The Scourge of Email Click-Bait

We all get some SPAM in our Inboxes – despite the best efforts of our email hosts, be they Google or otherwise. But another type of message is starting to gain traction and I receive a number of these a week now – normally from recruiters, it has to be said – and they are akin to the Click-Bait links you see all over the web (you know, the ones that normally end with ‘you’ll never guess what happens next’).

So, what am I talking about? Well, from this morning’s Inbox we have ‘Exhibit 1’:

I’ve blurred the sender (although as I type I don’t really know why) but the subject line starts ‘Re:’ which would indicate that this is a reply to an email that I’ve sent – standard email client functionality. But I’ve never emailed (or even heard of) the sender or their company.

It’s just a ruse to get me to click on the message and read what they have to say – because the premise is that we have done business in the past.

Now, I may be getting old but I know if I don’t know someone and I’ve never heard of this guy. Add to that the fact that I can see the initial content of the email and that I have never, ever hired C# developers and it was pretty clear what this was – basically just SPAM sent by a low-end recruiter (not tarring all with the same brush here, I deal with many good ones) in an effort to appear to be known to me and to have an understanding of my requirements – neither of which is true.

It’s really no better than the email below it – which did slip through the SPAM filter.

The thing is this is not limited to low-end recruiters, I’m seeing this all the time now. Is this how people and companies think they can get an edge these days?

OK, maybe it’s not really a scourge but it is certainly a bit on the sly and underhanded side of the wire.
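The tell the post describes – a subject line starting ‘Re:’ with no earlier conversation behind it – can be checked mechanically. A real reply is built by a mail client from the message being replied to, so it normally carries `In-Reply-To` and `References` headers pointing at that message; a cold pitch that merely types ‘Re:’ into the subject has neither. The following Go program is an added example written for this page, not code from the post; the two messages in it are constructed samples, and the header rule is a heuristic (the headers can be forged, so treat a hit as one signal for a filter rather than proof).

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample: a genuine reply. The client copied the original
// Message-ID into In-Reply-To and References.
const genuineReply = `From: colleague@example.org
To: me@example.org
Subject: Re: project timings
In-Reply-To: <20180214.1234@example.org>
References: <20180214.1234@example.org>

Thanks, see attached.
`

// Constructed sample: a cold pitch dressed up as a reply. Nothing ties
// it to any earlier message.
const coldPitch = `From: recruiter@example.net
To: me@example.org
Subject: Re: C# developers for your team

Hi, following up on our earlier conversation...
`

// threadHeaders are the RFC 5322 headers a mail client fills in when the
// user actually presses "Reply".
var threadHeaders = []string{"In-Reply-To", "References"}

// LooksLikeFakeReply reports whether a message claims to be a reply
// (subject prefixed "Re:", any case) while carrying no threading header.
// It returns (suspicious, reason, parseError).
func LooksLikeFakeReply(raw string) (bool, string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, "", err
	}
	subject := strings.TrimSpace(msg.Header.Get("Subject"))
	if !strings.HasPrefix(strings.ToLower(subject), "re:") {
		return false, "subject is not a reply", nil
	}
	for _, h := range threadHeaders {
		if msg.Header.Get(h) != "" {
			return false, "reply carries " + h, nil
		}
	}
	return true, "subject starts with Re: but no In-Reply-To/References", nil
}

func main() {
	samples := map[string]string{"genuine": genuineReply, "cold pitch": coldPitch}
	for name, raw := range samples {
		sus, why, err := LooksLikeFakeReply(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-10s suspicious=%v (%s)\n", name, sus, why)
	}
}
```

Running it flags the cold pitch and passes the genuine reply. The same rule can be applied as a server-side filter (Sieve or a milter) to score rather than reject, since a few mail clients omit `References`, which is why the check only requires one of the two headers.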

WhatsApp – a Haven for Paedophiles and Terrorists?

Yep – thought that would get your attention!

It’s headlines like this that the UK Government (and the press) are throwing around in order to drum up support for one of the most intrusive and privacy damaging campaigns to date.

The premise is that bad people use these services, which make heavy use of encryption to keep messages private, and by doing so hamper the security services who can no longer access private information in order to monitor them and stop them from doing bad things.

Now I’m not denying that these bad people do use WhatsApp (and similar applications) to enable them to communicate without their messages being intercepted. But I use WhatsApp and so do my wife and kids and we are not bad people. If WhatsApp are expected to put a backdoor into their systems to allow access to the content by so-called ‘authorised agencies’ then what about our privacy?

When I discuss this with people many will say “well, if you’re not doing anything wrong then what’s the problem?”. However, when I ask them for their email and social media passwords they are somewhat reluctant to hand them over – “but if you are not doing anything wrong then why do you care?”, I ask.

The answer is simple, their email and social media feeds are private and none of my business. Just because something is private does not mean it’s illegal or even wrong, just private.

We may be discussing our medical history, financial details, travel plans or just what time we will be home for tea but that’s our business, it’s private and nobody else’s business except ours and whoever we’re talking to.

So while I am willing to accept that bad people use these platforms in an effort to hide their activities, I’m pretty sure that they make up a tiny percentage of the 1,000,000,000 (and increasing) WhatsApp users. Do we all have to give up our right to privacy for the sake of these people and will it even make a difference?

The Snoopers Charter

In 2016 the Investigatory Powers Act, or Snoopers Charter as it was dubbed, was passed into law and with it the privacy of every UK citizen was eroded a little more.

Did you know that under this legislation your Internet Service Provider now has to keep your browsing history for 12 months and provide it on demand to authorised agencies?

If you did then you may have assumed that as long as you are not “doing anything wrong” then you have nothing to worry about as the Police and Security Services are only looking for bad guys.

Well, did you also know that on the list of agencies that can access these records are:

  • HMRC (the tax man)
  • The Department of Work and Pensions
  • The Department of Transport!
  • The Welsh Ambulance Services and National Health Service Trust!!
  • The Food Standards Agency!!!

Now what on earth do the Food Standards Agency need with my internet browsing history? What possible use could it be to them?

If the UK Government were to enforce a backdoor into WhatsApp and other platforms like it – who would be able to access the information and how secure would it be?

But that’s not all. If the Government weakens encryption and demands backdoors be created in otherwise secure systems, who knows who can gain access to the information that was once protected?

If SSL certificates (which put the padlocks on your browser’s address bar to indicate that the page is secure) become less secure, how safe are you when you are accessing your online banking or shopping on Amazon?

The truth of the matter is that if the UK Government gets its way it’s not really them that we have to worry about – it’s the hackers. They will have a field day with all this insecure data flying over the wire. All it would take would be a poorly implemented backdoor and then all bets are off. If Government agencies cannot even secure their own data, what chance do they have of securing the keys to our data?

A Developer’s Viewpoint

So, apart from being a UK citizen, what has this got to do with me and why am I ranting about it?

Well, as a developer I know that writing a chat application is not really that hard – in fact I recently read a book which guided the user through cross-platform Xamarin development and the target project was a cross platform chat application. Moreover, the source code is actually on Github so there’s a starting point right there.

Currently that XamChat application stores and sends data in plain text so not secure or private. But how difficult would it be to upgrade the app to use encryption? Even though I am not a cryptographer by any stretch of the imagination I’m guessing not that hard at all.

And that’s the point – if I can do this then any reasonably competent developer could do it too. If the UK Government were to make it unattractive for the bad guys to use secure apps like WhatsApp then there is nothing stopping them from writing their own end-to-end encrypted messaging system using state of the art encryption that cannot be broken with today’s technology.

Meanwhile the rest of us will be using insecure systems that leak information and make us vulnerable to malicious hackers keen to exploit these weaknesses, gather personal information and use it to their own ends.

Going Forward

In an effort to prove my point, I’m going to take a run at this. Ultimately I’m going to see just how hard bolting encryption into the XamChat application would be.

I’m not expecting (or intending) to create a WhatsApp killer or even anything that polished – just something usable to prove the point.

First thing to do is to get up to speed on encryption, especially in .NET. There’s a 4 hour course on Pluralsight so I can kill two birds with one stone: my commitment to watch one Pluralsight course a month, and creating a Command Line application to create Encryption Keys and Encrypt & Decrypt text data in preparation for creating SecureXamChat.

Edit – 15th Feb 2018: Subsequent to me posting this there was a great article in The Guardian which (obviously) makes a much better job of getting the point across and it’s well worth a read.

Ditching AntiVirus

Just like us, as computers get old they tend to slow down. It’s a fact of life pure and simple.

With computers it tends to be due to the hardware not keeping up with the new requirements of today’s applications (just try running later Windows or Office on a Pentium 4 and you’ll see what I mean). We tend to put up with the slow down until something finally gives out, a hard-drive or motherboard for instance, and then we buy a new one.

Well my Windows 10 development workstation was slowing down and while it’s a few years old now, it is still a pretty high spec – i7-3770 with 32GB RAM and SSDs – this thing used to fly.

But recently it was noticeable that it was taking longer to boot, applications like Visual Studio and SQL Management Studio seems to struggle to load and surfing the web was a bit of a grind.

I decided to reinstall from the ground up and make sure that I didn’t install anything that I didn’t really need for development (like Steam!). I also decided that I was not going to reinstall my AntiVirus!!!

“Oh My God!” – I hear you shout. Are you insane? Don’t you know how many viruses there are out there and how quickly your system could be compromised?

Well, no I’m not insane (or at least I don’t think so) and yes I do know that there are a lot of viruses out there but I’m not just doing this without due thought and advice. I also (probably) wouldn’t consider junking it unless it had crossed the line in a number of areas.

Why do I think it’s a good idea to run without Anti-Virus?

I listen to a number of Podcasts and one of them is Security Now from the TWiT Network. When someone with the knowledge, experience and understanding that Steve Gibson has says that he doesn’t use a third party Antivirus then there must be something in it.

What does Steve use? Well, as he is running Windows 7, Steve is using the built-in Security Essentials (it’s Defender in Windows 10). Yep – he’s using what comes in the box! And the reason for that is that third party Anti-Virus is incredibly invasive and has to inject code deep into the Operating System. This, perversely, increases the attack surface for malicious code. Bugs in products like Symantec/Norton have exposed users to a greater risk of infection while users believed themselves to be safe. I’m not even going to begin talking about Kaspersky!

In the 10 years or so that I’ve been using my current Anti-Virus application, Avast, I’ve only had about half a dozen warnings about suspect files – and there is no reason to believe that Defender would not have detected the same files, or even that they were actually malicious (I get a number of false positive alerts when I’m compiling code in Visual Studio – and I don’t write viruses!). I tend not to surf around in the darker parts of the web and am pretty careful about what I install.

So, I’m not running without Anti-Virus – just without third party Anti-Virus.

So what did Avast do to push me down this road?

Well, there are a couple of reasons really:

Recently it has been getting in the way of my work.

Running a WebAPI application in IIS on the workstation and accessing it from the iPhone simulator on the iMac was never a problem. So when I started getting ‘Failed Connection’ errors I assumed it was a configuration issue or a coding error. After an hour or so of debugging I found that Avast was blocking requests to IIS – which it had never done before. Turning the firewall off confirmed the problem – I just had to remember to do it again when I was next accessing the WebAPI from another system.

Other applications failed to start with the Avast firewall engaged (when they had played well together in the past) and efforts to resolve the problem by Repair/Reinstall all failed.

But the big thing that did it for me? The real big step over that line we call privacy was when I logged onto my internet banking and Avast displayed this:

Now call me a member of the tin-helmet brigade if you like but when I access my online banking over a secure connection I find it a bit disconcerting when something says “I can see what you are doing!”.

It was a reminder to me that like most (all?) third-party AV products out there, Avast can intercept and analyse traffic being sent over a secure connection through my browser. To do so it has installed a trusted root certificate on my computer, which means it can act as a ‘man in the middle’ – intercepting my traffic, checking it and then passing it on.

And it’s the man in the middle part combined with the increased attack surface and buggy applications part that worries me and that’s why I’ll be sticking with Defender for now.

Why install racing harnesses in your car when the built-in seat belts will keep you just as safe in normal use?

 

Why don’t users “read the manual”?

In a previous post I had a little rant about some reviews I’d received from users of the FillLPG Android application. This was as a result of a handful of 1 star reviews from users who I believe had missed the point of the app.

You see, the application itself is just a portal into the FillLPG website – a website I do not control. The data provided by the website is maintained by a community of users who use the site and the app to add new stations, remove stations and update prices.

The problem is that users of the app have a place to sound off and express their displeasure – the Google Play Store. By leaving a 1 star review and the most basic of justifications for it (see previous rant) they get it off their chest and move on.

Well, today I had another 1 star review but this time the user took the time to explain why he had done so, but in doing so showed that he had not ‘read the manual’ – or in this case, the app description.

I’ve not redacted the user’s name, he was happy to post this publicly and thank Google that I only had 350 characters to respond!

The app has (at the time of writing) over 6000 active installations, it displays details of around 1000 stations every day and on average it is used to update 25 prices every day. Only 240 users have felt the need to rate the app and only 10% of those have left 1 star – and we know that people are more likely to complain about something than to praise it, so I’m not doing bad. But it does irritate me when people take the time to complain but don’t take the time to read simple instructions. Even when you bring this to their attention they don’t really bother taking it in or removing/updating their review, they just move on.

So what is to be done here? The app description clearly states that the data is maintained by the FillLPG community but obviously users are not reading this – or at least not all of it.

I could add a ‘Getting Started’ slideshow to the app which would be displayed after the initial installation – but we know that users just swipe or click next to get through these as quickly as possible without really reading the content.

Maybe users are their own worst enemy and we should just leave them to it – in this instance it is not as if I’m relying on income from the app, it’s free and there are no ads, so if they uninstall it then I’m no worse off, in fact the contrary may be true!

Obviously I would like users to get the best from the fruits of my labours – but how do we (developers) do that?

Aggregator Sites – What’s the Point??

I recently experienced an issue with one of my Xamarin apps and decided to post the problem on the Xamarin Forums. It’s a little obscure but I’m hoping that someone, somewhere has experienced the same thing and can point me in the right direction.

Well, in my lunch-break today I decided to take another look and entered the most concise search term I could think of – and received only 6 results, sometimes a good sign, sometimes not.

In this case it was the latter, mainly because there was actually only one real result – a link to my post on the Xamarin Forum. So what were these other results?

Well, they all point to the same site – Help4Mobile, which claims to use:

a concept which minimizes the duplicated subjects and content

Ironically it appears to do this by scraping data from other sites (which sounds like duplication in my book).

In the screenshot you can see my original post at the top (which is good I suppose). The next one down is the same post, scraped and re-posted by the help4mobile site. Now I’m not sure what will happen if someone was to reply to that post – I certainly wouldn’t know about it – so what’s the point?

The remaining results are different posts (probably scraped from some unsuspecting 3rd party site somewhere) and are returned because the sidebar on those pages contains links to the scraped version of my original post.

Now I’m confused by this. What is the point of this site?

  • It has no Ads so can’t be trying to get traffic to generate revenue.
  • The original poster will probably never know if anyone actually replies to their questions – because they didn’t post it on help4mobile.

Basically this site is, from what I can see, totally pointless.

Moving to new Virtual (really) Private Server provider

With all the post-Snowden privacy concerns I recently started to consider how much of my data was being stored on US servers, and hence fell under US legislation. It didn’t really surprise me that the answer was ‘quite a lot’, when you consider GMail, Drive, Dropbox, GitHub, Squarespace etc, but what was the alternative?

I’ve hosted my own systems, such as Joomla, Drupal, Subversion and Redmine, on Virtual Private Servers (VPS) running Linux for years but some time ago I scaled this back in favour of the above services. This was not a cost issue, the two servers I had cost less than £10 a month, but I’m not really an Infrastructure guy and configuring/patching servers and applications is not really what I do. But with all this mass snooping going on I thought that maybe I should at least take a look at moving my data back under my control.

I’d previously watched a Pluralsight course called Mastering Your Own Domain which presented a couple of interesting applications:

  • OwnCloud – a Dropbox alternative
  • GitLab – as the name suggests, a self-hosted source control system similar to Github

There were a number of other very interesting points made during the course so if you have access to Pluralsight then I highly recommend watching it.

Having all but stopped using the two VPS that I had it was quite simple for me to re-image one of them and have a play with the above applications – and I must say I was very impressed (still am). But then came the bombshell – my VPS provider emailed out of the blue to say that they were merging with a US company with immediate effect (immediate meaning just that!). Now, the servers were still hosted in the UK but did they come under US legislation? If the NSA requested all of my data (or all of the data on the same appliance that my VPS was running on) would it simply be handed over? If so, what was the point in effectively moving from one US service to another?

I raised a support ticket and received a reply saying:

“.. buying a service from a non-US company gives you very little protection in any case..” 

“.. Remember GCHQ in the UK were collecting lots of data on behalf of the NSA, and vice versa”

Not very reassuring I think you will agree, so I pressed the point and asked them straight out:

“If you received a request for my data (or all data from an appliance) from the US authorities, would it be handed over?”

I received no response and the ticket remained open until I ultimately closed my account a few months later.

With my investigations into OwnCloud and GitLab now well underway and being happy with how they were panning out I decided to investigate an alternative provider. Taking everything into account I knew that the new service would have to be provided by a company that was neither in the US nor the UK.

After quite a bit of searching around I finally decided on Bahnhof – a company based in Sweden and who also hosted WikiLeaks. Their Privacy Policy says it all really. Yes they cost a little more than my previous provider but not excessively so.

I have been running with my new server now for a couple of months and have had zero issues. OwnCloud and GitLab are running fine – although there are a few configuration niggles to iron out (which reminded me why I started using hosted services in the first place) but on the whole I’m happy.

I’ve also configured both services to run under SSL and used SSL Labs to help me configure the systems to gain an A+ rating. Not bad for a Developer 🙂

The whole process, and the ongoing commitment to maintain these servers has reinforced to me that privacy is something that needs work. It’s all too easy to do nothing and to say “I’ve got nothing to hide” – but as Edward Snowden says;

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

Users, you just can’t please all of them…

Recently I released the new version of the FillLPG for Android application as a Beta, that is working but with the potential for a few bugs and missing features. Because of my current work load I have not been able to put as much time into what is essentially a ‘pet project’ so I was running the risk of it never seeing the light of day.

On the whole it was received very well and there was a lot of positive feedback and feature suggestions. Then there are the ‘1 Star Brigade’ – you know, those who are so disappointed about an app that they just can’t let it go by and can give it a ‘virtual middle finger’ by leaving a 1 Star review – but frequently without taking the time to explain the reason for their displeasure.

By way of venting my own spleen I have a few examples:

This little gem was left a couple of weeks ago and is factually accurate – there are currently no stations listed in Bulgaria. But then why would there be? All the stations in the system are added and maintained by the users of the FillLPG website (which I should add is nothing to do with On The Fence Development Ltd or myself). Furthermore, the service was initially intended to provide location and price information for UK stations only. As more people hear about the site more and more stations are being added – currently as far away as Poland and Northern Norway! The users who add these stations are doing it for their own benefit and that of other LPG users.

My response to you Kiril is that users who complain about there being missing stations are, frankly, missing the point of the FillLPG community.

Next up is this helpful, two word, review – ‘Empty Map’. Well what am I supposed to do with that? How can I start to diagnose the problem – and to be honest, should I even bother? You see there are currently over 4000 installs of this version of the application and if nobody could see a map I’d be getting a lot more feedback from the users (over 4000 of them on the current release). I strongly suspect that this user’s problem is due to an out of date version of Google Maps on his device (it’s happened before – but that user contacted me to resolve the problem, which I did). I can’t understand why some users don’t realise that the problem may, just may, be to do with them, their phone, connection or carrier and not the application. But no – it must be the app, it’s crap and I’m going to tell the world about it!

To Maciej I say that you should think about the users who are running the app without any problems and think to yourself – ‘maybe it’s something at my end’.

Finally there is this one, the app won’t run on Android M. Now some of you may be saying “Android M” what on earth is that? Well, it’s the next version of Android that was released AS A PREVIEW at the end of May this year. The actual release will be sometime before the end of this year, some say around September but you can’t be too sure with Google. When it does eventually come out, don’t expect to see it on your handset for a while afterward (unless you’re running a Nexus device) because it can take a while for the handset manufacturers to test it with their hardware and to put their own spin on it if required. HTC state that they will get the new releases onto their current compatible handsets within 90 days – so that’s pushing into next year.

So getting back to Stuart’s ‘review’ – basically, two weeks after Android M was released AS A PREVIEW to developers and a good 9 MONTHS before any consumer device will be running it he sees fit to give the app a 1 Star review because it’s not compatible!

To you Stuart, I don’t really know what to say! I’m assuming you are a developer as most normal users won’t know what Android M is or how to get it. So developer to developer, you should know better!

The thing is, the app has about a 4 Star rating – dropping a little thanks to ‘users’ like those above – and that’s fine with me. What irritates me is when people don’t consider the time and effort that others put in to producing these things. FillLPG for Android is a FREE app and doesn’t contain any Ads (and never will). I develop it in my ‘spare’ time and use it as a vehicle to practice my mobile development skills, so when I hear people whinging about missing stations, maps and the like it really hacks me off.

Anyway – the good news is that there are still plenty of users who make use of the application every single day. Users who provide constructive feedback and feature suggestions and, most importantly, appreciate that I do this with no expectation of reward.