

Re: [projectvrm] Vendor entitlement run amok


  • From: Don Marti < >
  • To: Doc Searls < >
  • Cc: Judi Clark < >, ProjectVRM list < >
  • Subject: Re: [projectvrm] Vendor entitlement run amok
  • Date: Thu, 20 Aug 2015 09:28:53 -0700

begin Doc Searls quotation of Thu, Aug 20, 2015 at 11:04:25AM -0400:
>
> Thanks Judi.
>
> I love how you bring together what T.Rob and Jennifer Stisa Granick said.
>
> So, leveraging those, I just added some text (and an image/metaphor) to my
> Advertising Wheat & Chaff piece <http://bit.ly/wheatchaff>, and tweeted
> that too, with a HT to @idcoach:
> <https://twitter.com/dsearls/status/634374330030264320>.
>
> In the meantime I’ve also had some conversations with browser and ad
> blocking people, and I think what I propose is do-able.
>
> Just scroll down to the subhead “An easy solution” and see what you think.
> And what we can do together.

Marking responsible advertising on legit sites is an
important part of the problem. "Labeling" an ad as
"wheat" can be done. From the Privacy Badger FAQ:

    I am an online advertising / tracking company. How
    do I stop Privacy Badger from blocking me?

    If copies of Privacy Badger have already blocked your
    domain, you can unblock yourself by promising to
    respect the Do Not Track header in a way that
    conforms with the user's privacy policy.

https://www.eff.org/privacybadger

But somehow marking legit ads is only part of the
problem. The browser has to be designed to handle
the skeeviest ad that a user will see on his or
her worst day. (yet another malvertising story:
http://www.cyphort.com/100m-huffington/ )

Most email users don't send spam, but all email
recipients need a spam filter. Legit sites win by
nudging, educating, and rewarding users to get out of
the two low-value categories ("eyeball inventory" and
"general ad blocker users") and onto good tracking
protection.
More: http://blog.aloodo.org/posts/what-do-you-mean-we/

> Enough with the complaining and thrashing through the weeds. Let’s fix this
> thing.

In progress. Privacy Badger, Disconnect, and the best
of the iOS content filters are working on this.

Two things to check on any site: do you have an
AdChoices link or a "please turn off your ad blocker"
message on your site? If so, rewrite to match up
with user expectations about client-side security
and data collection.

http://blog.aloodo.org/posts/turn-off-your-ad-blocker/
http://blog.aloodo.org/posts/safer-friendlier-adchoices/

Doc, I join you in refusing to complain. Mockery,
sure. Quick and dirty "hey, paste this on your
web site!" sure. But no complaining. Just made
that rule 6.

http://blog.aloodo.org/misc/rules/

>
> > On Aug 19, 2015, at 8:58 PM, Id Coach < > wrote:
> >
> > Thanks T.Rob, blogged this in response:
> > http://digitalidcoach.com/2015/08/tracking-and-profiling-run-amok/
> >
> > Included some stats from Pew study on attitudes about privacy and
> > surveillance, also a link to Jennifer Granick's keynote at Black Hat.
> >
> > j.
> >
> > On 8/19/15 9:02 AM, T.Rob wrote:
> >> My main issue with vendors turning us into instrumented data sources
> >> isn't the data so much as the lack of consent. My Fitbit knows a lot
> >> about me but it's an add-on that I self-selected and it provides value
> >> to me. The tracking in my browser is not something I can easily avoid
> >> since the browser is now an integral part of my life. Between those
> >> extremes there are lots of IoT devices that you can currently choose a
> >> private version but where that choice is rapidly disappearing. You can
> >> still buy a dumb light switch but not a dumb car, for example. Your
> >> shiny new GT phones home.
> >>
> >> Among the vendors who seem to feel an entitlement to our data is
> >> Microsoft, whose Windows 10 is basically a box of spyware disguised as
> >> a user-productivity-gaming-and-cat-video-watching platform. I've
> >> already written about the issues there, how to mitigate them, and the
> >> disheartening number of those "features" that can't be disabled. Yet as
> >> bad as all that is, this latest revelation still managed to surprise me
> >> across several metrics: the lack of consent, the extent of the
> >> invasion, the degree of exposure, the fact that it's already been
> >> exploited to infect user devices, the fact that the entity who
> >> exploited it is a "legitimate" vendor, and the fact that said
> >> "legitimate" vendor egregiously exposed the exploit to the Internet.
> >>
> >> Ars Technica is reporting that Microsoft has included in Windows 8 and
> >> above the ability to load executables from the device firmware. This
> >> means that even a clean install of Windows on wiped hard drives will
> >> run the executables from the firmware. This is intended for anti-theft
> >> protection which is generally exposed to the user in the BIOS and can
> >> be disabled. However, Lenovo used it to load software that reports
> >> information about the device, downloads executables over the Internet
> >> and installs them into Windows, overlays some of Microsoft's system
> >> files, is riddled with bugs such as buffer overflow, updates itself
> >> unsecurely, and does all this over plaintext HTTP connections.
> >>
> >> http://iopt.us/1LkR5D2
> >> http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
> >>
> >> The design of the firmware executable injection features to support
> >> anti-theft has always been a compromise. We give up some security in
> >> the OS and firmware to get the ability to retrieve/wipe the PC if it is
> >> stolen or lost. However, it opens the possibility of malware taking up
> >> residence in the hardware and there are examples of this being
> >> exploited. The delta in difficulty between stealing a laptop versus
> >> exploiting the firmware bootloader injection results in this feature
> >> being a net security benefit but not by a very big margin. Should it
> >> become easier to exploit the firmware bootloader injection, this could
> >> turn very bad, very fast.
> >>
> >> Microsoft and Lenovo, in stunning examples of the pervasive attitude of
> >> vendor entitlement, significantly reduced the degree of difficulty for
> >> exploiting firmware bootloader injection to where any script kiddie can
> >> root the device. Worse, it was done without the ability for the user to
> >> disable it. The patch released by Lenovo reportedly disabled the
> >> function but even people comfortable using the BIOS setup will have
> >> difficulty disabling it.
> >>
> >> Microsoft has effectively weaponized firmware bootloader injection.
> >>
> >> Lenovo has not only exploited it, but their code is so incompetent as
> >> to make a new class of vulnerability available remotely, anonymously,
> >> and with almost no skill requirement whatsoever.
> >>
> >> In terms of privacy invasion, this is not a difference in degree. It's
> >> a difference in kind. It's a new line that has been crossed and which,
> >> due to the technical complexity of explaining the risk to regular
> >> folks, will fly completely under the radar. It's custom-designed to
> >> root your device without knowledge, consent, or recourse, so functional
> >> that "legitimate" vendors apparently find malicious uses irresistible,
> >> and impossible to constrain to "legitimate" vendors. If you have a
> >> Lenovo PC today and haven't disabled this "feature", all sorts of
> >> uninvited guests can come camping out in your firmware and you won't be
> >> able to kick them out. If you have any other brand of device running
> >> Windows, well it's just a matter of time now.
> >>
> >> But try telling any vendor - or your representative - that just because
> >> we can doesn't mean we should. Nobody treats this as a privilege.
> >> Access to our data and the internals of our devices is assumed to be an
> >> entitlement, even when the implementations are clearly incompetent and
> >> capable of causing significant emotional, financial, and even physical
> >> harm to the owner of the device or user of the service.
> >>
> >> So let's say there's a vendor with retail customers who wants to
> >> improve their profitability. Do they consult with the merry band of VRM
> >> minstrels? Why should any vendor treat unlimited and intimate access to
> >> us as a privilege when the competition sees it as a right, capably
> >> exploits it, and the current regulatory regime fully supports that
> >> approach? VRM doesn't become mainstream until there's a line imposed by
> >> the market such that vendors need a way to remain competitive without
> >> crossing it. Not only are vendors crossing that line today, they are
> >> having long jump competitions to see who can go the furthest, and then
> >> advancing the line while we aren't looking.
> >>
> >>
> >> Blogged here:
> >> http://iopt.us/1NuI0Y2
> >> https://ioptconsulting.com/vendor-entitlement-run-amok/
> >>
> >> Kind regards,
> >> -- T.Rob
> >>
> >> T.Robert Wyatt, Managing partner
> >> IoPT Consulting, LLC
> >> +1 704-443-TROB (8762) Voice/Text
> >> https://ioptconsulting.com
> >> https://twitter.com/tdotrob
> >>
> >>
> >
>

--
Don Marti
< >

http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking? http://www.aloodo.org/test/


