Skip to content

Blog

When is iMessage not iMessage? (When it’s facebookexternalhit/1.1)

Facebook is a company that engages in unethical behaviour. Its ubiquity and its necessity for many people’s social lives undermines people’s ability to meaningfully grant or withhold their consent to its policies.

I take no pride in seeing this coming in 2010, and I have refused to use any of their services consistently since.

So I was surprised, to say the least, when I sent a link over iMessage that I knew would be unique, but saw a request being made for it by the facebookexternalhit/1.1 bot user agent. This URL should not have ever been seen by anyone but me and the recipient. I took the time to verify that the only access to this URL was by myself and the recipient.

“GET /some-secret-url HTTP/1.1” 200 – “” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0”

It turned out that the facebookexternalhit/1.1 request (also identifying as Twitterbot!) was issued by the same IP address that I had. How could I be a Facebook/Twitter bot? How could it be that some Facebook code was running in my network? (I’m pretty particular in blocking large numbers of domains relating to Facebook properties.)

It turns out that this message preview in iMessage seems to make a request for the URL using this user agent string. It doesn’t identify itself as iMessage in the user agent string at all!

I’m satisfied that I answered the question — and indeed I understand the nature of user agent strings and how everybody pretends to be something else for compatibility. I expect a service to add to the user agent string, though. Chrome pretends to be Safari, which pretends to be “like Gecko”, which pretends to be “Mozilla/5.0”.

So why can’t iMessage add “iMessageLinkPreview/1.0” or something to the user agent string?

“Live Photos in FaceTime” Bug

So, the iOS 12.1.4 and MacOS Mojave 10.14.3 Supplemental updates are out, fixing Grant Thompson’s reported FaceTime groups bug. You know, the one that turned your device into a listening device…

(It’s at least something that Apple acknowledged that the reporting process for security issues from non-developers needs to be improved.)

I note that one of the other security fixes in this release is explained as follows:

Live Photos in FaceTime Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos

Description: The issue was addressed with improved validation on the FaceTime server.

CVE-2019-7288: Apple

APPLE-SA-2019-2-07-1 iOS 12.1.4

It’s good that they thought it wise to do a thorough audit on the rest of FaceTime, but why is this bug so poorly explained? “Uncovered an issue”? Of what scope? Of what severity?

Perhaps security issues Apple discovers internally don’t get disclosed, to provide an additional layer of obscurity if they believe others aren’t yet aware of them? Perhaps this is a server-side bug only? (But if it is, why note it in the client OS release?)

It is an unusual practice (even for a company as secretive as Apple) to provide a line and a CVE reference and so on, but not give any detail at all in the public release notes.

“Accident Advice Helpline”, 0161 854 1173 , Where Did You Get My Number?

A Case of Curious Coincidences…

Put on your citizen’s journalism hats, because we’re about to go on an investigative adventure.

UPDATE: More unsolicited calls recently from 0161 854 1214 where no message is left — unverified as to whom this is at this stage. It seems reasonable to presume that this in the same range of phone numbers, given the MO.

I have received a number of calls from 0161 854 1173 recently (May 2018). A voicemail message is never left, but if you pick up, you always hear a very short extract of hold music before you are connected with a person (automatic dialer, perhaps?) The agent typically identifies themselves as from the “Accident Advice Centre” or “Accident Advice Helpline”.

I have made a number of call recordings of my interactions with this phone number. I stress that these recordings have been made lawfully, as incoming calls to my number automatically play a pre-recorded message “this call is recorded” before the ringing begins, thanks to my service provider. (A recorded message stating that the call is recorded is common practice in that it is similar to the recorded messages that one hears when calling up companies.)

I was of course curious who was calling and how my phone number had been obtained.

Me: “I’m just wondering really where the number that you’ve called came from? I mean, obviously —”

Agent: “Oh, your number, sorry, sir? Your number?”

Me: “Yes. Yeah, yeah, yeah.”

Agent: “Ah, right, I do apologise. I thought I — no — no worries. Yeah, we work off the Accident Portal1, sir. So when you ring your insurance and tell them about your accident, er, it comes under what you would call the Accident Portal. Now [inaudible] organisations that have access to the Accident Portal, OK? The DVLA, the Accident Advice Centre, that’s us, the Motor Insurance Bureau and the DVLA2. Sorry, the [inaudible], the DVLA and your insurers.”

Me: “You’re a government organisation?”

Agent: “We are a [government/governing]3 body, OK? Er, we were set up to make sure your insurance companies are doing their job correctly. Also just to make sure the complaints[?] OK and happy with your insurance [inaudible] and everything, and just to make sure you know, you’ve received all your requirements — your legal, erm, payments and stuff. Now—”

Me: “What I’ve [inaudible] is to find out information about your organisation, because I’ve struggled on a number of occasions to actually find out any more.”

Agent: “Say again, sorry?”

Me: “I’ve struggled on a number of occasions to actually find out any more information about your organisation.”

Agent: “Just bear with me one second, I’m going to get my manager, OK?”

Me: “I tend to start asking these questions and the call seems to be cut off.”

Agent: “Right, well, why did you think your call seems to be getting cut off?”

Me: “I don’t know.”

Agent: “Is this our company you’re talking about, or…?”

Me: “Yeah, calls from this number. The number you are calling from, and, yeah, I seem to ask for information about the organisation and then I don’t seem to — the call doesn’t seem to stay, uh, connected.”

Agent: “Are you just looking at the [inaudible], because that’s just an area code, so it could be a million, um, you know, a million people calling you.”

Me: “— the full phone number”

Agent: “Let me just see who’s called you in the past, give me one second.”

Agent: “Yeah, I can see that our, our, our, my colleague [name] tried contacting you. Erm, but she put it down to answering machine, like, we couldn’t get hold of you, and that’s why it’s come back through today.”

Me: “Yeah, as I said, it’s not the first call. I’ve had a number of calls, but, um…”

Agent: “Right, so are you aware of the compensation that has been set aside for you, Peter? — — Hello?”

Me: “Again, what I’m wondering about is more information about your organisation.”

Agent: “Right, like I said— That’s completely fine, obviously you’re only [inaudible] obviously want to know who we are and make sure we have your best interests at heart. Erm, just bear with me and I’m going to get my manager, she’ll just come over and give you a bit more of an explanation of who we are and why we are calling you, OK?”

Me: “That would be great, thank you.”

1: The closest thing to “Accident Portal” I can find is “Claims Portal Limited”, a “a tool for processing low value personal injury claims”. I have no evidence that this is the “portal” in question, however. Investigations into whether Claims Portal Limited have my data are ongoing. Unfortunately, this company’s website Terms of Use prohibit me from linking to them without prior consent, so you will have to use a search engine yourself. (“You may not provide a link to this web site from any other web site without first obtaining Claims Portal Ltd’s prior written consent.”)

2: It’s credible that there is a database of incidents for legitimate organisations like insurance companies. That data presumably would be processed for the purposes of the prevention and detection of fraud. It certainly would not be permitted to use the data for “leads” for claims management companies, especially if the data subject is not specifically aware of the data processing in the first place.

3: It’s not clear enough to distinguish between these two words in my recording. I did want a clear answer as to whether they were identifying themselves as some kind of official body, or as a for-profit company. We’ll discover more about the identity of the organisation later.

After a brief interlude, the manager spoke with me. I asked for the full organisation name and the registered office.

Manager: “It’s the Accident Advice Helpline, OK?”

Me: “OK, so that’s Helpline. Is that Limited?”

Manager: “It’s just the Accident Advice Helpline. So basically we make the follow-up calls, Peter —”

Me: “—  the name of the organisation.”

Manager: “Accident Advice Helpline. Yes?”

Me: “OK, so not Accident Advice Helpline Limited…”

Manager: “Yes. OK? So, basically what we do is we make the follow-up calls to make sure that each and every person that has been involved in a recent road traffic accident or an incident — is being looked after, and offered a 5-star service so they’ve got the courtesy vehicle in place and the car’s in the garage and that you’re happy with the recovery of the vehicle etc. And obviously we explain to them about the payment when it’s a non-fault incident, there’s a payment automatically set aside1 — erm — which is for minor discomfort2, so this payment has got nothing to do with your insurers, it comes from the third party, the fault driver’s insurance—”

Me: “—so the information you’ve received about my number. Where has that come from, please?”

Manager: “That basically is uploaded onto the database. When you pay your premium — and everyone in the UK and Scotland pays their 0.34% of all the premiums put together — creates the Accident Advice Helpline3, so we’re authorised4 to receive all the, basically, the details of incidents and make sure that you’re being offered a good service by your insurers and then obviously, like I said, we ask you about your courtesy vehicle, the recovery of your vehicle, if you’re happy with the services and then obviously if you’re non-fault we explain that you are entitled to a payment, which I believe [original person who called me]’s explained to you already for the minor discomfort — you’ve had your seatbelt on5, someone’s collided into your vehicle and you’ve been involved in a low-velocity impact collision you are automatically entitled to a payment from the third-party6. So, like I say, just to confirm — erm — and to reiterate, this has got nothing to do with your insurers, this is coming from the fault driver’s insurance. Does that make sense?”

Me: “Erm — so, does your organisation have a registered office?”

1: Automatically set aside by whom I wonder?

2: “Minor discomfort”. Remember that justification that has been given for the “payment”, as we’ll be coming back to it later.

3: If I’m understanding the manager correctly, she is stating that the organisation is created from funding from everyone in the UK and Scotland [sic] and, I presume I am meant to believe, that the “automatic payment” comes from those monies. There is no evidence for this.

4: I did not press this point during the call — I was conscious that asking too many awkward questions seems to correlate with early termination of the call — but I’d love to know by whom they were authorised to receive my details. The “database”?

5: Another reference to “minor discomfort”, but then we move away from that and get more specific. Indeed, this is the closest I have come to any suggestion of the type of claim they’d actually want to pursue on my behalf. Mentioning the seat belt suggests they might look to see if a whiplash claim was a possibility if I continued further with them.

6: Automatically entitled? And this is “coming from the fault driver’s insurance”? I don’t accept these statements are true.

I will spare you the details of me explaining that asking for the registered office meant that I wanted a street address!

I eventually got this registered office from the manager:

50-52 Chancery Lane
London
WC2A 1HL

This address appears as the registered office address for an Accident Advice Helpline Limited, company 05121321. This doesn’t exactly match with the manager’s statement that it is “just the Accident Advice Helpline”, but the registered offices are the same.

The last filed accounts with Companies House were on 30th June 2017 and were accounts for a dormant company. I don’t think I can determine if the company is still dormant until they next file accounts in June.

(Coincidentally, Accident Advice Centre Limited (10275785), with registered office 8 Exchange Quay, Salford, United Kingdom, M5 3EJ, was dissolved on 13th June 2017, weeks before those dormant accounts were filed for “…Helpline”. I have a call recording from the same phone number, also from this month, where the agent identifies as from the “Accident Advice Centre” and confirms that this was the address of that organisation — “Yes, that’s our address”. So I’m still not sure who exactly is calling me from this same Manchester phone number — is it “Centre” or “Helpline”?)

I clicked on the name of the first company director for Accident Advice Helpline Limited listed on Companies House, and discovered this individual holds 36 directorships, almost all of them also with correspondence addresses of the London address as above.

Some of the more interesting ones:

I stress that all of the companies above can be reached at the 50-52 Chancery Lane address above.

The list seems rather comprehensive and efficient, in the sense that the whole process of lead generation, claims management, cost assessment and medical assessment for personal injury claims could, in theory, be administered all from this one building.

With all these companies physically located in the same building and with at least one common company director, I wonder how the issue of conflicts of interest is dealt with?

For example, I am sure that a “costs consultants” business would want to act in good faith to (I assume) estimate costs associated with an incident, but with such a close link to legal services firms and claims management firms that may be interested in maximising the assessment of costs… I will say that it raises ethical and procedural questions that I am sure the organisations involved will be happy to answer.

Back to my calls — I take the view that, while they may not want any money directly from me, that this is a marketing activity. They are a private company, trying to generate leads for business for personal injury claims.

My phone number is listed in the UK’s Telephone Preference Service. Let’s look at the legal obligations that this places on organisations:

Direct marketing telephone calls: it is unlawful for someone in business (including charities or other voluntary organisations) to make such a call to any Individual if that Individual has either told that business or organisation that he/she does not want to receive such calls or has registered with the Telephone Preference Service that they do not wish to receive such calls from any business or organisation.

I notified the manager that my number is in the TPS and that, therefore, I took the view that the call was unlawful.

Me: “Given that the number you have called is in in the Telephone Preference Service, um, list of numbers not to call, um, unfortunately the calls you’ve been making are actually unlawful under that relevant legislation1. When you said that this isn’t a marketing call—

Manager: “Oh for goodness sake.”

Me: “I’m sorry?”

Manager: “Do you want me to make a payment? Yes or no?”

Me: “Hello?”

Manager: “I assume no.”

Me: “Are you still there?”

[some confusion — I am asking “are you still there” because I am conscious that the call is likely to end soon]

Manager: “— so you don’t want to move forward with the payment, so I’m going to take you off the system, thank you — [hold music for ~0.5 seconds, then call disconnects]”

1: http://www.legislation.gov.uk/uksi/2003/2426/regulation/21/made

I’m struggling to think of another “helpline” would normally have managers who say “oh for goodness sake” to the people they “help”.

I do hope that she did indeed “take [me] off the system”. I should never have been on there in the first place — and if the company was checking numbers against the TPS list before making marketing calls, as they are legally required to do, this never would have been an issue.

My advice? Do not deal with this organisation, or any with a similar name and similar spiel. Perhaps calmly ask them a few questions about who they are, and see whether their story matches the ones above.

If any relevant official investigatory body wishes to contact me for further details regarding the way this organisation has identified itself, the calling of numbers listed in the TPS, etc., you are most welcome. Your call may be recorded. 🙂

The Case of the Rogue Caching Servers (Unable to Download iOS Apps Over The Air)

macOS Server

A recent version of iTunes dropped support for downloading and syncing apps to iOS devices — the only methods for this are now using the App Store, Apple Configurator(?), or having some other over-the-air MDM solution push the apps to devices.

This caused me to run into a little bit of an issue in my day job — we’d been having sporadic issues doing over-the-air app updates on our corporate network, but when devices were taken off site, apps would update perfectly. I had been sort-of ignoring, sort-of working around this by downloading the apps to a desktop running iTunes and syncing (a small(!) number of) devices by Lightning cable.

But, now my workaround feature was gone! What was I to do? The story here is true, but some names and specific technical details have been omitted for professional privacy!

I was curious, so I did a packet dump or two and discovered the iOS devices were talking happily to the iTunes Store as you’d expect they should, but that when it came to actually downloading the app’s bits, they were contacting an IP address in a private range!

» Read the rest of this post…

Windows Upgrade Woes — 0x8024000d when searching for updates after 1703 upgrade

Windows as a Service.

It sounds like an eminently sensible idea in world where failing to keep software up-to-date, in particular with security fixes, has a tangible negative impact on people. Treating software as a service also provides a healthy ongoing income stream, as well. 😉

At work, we had many issues with our first attempt at running an in-place upgrade from Windows 10 1511 to 1607 using ConfigMgr. They were resolved, in the end, but required a lot of effort.

So, naively, I am assuming that we couldn’t possibly quite as unlucky a second time, when testing using the same Windows 10 Servicing method for upgrading 1607 to 1703.

Alas, the upgrade to the new build itself worked without issue, but once booted into the new OS, Configuration Manager-mediated Windows Update scanning now fails.

This, from the WUAHandler.log:

OnSearchComplete - Failed to end search job. Error = 0x8024000d.
Scan failed with error = 0x8024000d.

Digging a little deeper, I’m seeing errors relating to the metadata for the updates.

[metadataintegrity] failed: hr = 0x80245004
[metadataintegrity]GetFragmentSigningConfig failed with 0x80245004. Using default enforcement mode: Audit.

We’re seeing an error relating to missing XML content, which I guess adds up with the suggestion that the metadata integrity is not validating.

0x8024000D WU_E_XML_MISSINGDATA Windows Update Agent could not find required information in the update's XML data.

My searching so far indicates that folks have fixed this with rather significant rebuilds of their WSUS infrastructure. I’d like to avoid that, of course!

It seems that perhaps third-party products being added to WSUS (such as Adobe Flash Player, before it was shipped as part of MS updates from Windows 8 onwards) may be related to the issue.

It is odd, and frustrating, that whatever issue it is only manifests in 1703, and that, once again, the nuclear option of a rebuild of a significant infrastructure piece is the dominant suggested solution.

I will update this post with any success I have resolving the issue without starting afresh with WSUS.

Light

Filesystem? What New Filesystem?

A quite legitimate criticism of iOS for some time has been the fact that you seem to end up with multiple gigabytes of unexplained “other” disk space usage after using the device for some time. It’s frustrating, especially on smaller devices.

Reinstalling iOS and restoring from your most recent backup would clear the mythical “other”, at least for a while.

It seems that the latest update to iOS, version 10.3, introduces a whole new filesystem technology, APFS. This wasn’t mentioned in the release notes, and is only really detectable by the end user in the form of a much longer upgrade process than would be needed for a typical iOS release.

Since upgrading a few devices, I have noticed a big jump in the available free space on those devices. The pesky “other” is still there, but appears to have shrunk significantly.

Hats of to Apple for fixing what was a criticism going a long way back, and for managing a quite potentially disruptive filesystem migration in such a transparent way for the end user.

May the “other” space usage forever remain small.

Let’s Encrypt on Windows with ACMESharp and letsencrypt-win-simple

The march of freely available TLS certificates for domain validation continues in the form of the Let’s Encrypt project and I’m very pleased that it does.

I’m very happy with the Certbot client on most systems where I need to deploy Let’s Encrypt, but on hosts facing the big wide world that are Windows-based, Certbot obviously is not an option!

Fortunately, I’ve had success with the ACMESharp library for PowerShell. What’s cool about the library is that it does break down the process into individual commands, meaning you can automate, script and report on your certificate status with a great deal of flexibility.

For simpler scenarios, though, the letsencrypt-win-simple client offers a nice friendly command line interface to the ACMESharp library and is a nice easy way to quickly retrieve and install a Let’s Encrypt certificate on a public-facing IIS instance. Automating the renewal process is easy too — just create a Task Scheduler task.

Yes, it’s a command line client, and there are Windows folks who may not be comfortable with that, but it walks you through every part of the process. No memorising of switches and flags are needed!

There really is no excuse — now is the perfect time to get everything on HTTPS!

Appeasement is not Acceptable

I have avoided overt political statements on this blog, unless they fell within the sphere of technology and I felt very strongly. 

But this is beyond political. 

I am appalled at my government’s appeasement of Mr Trump. I am appalled at their willingness to do deals with this new US administration.

Through the factually verifiable acts of this new administration (for example, the dismissal of the Attorney General after opposing the president), there is a clear attempt to dismantle checks and balances that are an integral and essential part of a democratic state. There is an obvious contempt for the rule of law. 

Functioning democracies do not behave in this way.

We must not wait for this US administration to start ‘disappearing’ people who lawfully oppose the administration before we act to say, loudly and clearly, that enough is enough

Safeguarding British values (as those values are defined by my government) demands that we condemn and oppose this behaviour.

I demand that my government condemn the Trump administration’s rejection of democratic norms and utilise any and all diplomatic pressure to make this clear.

History will judge us very poorly if we sit around waiting for it to get ‘bad enough’ before we take a stand.

Hopes for 2017

I hope for a world where we are able to actually keep calm and carry on in the face of significant challenges, rather than just displaying the aforementioned in poster form.

I hope for a world where those with all different political persuasions will have the courage to stand up for what is right, even when it is hard.

I hope for a world where we always remember to treat each other like human beings.

Happy New Year everyone.