Skip to content

Blog

When is iMessage not iMessage? (When it’s facebookexternalhit/1.1)

Facebook is a company that engages in unethical behaviour. Its ubiquity and its necessity for many people’s social lives undermines people’s ability to meaningfully grant or withhold their consent to its policies.

I take no pride in seeing this coming in 2010, and I have refused to use any of their services consistently since.

So I was surprised, to say the least, when I sent a link over iMessage that I knew would be unique, but saw a request being made for it by the facebookexternalhit/1.1 bot user agent. This URL should not have ever been seen by anyone but me and the recipient. I took the time to verify that the only access to this URL was by myself and the recipient.

“GET /some-secret-url HTTP/1.1” 200 – “” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0”

It turned out that the facebookexternalhit/1.1 request (also identifying as Twitterbot!) was issued by the same IP address that I had. How could I be a Facebook/Twitter bot? How could it be that some Facebook code was running in my network? (I’m pretty particular in blocking large numbers of domains relating to Facebook properties.)

It turns out that this message preview in iMessage seems to make a request for the URL using this user agent string. It doesn’t identify itself as iMessage in the user agent string at all!

I’m satisfied that I answered the question — and indeed I understand the nature of user agent strings and how everybody pretends to be something else for compatibility. I expect a service to add to the user agent string, though. Chrome pretends to be Safari, which pretends to be “like Gecko”, which pretends to be “Mozilla/5.0”.

So why can’t iMessage add “iMessageLinkPreview/1.0” or something to the user agent string?

Staying Safe

I have written on this subject before, but as suspected, surveillance is back on Parliament’s agenda again.

Is the Investigatory Powers Bill the latest attempt at a “modernising” of existing laws and conventions, as is often claimed, or an unprecedented extension of surveillance powers?

I would argue strongly that the capability for your local council, tax enforcement authorities, and the myriad of other agencies that are proposed to have access to this data, to ‘see’ every thought you might have dared to research online is vastly more than would have been possible in human history. It’s also vastly more than any other country has sought the legal power to access.

Photo by Luz on Flickr. Licensed under CC-BY.

Photo by Luz on Flickr. Licensed under CC-BY.

Given what we know in a post-Snowden era, this proposed legislation is quite clearly not about ensuring a continued intelligence flow for the purposes of national security. That has been going on behind closed doors, away from any democratic process and meaningful oversight, for many years, and will no doubt continue. Whether or not the activities of military intelligence agencies have a strong legal foundation has apparently not stopped them from gathering what they need to do their job. It is important for me to note that I don’t doubt the hard work they do, and the success they have had over the last ten years in preventing violence in the UK. However, we know that overreach and abuse have occurred — at the kind of scale that undermines the very values our government and their agencies are there to protect.

It is clear to me that, given the secret and ‘shady’ nature of much of the activities of the security apparatus of perhaps every nation state, what we do not need to do as a democratic society is provide a strong legal protection for such morally ambiguous acts. If a tactic is invasive or aggressive, but genuinely necessary in a “lesser of two evils” sense, the fact that the actor has to take on the liability for it provides an inherent safeguard. If it is easy and low risk to employ that tactic, there is a stronger temptation for its abuse, or for its inappropriate extension into everyday investigations. When these laws are ‘sold’ to the people as being for national security and to keep us safe from violence, it cannot be acceptable that the powers are made available to other agencies for any other purposes, as the Bill proposes.

A nation state does not have the right to violate the sanctity of the boundary of someone’s home without strong justification — a warrant. A nation state similarly does not have the right to violate that boundary in the form of bulk data collection on an entire populace. The Internet connections we open and the data we transfer is something that we can keep private from our government, unless due process is followed to override that on an individual basis.

That must remain. That principle must be protected, or we’ve forgotten why we bother with this ‘free country’ thing.

It must be protected even when we face short- and medium-term risks to our safety. Why? Because it is not hyperbole to say that failing to do so lays the technical and legal foundations of a police state, which is a much more significant long-term risk.

Fortunately, there are many fighting against this Bill, which (even if you disagree with my arguments above) is widely regarded to be completely unfit for purpose.

I wholeheartedly support the Don’t Spy on Us campaign and its six principles, and I stand with them as a supporter of the Open Rights Group, one of the organisations behind the campaign.

Notes on Creating an Encrypted Bootable SuperDuper Backup

SuperDuper icon

SuperDuper is one of my favourite backup applications for the Mac, and I use it as part of my backup and recovery strategy.

One of its benefits is creating a bootable clone, so in the case of any trouble, you can connect the backup drive, hold Option/Alt and boot your alternative system.

The world has changed since I first used this tool, and full-disk encryption is now essential for maintaining privacy and “not-having-your-life-turned-upside-down” in the event of a loss of control of the drive with your life on it. FileVault on OS X since Lion works beautifully for your boot drive, but unfortunately I had to sacrifice the bootability of my SuperDuper backup in order to ensure it was encrypted.

Recently, a drive failure on my SuperDuper backup drive (yep, they do happen, and that’s why we back up!) required me to replace the drive. That gives a good excuse to play, and try and make a bootable and encrypted backup — FileVault-style, but on an external disk that we manage ourselves.

» Read the rest of this post…

Twitter Protected Account Limitations

Picture of megaphone

I like the fact that since the very early days, Twitter has offered you the ability to make your account ‘protected’. What this means is that unlike the default setting, your tweets are not publicly visible. Only people who are following you can see them, and any new followers you get after you protect your account have to be approved by you.

It is a great way to use Twitter if you don’t necessarily feel comfortable sharing a lot if you know you are sharing it with the world. That’s why I like it, anyway.

However, there are some sacrificies you have to make when having a protected account — and at times it is not awfully clear what these are. Here are a list of some of the protected account restrictions you might come across, but might not be aware of.

  • If you send a tweet @ someone who is not following you, they cannot see that tweet. So if you do have a protected account and are trying to enter a competition with a business where their account is not following you, for example, or speak to anyone who is not already following you, that is why they aren’t responding to you!
  • Other people cannot retweet you (using the ‘official’ retweet mechanism). It is possible for others to use other ‘quote’ style manual retweets, but not the native retweet functionality. Trying to retweet anyone who is protected will throw an error message.
  • Your tweets are protected, but the list of those who you follow and the list of who follows you is still public. There is no way to make those lists private. This is something to bear in mind.
  • Another privacy point to remember is that if your account is protected, but you are conversing with someone whose account is public, their side of the conversation will be public (unless you converse via Direct Message).
  • It can be more difficult to meet new interesting people on Twitter if your account is protected. There are those on the service who won’t spend much time deciding whether to follow you if you are protected.

For some of these reasons, I now also have a public account, @PeterUpfold, which announces new blog posts here and also I use to make conversation with people who aren’t following my main, protected account, @strategyoracle.

This post is up-to-date as of 2010-12-11. Twitter can, and does, change its features and functionality iteratively. If you’re looking at this post at a later date, some of these restrictions may have changed!

‘Megaphone’ image is soundsky, by seungmina on sxc.hu. Licensing information for that image.

Opt Out of Cookies for Apple’s iAds in iOS4

Cookie picture, by amagill -- http://www.flickr.com/photos/amagill/34754258/

The iAds feature in Apple’s iOS 4 has caused its fair share of controversy, and Apple’s privacy policy has just been updated to reflect the changes that iAds bring to the platform.

Notably, it is possible to opt out of iAds ‘cookies’, which means that the ads you see might be less relevant, but you are able to opt out from targeted advertising, which some people may be uncomfortable with (especially considering this functionality is built in across the OS and, presumably, the analytical data Apple gather from iAds would be shared across different apps).

Apple and its partners use cookies and other technologies in mobile advertising services to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns. If you do not want to receive ads with this level of relevance on your mobile device, you can opt out by accessing the following link on your device: http://oo.apple.com. If you opt out, you will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests. You may still see ads related to the content on a web page or in an application or based on other non-personal information. This opt-out applies only to Apple advertising services and does not affect interest-based advertising from other advertising networks.

I would encourage anyone upgrading to iOS 4 or purchasing a new iOS device to consider opting out of the iAd cookies, if they feel more comfortable knowing that the advertising is ‘dumb’ and not being targeted directly at them.

As the quote from the privacy policy says, all you have to do to opt out is visit http://oo.apple.com on each iOS 4 device where you want to opt out.

Cookie image is &#8216C is for Cookie’ by amagill on Flickr. Licensed under CC-BY.

Facing up to Facebook Privacy

Facebook is one of the most important social platforms on the internet today. I joined it probably several years ago now, not long after Facebook Applications were introduced.

Those of you that follow me on my personal Twitter account, @strategyoracle will probably know that I keep that account protected — i.e. only those that request to follow me and I allow can read my tweets. I do that because that is the way that I feel most comfortable using the service and it is how Twitter is most useful to me. I have tried using that account both publicly and privately, and ultimately it was more useful and more comfortable to keep it protected.

On Facebook, I have also used the privacy options to make Facebook a tool that is useful to me and that I feel comfortable with. I was able to keep most of my information inside a small group of trusted friends and in doing so, I felt comfortable using it and sharing with it.

In recent years, though, the degree of control that Facebook gives you has eroded. This EFF post demonstrates how the service and its privacy policy has changed in this respect since 2005. I have found it more and more difficult to feel comfortable using Facebook in the context of these changes.

The final straw came today.

Now, it seems that any ‘connection’ that you make — whether it be with a friend, or a page that you ‘like’, has to be public.

Facebook came up with a screen asking me to make many ‘page’ connections public, based on my interests and activities that I had previously entered. Even leaving aside the fact that it showed me interests I had previously deleted from my profile, I was horrified to learn that unchecking all of the boxes to share the information actually removed all that information from my profile! There is now apparently no way to restrict information such as my activities and interests and only show that to trusted people. It’s share all, or have nothing, when it comes to this information.

It is quite clear to me that this is now the choice:

You either use Facebook as publicly as they want you to (even as that changes in the future), or you don’t use it at all.

I choose the latter. Assuming I don’t get convinced otherwise in the next few hours, I consider it pretty likely that I will delete my Facebook account. After all, I can always create one again later.

I am hugely disappointed that it seems Facebook doesn᾿t seem to respect people who are more private by nature. I am sorry to all those who may prefer Facebook as a medium for communication and will not be able to contact me there.

UPDATE: I went ahead with the delete. I can always create an account again later and remember you can always send me an email or request to follow me on Twitter (or follow my public Twitter account too).

SRWare Iron — A Google Chrome Alternative

SRWare Iron Icon

UPDATE 2010-06-30: At the time of writing, the Mac version of Iron is not up-to-date and is probably insecure. I have stopped using it for now. Hopefully it can be kept up-to-date and patched to a schedule close to the normal Chromium releases in the future.

Google has come a long way since its humble beginnings in 1997 and now offer a huge array of online services. One of the criticisms often aimed at the company is centred around privacy. From searches you make on the search engine, to the contents of your email if you are a Gmail user — they have the ability to build up quite a detailed picture of what you do online.

Apparently, the Google Chrome browser itself also does various things which may impact privacy. The browser creates a unique client ID which is sent to Google when you do things such as type terms into the combined address and search bar, for example, and if the browser crashes, the technical information relating to that crash is sent to Google.

If you are someone concerned by the implications of this and maybe don’t trust Google very much, you may want to give SRWare Iron a try.

Iron is a browser based on the open source Chromium project which also powers Google Chrome, but with many of the potentially unwanted features that may impact privacy disabled.

This is a great example of open source code working well — it allows you to enjoy the benefits of the Chrome browser (the speed, interface and unique tab-as-process architectre) while side-stepping things you don’t want.

Screenshot of SRWare iron running on Mac OS X

Personally, I am not enormously bothered by the privacy issues and at the moment I’m pretty happy with a Safari/Firefox combination for my browsers of choice, but if you are looking for Google Chrome, without so much Google, this is worth a try.

You can download the browser from the SRWare website.

UPDATE: The Mac version can be downloaded from this forum post on the SRWare site.

Force Session Cookies on Chrome for Mac

Google Chrome icon

I just downloaded the new Google Chrome for Mac beta. I like to clear out my cookies after each time I quit the browser, so tracking information and so on doesn’t hang around any longer than it needs to.

On Google Chrome for Mac, there is no built-in setting to force all cookies to be session cookies, but you can use this hack to achieve the same thing. After launching Chrome at least once, then quit it and run the following commands in Terminal:

rm "~/Library/Application Support/Google/Chrome/Default/Cookies"
ln -s /dev/null "~/Library/Application Support/Google/Chrome/Default/Cookies"

The first command deletes the cookies file and the second command creates a symbolic link, so that anything dropped in the cookies file goes to /dev/null (i.e. the cookies gets deleted and not stored once you quit!)

UPDATE 2010-01-29: JeanVal reports in the comments that this process works on Chrome for Linux too. The Cookies file is stored at the path ~/.config/chromium, so just adjust the commands above to fit that path.