the ABC’s online lifestyle site. This was where Emiko’s large-bodied daughter was fat-shamed by online trolls, with Emiko being accused of not doing things right as a parent even though she is encouraging an enjoyment-of-food culture.

But, what I liked here was that an army of her online followers jumped in to defend Emiko, her daughters and her food culture. This took Emiko’s mind away from dealing with the perils of online life and led to most of these trolls deleting the comments they had posted.

It also led to Emiko changing her online-presence policy by limiting comment-writing privileges to followers and not sharing content about her children in the online space. Here she was able to rely on her followers as an army of defenders and to use the content-management tools and policies wisely to limit bad behaviour online.

But it also showed up an issue amongst the trolls as not having a healthy relationship with their food or bodies. This was drawing on an unhealthy culture where people who have a large body frame are frequently denigrated while their isn’t much positive content about these people, especially large-bodied children, engaging in joyful activities relating to food like cooking.

It is also driven by the diet culture and a vanity culture amongst women where the “hourglass figure” is considered the ideal look. As well, large-framed people aren’t really portrayed as significant heroes in popular fiction, especially juvenile fiction. There is a reality that some men and women who look large aren’t necessarily fat with this coming about because of ethnic origins or other factors or how one’s body shape changes over our lives.

Some of these accounts are showing up how a group of loyal followers for an online creator can act as their army especially when dealing with online bullying and harassment. It takes the heat off the online creator’s mind and allows them to continue to create good content. In some cases, it can also expose particular hurts that are taking place within our society.

Apple to support security keys as a means to protect your Apple ID

Articles

You can use security keys as a second factor for authenticating with Apple ID on your iPhone

iOS 16.3 Lets You Use a Physical Key for Added Security When Logging Into Your Apple Account (gizmodo.com.au)

Apple iOS 16.3 arrives with support for hardware security keys (bleepingcomputer.com)

Security Keys Are Now the Best Way to Protect Your Apple ID (lifehacker.com.au)

From the horse’s mouth

Apple

Apple advances user security with powerful new data protections (Press Release)

About Security Keys for Apple ID (Support article)

Use security keys to sign in to your Apple ID account on iPhone (Support article)

My Comments

Apple is making it feasible to use hardware security keys in iOS as an authentication factor for their Apple ID logon.

This is being desired as a “phish-proof” approach for secondary authentication or sole authentication due to a physical device not being easily coerced or fooled. As well, this “machine-to-machine” approach allows for stronger passkeys.

It is even seen as a preferred secondary authentication factor for online services used by journalists, human-rights defenders, the public service within democracies and others working with high-stakes information. This avoids such users being fooled in to releasing their online accounts to highly-targeted spear-phishing attacks.

Apple supports this on iPhones and iPads through the iOS/iPadOS 16.3 major feature update. This is also being written in to MacOS Ventura 13.2 for the Apple Mac regular computers whereupon you just use the security key as the secondary authentication factor. They primarily implement this as an alternative secondary authentication means to transcribing a six-digit number shown on your iPhone when it comes to two-factor authentication for your Apple ID.

In the context of the Apple Watch, Apple TV and HomePod devices, you use your iPhone that you set up with the security key authentication to provide the secondary authentication factor when you set these up for your Apple ID. Here, this is easier for limited-interface devices because another device is managing some of the authentication work with your Apple ID.

FIDO-compliant hardware security keys are supported with this update but they have to have an MFi Lightning plug or NFC “touch and go” interface to work with the current crop of iPhones in circulation. USB-C is also supported but you would need a USB-C to MFi Lightning adaptor for iOS devices except newer iPads that have this connector. You also may find that newer iPhones that are to come on the market soon will have the USB-C connector due to pressure from the European Union and some other jurisdictions.

There will be a requirement to set up two hardware keys with the same iOS device when you implement this feature. This is so you have a backup key in case the one you lose the one you regularly use or that one is damaged such as being laundered with your clothes.

Add to this that support does exist for app-level or Website-level verification with security keys within iOS. But it may allow Apple to build in and refine the necessary application-programming interfaces for third-party app developers who want to support this form of authentication.

What I see at least is the implementation of hardware security keys in the mobile platform context when it comes to multi-factor or password-free authentication for the user’s primary platform account. Who knows when Google will offer this feature for Android. Could this also be about leading towards the use of hardware security keys as a hardening factor for user account security?

Google to provide privacy-focused object blurring as an open-source tool

Article

Google is making its internal video-blurring privacy tool open source | Engadget

My Comments

There are objects you have to be careful of when you photograph them for the public Web. What I mean by that is public-facing social media accounts, blogs or similar use cases where the general public would see the content; or images being offered as stock photos for anyone to illustrate material with.

Such objects are things like vehicles with their registration (license) plates or documents that lie in the scope of a picture and they can easily be considered personally-identifiable information. Even tattoos on a person could be considered identifiable unless they are a common design.

What Google has done and is publishing as open-source is a software algorithm that follows an object like a vehicle’s number plate and blurs that object. This could happen not just in photos but in videos where that object is moving. Here, it avoids the risk of that kind of information being indexed by a search engine with optical-character-recognition abilities.

This can also come in to its own where an email address, Web link or QR code is part of an image and there is the desire to control the use of this data by people who see the image on the Internet or on TV.

It is being pitched towards creators or journalists who want to blur out personal-identifying information whether that be of themselves, their premises or people they know for content destined for the public Web. Typically this workflow will be in the form of creating and editing a “public copy” of the image they took and using that on the Website or social-media account.

But there may be some use cases where an identifier is required to be visible in the published photo. For example, when a vehicle is put on the market, having a visible registration number in the accompanying images of that vehicle in the online ad is an asset for buyers when it comes to checking that vehicle’s provenance.

What I would like to see with this software is for it to be repackaged as a free plugin for photo and video editing software. Or, better still, more photo/video editing software developer being encouraged to “bake” the privacy-blurring code in to a major version of that software.

Samsung to roll out a “valet key” for your smartphone

Article

Samsung Galaxy A52s 5G Android smartphone

Samsung smartphones will end up with a “maintenance mode” for your data protection when you have them repaired

Samsung rolls out One UI 5 ‘Maintenance Mode’ to keep your data safe during repair (9to5google.com)

New Samsung Maintenance Mode protects your data during phone repairs (bleepingcomputer.com)

My Comments

For a long time, most of the good cars came with a “valet key” arrangement of some sort. This especially benefited sedans (saloons), coupes and similar cars that had a lockable trunk (boot), but also benefited any car that had a lockable glove box.

Here, the car would come with one key that can only open the doors and start the engine but can’t open the boot or glove box. You could still open the boot or glove box with a separate dedicated key or another key that can open everything. This was about allowing you to had over your car to a mechanic’s, a valet-operated car park or a similar facility knowing that the staff at the facility can’t steal valuables from the glove box or boot.

Samsung is introducing the “Maintenance Mode” as part of its One UI 5 / Android 13 update for their recent Android smartphones. Here, it is to achieve this same goal by locking your personal data in a separate account not available to technicians who repair or service your phone. These technicians then have access to an account specifically created for testing and repairing the phone.

White Jaguar XJ6 Series 2

.. just like cars such as this Jaguar XJ6 did to limit access to the boot (trunk) and glove box when the vehicles were repaired or at valet parking

As well, they can install utility software on your phone as part of the maintenance work but once you log in to your phone again with your normal account, this software is removed. A question that can come up here is what happens if the repair requires the installation of software updates or patches, perhaps to provide driver support for replacement hardware and this has to operate with your own normal account.

Samsung are initially offering this to selected Galaxy phones sold within the USA as part of a beta-test for One UI 5 but are wanting to roll this out across the world through 2023.

Most of us would find this of benefit as we use our smartphones as the digital equivalent of our wallets, photo albums and keyrings. The well-founded fear we have with this is technicians taking advantage of our personal data especially if they see value in it for them.

I would see the “Maintenance Mode” feature being of interest to computing-device vendors and operating-system developers as something to add as a significant feature for an operating system. Here it may be offered during a major feature update cycle for the operating system or as part of a security package.

Such a feature could give all of us peace of mind when we relinquish a smartphone, tablet or laptop computer to technicians that we don’t know for repair.

European Union to establish own DNS infrastructure

Article Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

EU wants to build its own DNS infrastructure with built-in filtering capabilities – The Record by Recorded Future

My Comments

Europe is working on another Internet-focused effort to maintain some sovereignty over its online affairs.

The DNS is the Internet’s equivalent of the traditional White Pages telephone book where when you would look up someone’s name in that book to find their phone number. Here, it is about looking up the domain name part of a Web address like “homenetworking01.info” and identifying the IP address of the Webserver that hosts the Website. This process is very similar for looking up the IP address for the email server that is listed after the “@” part of an email address.

Here, the European DNS4EU effort is about creating a network of DNS servers that are based in Europe. It is essentially about European data sovereignty where this Internet-essential function is in European hands and fully subject to European laws and norms rather than in the hands of a few non-European companies.

For example, this DNS effort is run compliant to the European Union GDPR user-privacy directive and avoids issues to do with the USA’s CLOUD Act which can place online data use subject to US authorities’ investigative requirements even if it is used overseas as long as the servers are owned by a company based in the USA.

The DNS4EU DNS service will also have powerful filtering abilities to work against cyber attacks. This can include blocking DNS name resolution for domains associated with malware or phishing sites. But there are questions about which kind of Internet user this would be mandatory for like the public sector, financial services or essential services or whether EU-based or all European based ISPs will be required to take advantage of this new DNS4EU infrastructure.

This same project also assures compliance with court orders against access to prohibited content like child-sexual-abuse imagery or pirated content. But this kind of protection may be limited to the European Union or a wider area like the Euripean Single Market or even the countries under the Council Of Europe’s scope.

Another benefit often seen with this is increased speed for European DNS queries due to the proximity of the DNS4EU servers to European citizens and businesses. It is also a way that Europe can carve out its own online identity amongst their own citizens rather than relying on other areas for its IT needs.

As I have said before, there could be questions raised about the kind of geopolitical reach that the European Union’s new DNS infrastructure would have. But it could be seen as one of many attempts for Europe to have its own IT infrastructure and work in a manner independent of countries like the USA.

FIDO Alliance closer to password-free authentication

Article

Facebook login page

FIDO Alliance could be having us move off passwords when we use online services

FIDO Alliance says it has finally killed the password • The Register

From the horse’s mouth

FIDO Alliance

Charting an Accelerated Path Forward for Passwordless Authentication Adoption – FIDO Alliance

My Comments

The FIDO Alliance and WebAuthN groups are moving towards a password-free authentication approach for online services. This is based around a device-local private authentication key associated with your username for that online service that is only released when you enter your device PIN / screen-unlock code or scan your fingerprint or face where your device supports it. A corresponding public key is stored in the user’s account record on the online service’s servers and used to “test” the private key to complete the user-verification process.

Samsung Galaxy Tab Active 8" business tablet press picture courtesy of Samsung

The smartphone will end up as a key authentication device especially if you sign in with your fingerprint or face

But there is a problem associated with the reality that most of us own multiple computing devices. This can typically manifest in us owning a smartphone, a mobile-platform tablet like an iPad and/or a regular desktop or laptop computer. There is also the fact that most of us will end up owning “connected-TV” equipment be it a smart TV, set-top device or games console that is a gateway to online video services. Or we may even end up using various smart-home platforms including Amazon Echo or Google Home.

The problem also includes lifecycle issues associated with today’s devices such as acquiring a new device or replacing a broken, lost or stolen device. Or it could include where one is using another device on a temporary basis like using a friend’s computer or a computer at a hotel business centre.

Then there is the issue of phishing even with multifactor authentication because there is no way of identifying whether a user is signing in to the real online service or not.

Solutions

Bluetooth as a means for authentication

Logitech MX Anywhere 3 mouse on glass table near laptop

Or you could authenticate online services from a laptop’s fingerprint reader or your smartphone

One factor being examined is the use of your smartphone as a roaming authentication device. Part of what will be looked at is using Bluetooth LE as a machine-to-machine link between the device you are signing in from and your phone to conditionally release online-service authentication keys.

This avoids you entering a one-time-password in to a phishing site for example because you are not transcribing information in to a site. The Bluetooth functionality is also about device proximity – your smartphone is close to the device you want to sign in from.

I also see the Bluetooth link appealing to client devices that have limited user interfaces like connected-TV devices, printers and the Internet Of Things. It avoids the need to log in to your online service to transcribe a “binding code” to use it with connected-TV devices or, at worst, “hunt and peck” a username and password to associate it an online service.

It will also support bare-bones provisioning to new devices irrespective of the platform such as when you, as an iOS or Android mobile-platform user, want to set up you Windows laptop to work with your online services.

As well, it could come in to its own with temporary-use scenarios like shared computers or equipment installed in places like hotels. It could even include adding one’s online video service account to smart TVs or set-top devices installed in hotels, holiday home or common rooms for temporary use.  I could even see this earn its keep as an alternative to cards for authentication at kiosk-type setups like ATMs.

Multi-device authentication

The multi-device approach would be on the likes of Apple, Google and Microsoft coming to the party. This is because it would be based on device operating systems and associated cloud-driven account services like Apple ID (MacOS, iOS, tvOS), Google Account (Android, ChromeOS) and Microsoft Account (Windows, XBox).

In some cases, it may extend to device vendors or other entities who run their own cloud-driven account services and want them as the login of choice for your online world. Even account services typically managed by businesses or education establishments could become “primary” account services typically for large fleets of organisation-owned devices.

Amazon Echo Show 10 press image courtesy of Amazon

Even smart displays like the Amazon Echo Show 10 could be in on the action

This approach would have the operating system create and use the authentication key and store these with your account on the cloud-driven account service. It would come in to its own if you are adding a device that works with the same platform as what you were using, for example onboarding an iPad to the same Apple ID as your iPhone.

The system can distinguish between an extant device and a newer device through another device-bound authentication key that underscores that you are authorised to use the service with that physical device. Here, it can be about deeming that particular new device as trusted and under your control or some corporate setups may use it as a way to constrain use of the service to devices they have control over.

Online services would have to support a number of authentication keys for the same username with these associated with different computing platforms an end-user is likely to use. As well, another requirement that would be expected is to have one authentication key able to work across a vendor’s different operating systems such as a mobile OS and a desktop OS. This is due to vendors architecting their mobile operating systems for battery efficiency while the desktop operating systems are maintained for performance.

Situations

Moving between devices or platforms

Apple TV 4th Generation press picture courtesy of Apple

.. as could the likes of connected-TV and set-top-box setups like the Apple TV

If you are moving your online life between devices of the same platform, the multi-device authentication would  have all the platform-level authentication keys moved across similar to what happens with a password vault app.

The Bluetooth authentication approach will come in to play if you have devices of a different platform. But you have to have one of the devices still alive and in your possession for this to work properly.

What really may happen is that you may use Bluetooth authentication to “enrol” other computing devices and have them seen as trusted devices once one or more of your devices support the necessary standards. Then, whichever one of them that is “alive” like, per se, your regular computer or your mobile-platform tablet would be used to authenticate your replacement smartphone to your secure online circle even if this was to replace a lost, stolen or damaged phone.

If you intend to completely move off a platform, you can simply delete from your online services all the credentials associated with that particular platform. This may be through account management options offered by the online service where you revise what platforms you are logged in from.

Multiple-platform setups

Most of us are likely to operate a multiple-platform setup for our online lives. This will typically range from an iPhone and a Windows or Macintosh computer through an Android phone, an iPad and a Windows computer.

Online services will be likely to keep with your username, multiple sets of access credentials for each computing platform you are using. There will still be the ability to keep a platform-specific authentication key for your devices that operate a particular platform along with another for a different platform.

Gaps yet to be filled

One gap that needs to be filled is software-to-software authentication like what is expected for email or document-contribution setups or even the Internet of Everything. Such setups typically rely on stored credentials to authenticate the user with their account on that service along with client software like email clients having continual access to that service.

This may have to be about adapting protocols like IMAP4 or XML-RPC to device-generated authentication credentials and supporting multiple sets of these credentials for one user account. This would be important where multiple client devices are being used for the same online service such as a smartphone and a laptop for an email service.

Conclusion

Even the common reality of users operating multiple devices or using a highly-portable device like a smartphone as an authentication device will not escape the goal of a password-free online-service future. Here it would primarily be about authenticating with a device-local PIN or your fingerprint

Cloudflare to work on simplified CAPTCHA

Article

CAPTCHA text

Cloudflare is intending to replace CAPTCHA authentication on Web forms with …

CAPTCHAs May Soon Go Extinct (gizmodo.com)

From the horse’s mouth

Cloudflare

Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness (cloudflare.com)

My Comments

The CAPTCHA is being used as a means to prevent spam emails or comments on Websites or to assure that people who register in an online context are real people.

But these measures, typically ranging from transcribing letters or identifying objects, can be very frustrating for many people. This is caused by hard-to-read or small letters or instructions relating to object identification being difficult to understand on a language or cultural context. As well, some of these CAPTCHAs don’t work well for mobile setups like smartphones which is increasingly the common way to use the Internet. That leads to abandoned registrations or online-shopping carts or people not joining in to online services for example.

HP Elitebook 2560p business notebook fingerprint reader

you scanning your fingerprint on your flaptop’s fingerprint scanner or you entering your device’s PIN code to prove that a person is entering the data

CloudFlare are working on a different approach to authenticating the personhood of a device user without resorting to letters to transcribe or objects to identify. Initially they are using USB security keys for this purpose but are moving towards full WebAuthN implementation for this purpose.

This approach will work with WebAuthN-capable browser and operating-system setups and work in a similar vein to password-free authentication for online services using that technology. This will require you to enter your device PIN, use face recognition or use the fingerprint reader, operate a USB security key or an authenticator app on your smartphone to prove your personhood, as if you are enrolling in to an online service that implements WebAuthN technology.

The success or failure of the WebAuthN test will simply allow you to submit that form or not on the Website. The logic won’t cause any extra identifying factors to be stored on the online service’s server under default setups. But it may store a device-local cookie to record success so as to treat the session as authenticated, catering towards data revision approaches in wizard-based forms or long data-entry sessions.

A question I would have with this CloudFlare approach is how it can work with computing setups that don’t support WebAuthN. This will also include shared computing setups and public-access computers where the use of this kind of authentication may not be practicable for a single session.

But Cloudflare’s effort is taking WebAuthN further as a way to prove that a real person rather than a robot is actually operating an online account in a manner that is universal to abilities, languages and cultures.