Category Archives: Privacy

Seven to ten to seven

As you undoubtedly know, for now my recommendation about Windows 10 is: Stay put when you’re on 7, upgrade when you’re on 8/8.1. If you disagree, that’s fine: do what works for you. Of course, there is an “if”, namely, you’d better upgrade to 10 in order to secure the 10 upgrade for free before the promotion ends. As such, I’ve been a busy bee, taking Windows 7 machines, making an image of their disk, then upgrading and then reverting to the 7 image.
Technically, you can upgrade to 10, ensure your machine is activated and then click the “revert to 7” button in the “Upgrade” section somewhere. You have 30 days to do this. Now, personally, I prefer the “image-upgrade-restore” process because you do not know what Microsoft does when you click the rollback button. Is your machine hash flagged? Well, you get to say what you think of 10, but there is most likely not a human soul that will ever see these complaints.

Being more the Unix guy, I automated my work as far as possible. The automation consists of three parts: an imaging script and two Windows scripts (reg and cmd). The first script is actually rather old and was originally written for other purposes: imaging newly bought PCs. It uses parted, so I assume that it should work on GPT partition layouts, but I have never tested this.

Now, to be entirely honest, you’re not going to manage to do the imaging without a little crash course on devices and the Linux command line. (Only tested on Ubuntu 14.04 LiveUSB. Dependencies are: ntfsclone, dd, dmidecode, hdparm and probably another few)
Basically, you’ll run it as follows: sudo ./generate-image.sh /dev/sda
However, this assumes a few things: your working directory has my script, that in this working directory you have enough space to store the generated images and that the disk you want to image is /dev/sda (which it most likely will be, but I cannot say for sure). You also need to be sure that no partition of /dev/sda is mounted. (Hey, now that’s something I could add to my script…)
When you run that script, it will create a directory based on your machine’s information, and will attempt to image the mbr (full and without partition table), and all partitions. For vfat it reverts to dd, for ntfs it reverts to ntfsclone and it generates a restore.sh script for your convenience for easy restoration. I’d say: cool, but you may think otherwise.
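
The "nothing on the disk may be mounted" requirement can be checked before imaging starts. The following is an added example, not part of generate-image.sh; the function names and the sample table are constructed for illustration, and it also treats active swap on the disk as "in use".

```sh
#!/bin/sh
# Added example: refuse to image a disk while any of its partitions is in use.
# Function names and sample data are constructed for this illustration.

# mounted_partitions DISK [FILE...]
# Prints "<device> <mount point or swap type>" for DISK itself and for each of
# its partitions (sda1, nvme0n1p1, mmcblk0p2 ...) listed in the given files.
# Defaults to /proc/mounts and /proc/swaps. Limitation: devices mounted through
# /dev/mapper or /dev/disk/by-* names are not resolved back to DISK.
mounted_partitions() {
    disk=$1
    shift
    [ "$#" -gt 0 ] || set -- /proc/mounts /proc/swaps
    awk -v disk="$disk" '
        index($1, disk) == 1 {
            rest = substr($1, length(disk) + 1)
            # "" is the whole disk; "1" or "p1" is a partition; "a1" is another disk
            if (rest ~ /^(p?[0-9]+)?$/) print $1, $2
        }' "$@"
}

# assert_unmounted DISK [FILE...]
# Returns 0 when nothing on DISK is in use, otherwise lists the offenders on
# stderr and returns 1 so the caller can abort before touching the disk.
assert_unmounted() {
    busy=$(mounted_partitions "$@")
    [ -z "$busy" ] && return 0
    printf 'refusing to image %s, still in use:\n%s\n' "$1" "$busy" >&2
    return 1
}

# Constructed sample in /proc/mounts format followed by /proc/swaps format.
sample_tables() {
    cat <<'EOF'
/dev/sdb1 /cdrom vfat ro,noatime 0 0
/dev/sda2 /media/ubuntu/OS fuseblk rw,nosuid,nodev 0 0
/dev/sdaa1 /mnt/other ext4 rw 0 0
tmpfs /run tmpfs rw,nosuid 0 0
Filename Type Size Used Priority
/dev/sda5 partition 2097148 0 -1
EOF
}

# Stand-alone use: sh check-unmounted.sh /dev/sda
if [ "$#" -gt 0 ]; then
    assert_unmounted "$@" || exit 1
fi
```

On a live session the file manager may auto-mount the Windows partition, which is the case this check catches before ntfsclone or dd reads a volume that is still changing.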

Nevertheless, I have decided to publish it here for the nerdier guys.

So, then you upgrade to 10, wait until it’s activated and that’s the last you’ll see from Windows 10.

Now, you boot back to your LiveUSB, go to the image directory the script created and run sudo ./restore and it will restore everything magically. If you want to use the backed up partition table, give any parameter (it’s a bit dumb, yes…).

When it’s all done… Reboot. You’re back to your Windows 7 machine as if nothing ever happened.

Now for the part any Windows user can do. The two scripts in the privacy.zip are privacy.cmd and privacy.reg. The reg file you can just double-click, and it will essentially mark your machine as being “not interested in Windows 10, don’t bother me any more”. It disables GWX (the Windows 10 notification icon), disables the upgrade function, disables reservation and disables the fact that recommended updates are treated like important updates. This is important, because Microsoft used the “recommended” channels to push these -let’s just say “annoying”- patches to your computer.

The privacy.cmd script does something entirely different. If you haven’t been living under a rock the last months, you know that Microsoft pushed patches that add a tracking service to your pristine Windows 7 installation. Now the script starts off with stopping that service, and then disabling it. I do this, because the uninstallation of the offending patches might fail for some reason. At least, then you’re sure the service is off. After it has done this, the script tries to uninstall the patches related to the Windows 10 upgrade and the tracking service.
Be advised, in order for the privacy.cmd script to work you need to run it as Administrator. Right click on it, then select “Run as Administrator”. It might take a while.
Congratulations, the nagging for the upgrade should stop, until Microsoft decides to push it as an important upgrade. After a reboot, you may want to manually mark these patches as hidden. Perhaps I should try to figure out whether you can do that with a registry patch too.

What is your Facebook “username” any way?

My previous rant is wrong.  Well, not in the sense that I’m going to admit that “email-as-username” is the greatest idea on earth.  I still think it’s dumb, and some people I respect a lot disagree.  I’m still not convinced.

No, a little bird tweeted me the following:

@jawtheshark changing the email for facebook won’t help … you can use your actual username to login, no need for email address

— Pit Wenkin (@PitWenkin) August 13, 2014

Wait?!?  What?  That vanity URL, I took back in the day also counts as my username?  Hands up, who knew that?  I most certainly didn’t.  I tested it from within a Private Browser session, all the following worked:

  • My “jawtheshark” gmail.
  • My “jorg.willekens” gmail.
  • My work cellphone
  • My private cellphone
  • My facebook vanity url nickname and by extension my facebook email.

Basically, pretty much anything that could identify me can now be used as a username to be logged into Facebook.  I am not really sure if that is a good idea.  So, I didn’t fix Flirty’s problem, since her “attacker” could use any of the above if he knows about the existence of them and they’re pretty much public.

The username/email conundrum

Hand Drawn Web Icon Set by Pawel Kadysz. Free for commercial use

Flirty, our Executive Assistant, looked rather down and tired today. Sure, she is a ranty German chick as we know and love them. She is mostly on a friendly-flirt basis with me in the sense she calls me “honey” and I call her “sweetheart”. All in good natured humour, naturally. She looked stressed out.
While working with executive divas is straining, it was clearly something else. It came out rather quickly: Her Facebook had been hacked or at least someone was attempting to hack it.
Now of course, we all are familiar with the occasional “Your account has been accessed from Bumfuck, Elbonia, was that you?“.  Usually, it just means some silly hacker got hold of a username and tried a few attempts.  Nothing much to worry about.  This, however, was so much more worrying.  The login-attempts came from the city she lives in. First of all, kudos to Facebook detecting that.  It sure as hell isn’t only geolocation that’s used for detection.

It does mean, however, that most likely someone she knows is trying to hack her Facebook.  Why?  Who knows, it’s none of my business.  What it also means, is that changing her password was not enough.  These messages and attempts would continue, since the person trying this knows her username.

I told her to see whether her email provider allowed aliases for her current email (I was astounded: it did!  Yay, for that provider!), and told her to use the new alias as her Facebook login instead of her normal email address.  (Note: you do need to delete the original one, because you can use all your registered emails to log in!  Try it.  I wasn’t aware of that.)  I’m pretty sure this will fix the issues.  I’d have loved to set up two factor authentication, but it requires installing the Facebook Application on her phone, and she didn’t want that.  Fair enough.

I think that will fix her issue, but it does highlight a problem, that has annoyed me more than once: the insistence of using email addresses as login credentials.  I have no idea who came up with that, but he needs to  be stomped in the balls.  Along with those people who thought it was a great idea and adopted it.  That’s a lot of stomped balls.
You see, most “normal” people have at most two email addresses: a private one and a work one.  Yes, yes, I have half a gazillion, and so do you, but my mom doesn’t, neither does my wife or in this case Flirty.

It means that, by definition, anyone knowing such a person will know the “username” you have to use on so many sites.  Now, I do realize usernames are not secret, and they never have been, but this “email-as-a-username” system serves the “username” to wannabe hackers on a silver platter.

Now, sure, they still have to guess your password.  They’re not going to come in, unless your password is very weak. The situation indicates that “someone she knows” tried this, which puts the odds of a correctly guessed password much higher.  To less technical users, those notifications of someone attempting a login, especially from the city where you live, are very scary.  I’m glad Facebook does this, but it makes non-techs freak out.

Never mind that in the bigger picture, spam lists can now be used to try to authenticate against a plethora of services, like iTunes, Facebook, etc…  Sure, the odds are low, I do realize that, but once someone starts using a list you are on, you might be annoyed quickly.

There is another problem with this, by the way, which is unrelated to Flirty’s problem.  I had this particular misunderstanding with my mother in law.  Given so many services rely on the “email-as-a-username” system, she started to be totally unable to differentiate between accounts.  To the point she thought she had an account on a website she never registered with, but tried to login with her email address using her (real) email address’s password.  Imagine someone was logging that!
This is complicated even further by the fact that different services have different requirements for passwords making it impossible to give all accounts the same password.  Yes, I know this is a very bad security practice[1], but hey, I don’t want her to call me every time a password is required.  So it is good that her iTunes and email password aren’t identical, but it is very bad for her as she doesn’t have a clue what is going on.  Yes, yes, “education” and “informed users”… blah, blah… Can you tell I’m jaded?

Basically: “email-as-a-username” is flawed.  The only positive things I can see about it are that it’s easy to remember and a password reset is easy…. provided the email is still active and it didn’t get compromised itself.

Perhaps I’m missing something? If so, feel free to inform me.

Footnote [1]
I realise that someone is going to say “use a password manager”, which is a wonderful technical solution.  Except of course, for normal users this complicates the whole thing even more.  I’m not even a fan of password managers, because I don’t want the data stored on a server that is not under my control and I want the information still globally available.  Best I’ve found is to use pass, on a machine to which you have ssh access.  Covers my requirements, but definitely isn’t for Joe Sixpack.

On shared computer accounts.

“I read your email” used to be a popular system administrator’s t-shirt. It probably still is.  Ever since I started playing system administrator, for home systems, it was one of the things I didn’t do.  It’s user data, you don’t touch user data and it’s the way it should be.

Way back in those days, the typical home computers did not have significant user accounts.  Stuff was shared, and I do remember one occasion of one of my family members going through our Eudora account and being angry at something I wrote.  I don’t even remember what it was, it must have been quite petty.  It is then that we separated everything for everyone: everyone got his/her own account,  password protected, preferably with the screen saver locking out access.  All this even got better when we switched to Windows NT 4.0 and later (the best operating system coming from Redmond, ever) Windows 2000.

It brought fun stuff like, having your own colour scheme, your own wallpaper and you could organize your data as you wanted.  The downside was having to log out and then log in when another user wanted to use the machine.  I mean, I am talking pre-Windows XP, here.  When we did switch over to XP (rather late, SP2 was just released), the “Fast User Switching” feature was one of the biggest arguments.  That, and the superior wireless handling.

Why do I write this?  It’s 2014, and I just found out, by reading into the context, that a certain branch of my family uses a shared computer account.  Today, around 20 years after we started separating our accounts.  They don’t even have the technological hurdles we used to have!  When I pointed out to them that this was not a good idea, I got the typical “we have nothing to hide to each other”.  Well, neither do I… Not really, at least, but you might need the occasional brain bleach if you do go meddling in my data.  For me this is about respect:  I respect your part of the computer and you respect mine.  Just as I respect your sock drawer and you respect mine.  I can look in it, but I won’t.  Because I respect you.  It’s the same reason my wife won’t ever take my phone without asking me, and I won’t do that with hers either.

In that sense, it’s about trust: I trust you enough to give you your privacy.  I expect the same from you.  Let’s say it a bit differently: You may have nothing to hide, but you should still value your privacy.  Even from loved ones.

As you see, I don’t even touch on global spying, where the NSA and other governments try to track your every move and violate your privacy continuously.  That’s the big picture, but really, you won’t get the big picture if you fail to see the issues within your own four walls with your loved ones.