Month: March 2019

Rhett Jones, Gizmodo:

For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like “ji32k7au4a83” would be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up more often than one might expect.

This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.

This is a fantastic nugget of trivia that ought to entertain friends at your next dinner party or night out at the pub.

Michael Finkel, GQ:

In the annals of art crime, it’s hard to find someone who has stolen from ten different places. By the time the calendar flips to 2000, by Breitwieser’s calculations, he’s nearing 200 separate thefts and 300 stolen objects. For six years, he’s averaged one theft every two weeks. One year, he is responsible for half of all paintings stolen from French museums.

By some combination of skill and luck, Breitwieser and Kleinklaus are doing everything right to avoid capture. They constantly shift the countries they target, alternating between rural and urban locations, large museums and small, while further mixing things up by stealing from churches, auction houses, and art fairs. They don’t kick down doors or cover their faces with masks—actions that would trigger a much greater police response. Crime works best, Breitwieser believes, when no one realizes it’s being committed.

Several times, he steals while they’re on a guided tour, then casually continues the tour while holding the item. At an art fair in Holland, Breitwieser hears a shout of “Thief!” and sees security guards tackle a man. It’s another burglar. Breitwieser takes advantage of the commotion and slips a painting under his coat.

Via Michele Seiler at Coudal, naturally.

Jeremy Burge:

For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.

Facebook 2FA numbers are also shared with Instagram which prompts you ‘is this your phone number?’ once you add to FB.

Zack Whittaker, TechCrunch:

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

This isn’t just yet another example of Facebook behaving outrageously when it comes to the company’s pathological need to slurp up everything about its users’ every living moment. It also has the potential to reduce the likelihood that users will adopt two-factor authentication. Technically-literate people have been preaching two-factor authentication for a long time, but average users have been slow to enable it; if they get the impression that it’s yet another piece of data that creepy companies can use to track them, they will be even more hesitant.

Also, I’d like to address something about two-factor authentication that’s been bugging me for a while. Ever since fears about SIM hijacking began spreading, some people have been claiming that using SMS-based two-factor authentication is worse than not using two-factor at all. I think that’s silly and myopic. It is worth noting that SIM hijacking is pretty easy for someone who has access — directly or indirectly — to a carrier’s SIM backend. But the circumstances under which someone’s phone number would be hijacked are pretty rare for the vast majority of us. People who hold short-username or high-value social media accounts, higher-ranking employees, activists, journalists, wealthy individuals, and public figures are more susceptible to these kinds of attacks. Most of us, however, are not any of these things, and will likely benefit from using any kind of two-factor authentication. You should use a code generator or a hardware mechanism like a YubiKey wherever you can, but SMS authentication is not necessarily terrible, and is likely not worse than using no verification at all.

However, that is entirely theoretical, and there’s an enormous caveat you should be aware of: while you may have loads of email accounts and it’s trivial to create a throwaway one, you probably only have one phone number. Therefore, it is critical that you only give your phone number to services and apps you really trust. Many unscrupulous apps will include your phone number in information they send to data brokers and advertising companies like Facebook. You should, therefore, be extremely careful when providing your phone number anywhere. Treat it as you would a unique personal identifier, like a Social Security Number or a Social Insurance Number. Assume it has been compromised, but protect it nevertheless.

Bill Bostock, Business Insider:

Google has declined to remove from its app store a Saudi government app which lets men track women and control where they travel, on the grounds that it meets all their terms and conditions.

Google reviewed the app — called Absher — and concluded that it does not violate any agreements, and can therefore remain on the Google Play store.

The decision was communicated by Google to the office of Rep. Jackie Speier, a California Democrat who, with other members of Congress, wrote last week to demand they remove the service.

Apple has also, so far, not removed Absher from the App Store. I wonder if, before starting their app marketplaces, either company considered that they could trigger a diplomatic crisis if they were to remove an app.

By the way, when I checked just now to see if Absher was still available in Apple’s App Store, I noticed that it had over six hundred reviews, with an average rating of 4.9 out of 5 stars. That’s unbelievable — as in, I literally cannot believe that a paperwork utility app created and distributed by a government agency could be so beloved. Even when sorting by “most critical”, the lowest rating seems to be a mistake; every other rating is at least four stars. Looking closer, a large number of reviews seem to have been posted in the last two weeks, and many of them mention how “well developed” the app is, how “useful” it is, and how it is “used by both genders” including “female citizens”. It seems unlikely to me that lots of people spontaneously decided to review this app recently using the same words.

The Electronic Frontier Foundation yesterday launched a new initiative they’re calling Fix It Already, with demands for the resolution of what they see as critical issues with products and services from nine of the biggest tech companies. These requests are thoughtful and well-considered; it’s worth reading through them.

Of Apple, the EFF says that the company should improve the encryption of iCloud data by ensuring that users control the keys.

I am certain that this is far more difficult to implement than most people outside the iCloud team realize, and that there may be caveats. But now that oppressive regimes like Russia and China are demanding that cloud data for users in those countries be stored on servers located in those countries, and Australian authorities think they can get software companies to crack encryption just by asking, I think this is an increasingly pressing concern. I would like to see Apple address this.

Dan Seifert of the Verge likes Samsung’s new Galaxy S10 Plus — especially its incredibly dense and high-quality display — but isn’t a fan of its unlocking and user verification options:

The other new thing that’s embedded in the screen is the fingerprint scanner, which has been moved from the back of the phone. The S10’s scanner is ultrasonic, which is supposed to be more reliable and harder to spoof than the optical in-screen fingerprint scanners we’ve seen on the OnePlus 6T and other phones. It even works if your finger is wet.

But it’s not as fast or reliable as the traditional, capacitive fingerprint scanner on the back of the S9. The target area for the reader is rather small (though the lockscreen will show you a diagram of where to place your finger) and I had to be very deliberate with my finger placement to get it to work.

Even then, I often had to try more than once before the S10 would unlock. I’d just rather have a Face ID system that requires less work to use, or at the very least, an old-school fingerprint scanner on the back of the phone. The S10 does have a face unlock feature, but it’s just using the camera to look for your face and compare it to a previous image — there’s no 3D mapping or anything. I was actually able to unlock the S10 with a video of my face played on another phone.

For what it’s worth, Brian X. Chen of the New York Times also had trouble with the under-screen fingerprint reader, but Marques Brownlee did not. Chen spoke with a Samsung representative:

I shared my concerns with Samsung. Drew Blackard, a director of product marketing at the company, said that based on customer feedback, the fingerprint sensor was the most popular method for unlocking devices. As a result, the company focused on improving that feature.

He added that Samsung was studying face recognition and had made it more difficult to trick the scanner with a photo of a person’s face. “Is it an area that we’re continuing to look at? The answer is: Of course,” Mr. Blackard said.

I have to say Samsung’s decision to focus on fingerprint sensing instead of upgrading its face scanner is not particularly satisfying. User feedback isn’t generally an ideal way to design security features. After all, many people also enjoy using the same weak passwords across all their internet accounts.

Last year, component producers told Reuters that Apple’s Face ID system was about two years ahead of its competition; they estimated that comparable facial recognition systems would start to become available on Android devices this year. It’s hard to think that these under-screen fingerprint readers exist for any reason other than because they can’t yet compete with Face ID.

I also found this comment noteworthy in Seifert’s review:

Perhaps more interesting than the screen itself is what’s embedded in it. Though the display stretches to the very top edge of the phone, the S10 doesn’t have a notch cutout for its front facing camera. Instead, Samsung is using an offset “hole punch” design, which allows the camera to poke through the screen on the right side. On the S10 Plus, this houses two cameras: the main camera and a secondary one for depth effects and portrait mode.

This design lets Samsung avoid the oft-criticized notch look, but it also means that the battery and network indicators are awkwardly pushed off-center to the left. A notch design has similar compromises, but it’s at least symmetrical: notifications and clock are on the left, battery and network indicators are on the right. The off-center look of the hole-punch design just looks worse to me.

I’m ambivalent as to whether a notched display or a hole-punched display looks better. But one thing I have noticed on both kinds of displays is that Android manufacturers often have an option to create a blackened area to surround and hide the notch or the cutout. It never fails to look clumsy. The more I look at photos and screenshots of phones with that mode switched on, the more I think Apple was right to discourage developers from hiding the notch.