#0016: Software recommendation: Firefox Monitor and haveibeenpwned?

https://monitor.firefox.com/

https://haveibeenpwned.com/

Preamble

In a bid to make more immediately useful content, I’d like to start recommending some of the various tools that I use. In this case it is an online service, namely Mozilla’s Firefox Monitor; or more to the point, it is actually the website haveibeenpwned.com (HIBP), which Firefox Monitor uses to power its service.

What do they do?

In essence, Firefox Monitor and HIBP are used to check whether or not an email address is associated with a recorded data breach. Keyword: “recorded”. They do this by using a database of known breaches provided by haveibeenpwned.com.

The purpose of this service is to allow people to ascertain whether or not an online account (and the user information therein) associated with the email address has been compromised in a known data breach, and is thus in need of immediate remedy: changing passwords and recovery phrases, and generally being aware that any potentially sensitive information associated with that account, such as full name, mother’s maiden name, GPS location, education, birth date, telephone, city, school or business information, has now circulated within the hacker community.

Additionally, it helps to know which company is to blame for the spike in the volume of spam and phishing emails that will most certainly accompany said breach. I don’t know about you, but that’s something I’d certainly like to know.

Why is this service important?

It is my belief that every solution begins with awareness: awareness of the problem. Only then can we move to better the situation. This tool gives you exactly that.

In my opinion, the main reason this tool is important is that the companies involved in the data breaches are themselves loath to make their customers aware of them. Even though it is in their users’ best interests, it is not in the business’s best interests to advertise any breaches beyond the legally mandated/enforced minimum. Furthermore, who knows what that minimum actually is when dealing with global or multinational companies that operate across many legal jurisdictions. This is especially true when dealing with larger companies with entire legal teams at their disposal.

This service is important because (still just my opinion) companies in general tend to quietly patch any security vulnerabilities as they find them, and move on hoping no-one has noticed. This is especially true when there is no internally confirmed security breach.

Whenever a confirmed breach does happen, the first thing the company responsible does is downplay its scope and severity. This may (and probably does) include not even publicly reporting the breach until it has already been made public elsewhere, often much later. In many cases there is even resistance to acknowledging fault after the breach is made public. This is most likely a bid to exonerate themselves of any potential legal liabilities involved.

At the very least, acknowledgement of fault could be seen as weakness; weakness that will shake public confidence in the company and/or service. Therefore it is in their best interest to maintain the general illusion of control and/or competence. It’s corporate PR 101. It’s just a shame that the company’s and its users’ interests don’t align in this circumstance.

Why should people use these tools?

Both Mozilla Firefox Monitor and HIBP are free-to-use, publicly available tools. Both come from reasonably trusted sources. Firefox Monitor is the product of an open-source, community-driven effort, giving it a certain level of transparency, and HIBP was developed by Troy Hunt, an authority on the topic of digital security. Even if you don’t know who Mr Hunt is (and I didn’t prior to this post), the fact that the Mozilla team decided to use his HIBP database for Firefox Monitor means that they are vouching for it.

More importantly, the tools themselves can assist an individual in protecting their personal information online. They do this by giving the individual exactly what I mentioned earlier: awareness. Awareness of whether or not the account information associated with that person’s email has been circulated, and which company is at fault for it.

For example: if you used the tool and because of it now know that an account with company X associated with your email has been breached, and that along with that breach your “security questions” were revealed, then you now know both to remove those particular security questions and never to use them with any future account … ever. They are basically permanently compromised. Forewarned is forearmed.

taken from https://github.com/mozilla/blurts-server

Difference between Firefox Monitor and haveibeenpwned?

Firefox Monitor is a very slimmed-down version of the HIBP tool that gives the lay user just what they need, without overwhelming or putting off said lay user. It is rather idiot-proof, merely requiring users to input their email and press enter. That’s it. Firefox Monitor also comes bundled with a few basic articles on good security practice that may be helpful to the average user. Common-sense stuff, a lot of it, but you know what they say about common sense.

Although Firefox Monitor is the simpler tool to use, it must be said that HIBP is a far more robust tool, and the one that I recommend. This is because, in addition to searching email addresses, it allows searching by password and by domain name. The website also allows users to browse a catalogue of breached websites without running a search. Extracts below.

Ever wondered how many accounts have been breached because they used the password “love”? Wonder no more. According to HIBP, it’s 356006 times.
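The password search is worth understanding before typing a real password into any such service: the HIBP range API works on k-anonymity, so the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining 35 characters locally against the returned list. The block below is an added example, not code from the post or from HIBP; it assumes the public endpoint https://api.pwnedpasswords.com/range/ and, for the offline run, a constructed sample response that reuses the 356006 count for “love” quoted above.

```python
import hashlib
import urllib.request
from typing import Tuple

# Public HIBP Pwned Passwords range endpoint (real, but only used by fetch_range).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count
    recorded for our suffix, or 0 when it is absent (not seen in any breach)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the real range for a 5-character hex prefix (needs network)."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        # Add-Padding makes HIBP pad the list with count-0 entries so that the
        # response size does not hint at which prefix was requested.
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Times the password appears in HIBP, found via k-anonymity: only the hash
    prefix is sent; the full hash is matched locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response (not real HIBP data): two made-up suffixes plus
# the real SHA-1 suffix of "love", paired with the count quoted in the post.
SAMPLE_PASSWORD = "love"
_SAMPLE_SUFFIX = sha1_prefix_suffix(SAMPLE_PASSWORD)[1]
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_SAMPLE_SUFFIX}:356006",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range returning the constructed sample."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    # Offline run against the sample; pass fetch=fetch_range to query HIBP.
    print(pwned_count(SAMPLE_PASSWORD, fetch=fake_fetch))  # 356006
```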

I have also perused a nice little selection of companies from HIBP’s catalogue of known breaches that you may find interesting.

Personal experience with a data breach.

Just an aside if anyone is interested. From reading the above “Why is this service important?” section, you might have gotten the idea that I may be ever so slightly cynical about the companies involved in security breaches like these.

Frankly speaking, whenever data breaches do happen, I do not consider the corporations involved to be “victims” of cybercrime, as many others seem to do. It is a nauseating sentiment, one that condones bad behaviour. This is because it is my personal belief that the vast majority of cases are due to one core thing: a dereliction of duty. Them failing in their duty to protect the data that they collected. Little more.

In addition to consuming various news articles about data breaches over the years, ones with the general theme of corporate incompetence (for example: employees carrying around sensitive data on unencrypted thumb-drives, only to lose them on the train), I also have a few examples of companies that leaked my very own personal information. All of this has coloured my opinions thus.

The most memorable is the online virtual tabletop gaming website roll20.net. The thing that rubbed me the wrong way about them is that at no point during the process did they ever take any accountability for allowing it to happen. They did eventually outline what information was taken, but they never offered an apology for their lax security. Instead they covered it up with boilerplate (legal-friendly) corporate speak.

Example: “The investigation identified several possible vectors of attack that have since been remedied. Best practices at Roll20 for communications and credential cycling have been updated, with several code library updates completed and more in development.” Assuming that is indeed true, the same could literally be said by any company involved in a similar data breach; just change the names.

Although, from what I understand by reading the article that they linked in their post, technically (purely technically) it appears as though it’s not their fault, but rather due to the underlying technology that they used. At least that is the implication presented. I’d argue that they still made the decision to use said tech, and thus vouched for it by doing so, making them responsible, at least tangentially. At least enough for a simple sorry. The closest their customers got to an apology was a “Frankly, this sucks.” That was written in an official company blog post that they passed off as a conclusive public report, authored by Jeffrey Lamb, the Data Protection Officer.

I remember thinking at the time that whoever was writing this was good at the bland formalities of corporate speak, but otherwise is (and excuse my French) a fucking dickhead. You have to keep in mind, reader, that they only knew of their own data breach because of a third-party report, one that was published months after the fact. The report was published in February of 2019, and the breach happened (according to Mr Lamb) sometime in late 2018. No apology warranted, not even for missing the hack until a third party told you about it months after the fact. They then went on to write their conclusive report in August of 2019. So nearly a year between the data breach and the final public debrief, where they outline exactly what data was exposed. I call that incompetence. “Data Protection Officer”? More like resident salary sucker.

The ultimate lack of accountability is what really rubbed me up the wrong way here. And why would they be accountable? There is little in the way of consequence, it seems, for these messes. There are even examples of customers defending roll20 in the comments, referring to them as “victims” of cybercrime. They aren’t the victims here, idiot, you are! I’ll include some choice examples of this for your entertainment. It’s customers like that who make businesses feel like they don’t have to be accountable for their actions, or in this case their general inaction with regards to proactively protecting customer data. Please read through the example comment thread.

You really can’t reason with people like that. They have too much emotional stock in a corporation to admit to themselves that they got screwed by it. There were even people actually praising roll20 for its meagre efforts: a sum total of 2 blog posts, some notice tweets/emails, and patching a hole in their own boat. Thanks roll20, stellar job. Shame about all my cargo sinking to the seafloor for the bottom feeders to enjoy. I mean, you only lost my full name, my IP address (so my physical location), my password, oh, and some of my credit card data. Don’t worry about that roll20 (not like you would), that’s my problem. Fuck those types of customers. Wankers.

Moving on. Another example of a gormless entity losing my data is ffshrine.org, a Final Fantasy fan site that I registered with in 2010, I believe, and haven’t used since 2010. Ideally, they would have flagged the account as inactive and deleted it after a couple of years. But alas, instead they just kept whatever details I gave them for the five years until their 2015 data breach, where they lost subscriber passwords and email addresses. No warning email after the event, nothing. Radio silence. I had a similar experience with tumblr back in the day. Radio silence. No accountability. Are you sensing a theme here, dear reader?

Closing thoughts.

I have written far more here than I initially wanted to, so I will keep this summary short. Tools like haveibeenpwned and Firefox Monitor are things that you as an individual can use to help protect yourself in cyberspace. They can help you take proactive measures to safeguard your own data. They can also show you evidence that the large corporations really aren’t as professional or as infallible as they like to appear.

And when they make mistakes, mistakes such as losing your data, it is often you that has to bear the brunt of the repercussions, with little if any repercussions to them. Maybe they incur a temporary stock dip. But the fact of the matter is, they’ll recover from it. However, whatever data you provided them for safe keeping, well, that’s now permanently out there. Enjoy.

For example, to this day I still get phishing emails that say something like: “hey MY_FULL_NAME, YOUR_BANK has detected multiple login attempts using PASSWORD_FROM_FFSHRINE.ORG to login. We have frozen your account because we suspect fraudulent activity. Follow the obviously dodgy link provided and give us your security questions to fix this.” Although I can recognise a phishing scam when I see one, many technology-illiterate users cannot.

And make no mistake, the companies that were lax in their security, the ones that have the attitude that breaches happen, are the exact ones to blame for the perpetuation of the black-market information economy. An economy that preys on people: the real victims. The people who trusted these corporations with their data, thinking it in safe hands. Not the corporations themselves, whose lack of diligence and general incompetence allowed the data that they were trusted with to be exposed.

Jeez… that got a bit preachy towards the end, didn’t it? Sorry about that. It’s just that seeing companies fobbing off their responsibilities, and then seeing customers with Stockholm syndrome defending these same companies against criticism, really ruffles my feathers.

Anyway, thanks for reading.

References, links, further reading.

https://github.com/mozilla/blurts-server

https://monitor.firefox.com/

https://monitor.firefox.com/breaches

https://monitor.firefox.com/security-tips

https://haveibeenpwned.com/

https://haveibeenpwned.com/About

https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches

https://blog.roll20.net/post/182811484420/roll20-security-breach

https://blog.roll20.net/post/186963124325/conclusion-of-2018-data-breach-investigation

Hacker who stole 620 million records strikes again, stealing 127 million more

#0015: Device analysis of an unbranded LED dynamo torch

Preamble

It’s rather hard to provide a useful review of an unbranded product such as this. Since it has no brand and no model to specify, we can only identify this particular device by its general appearance. Unfortunately this can be an issue when it comes to stating anything definitive about the product, due to the unregulated variations and derivatives on the market. In other words, just because two of these unbranded devices are outwardly identical doesn’t necessarily mean that the components (or configuration thereof) are also going to be the same. Heck, we don’t even know if any two different units were made by the same OEM (Original Equipment Manufacturer). Consequently, your mileage may (and probably will) vary if you pick up one of these dynamo torches. I can only show you what I have in front of me; and I have a sample size of two.

Device Demonstration

Device internals

Schematics

Torch A

made using https://www.digikey.com/schemeit/

Torch B

Key:

L1: 5 mmØ through-hole LED (white)
L2: 5 mmØ through-hole LED (white)
L3: 5 mmØ through-hole LED (white)
R1: 5.1 ohm resistor
S1: two-state toggle slide switch
V1: dynamo (AC source)
B1: [x3] AG10 / LR1130 button cell battery

Possible modification

  • rectifier and capacitor on the dynamo circuit

Key:

DB1: Diode Bridge
C1: capacitor

I think that perhaps some kind of rectifier followed by a capacitor on the dynamo circuit will provide the parallel LEDs with a more constant voltage, allowing them to stay on at a constant light intensity for a little longer, at the cost of a few initial revs without any light output as the capacitor charges. Is it worth the effort? Not especially. It might just help prevent the sudden light dropout. I’ll need to test it out myself before I say anything definitive here.

As for the rectifier, I would recommend a full-bridge rectifier using four diodes for maximum efficiency, if there’s space for it. This is because this configuration inverts the negative half of the AC waveform into positive before passing it on to the smoothing capacitor. Alternatively, a single inline diode will simply cut the AC in half by passing only the positive half. It’ll do the job, but at the loss of the negative half of the AC. Although, this is lost anyway at the LEDs, since they’re diodes. With this use-case, I think we need all the efficiency we can get, and a full-bridge rectifier may even make the device function a little better. Like I said, it needs proper testing; that’s why I stated this as a “possible modification”, rather than my usual “recommended modification”.

EDIT (2021-02-04): On further thought, any benefits of rectifying the dynamo AC will probably be negligible. I believe this is the case due to the low voltage provided by the dynamo (approximately 2V AC), coupled with the forward voltage drop that will occur within the diodes themselves.

The example diodes I have (namely 1N5818) have a really small forward voltage drop of 0.45 volts at 1 ampere. Even this minuscule drop will have a notable effect on the resultant DC.

web link: https://www.bitsbox.co.uk/data/diodes/1N5818.pdf

Still, I think the idea of rectifying a dynamo’s AC to DC would be worthwhile, if for no other reason than to make a generally more useful form of power. Unfortunately, for a dynamo of this output, it’s just not worth it.

Dynamo AC generation demonstration

Gear array and dynamo

A1: Spur rack: 24 mm w/ 11 teeth
B1: Spur gear: 8.5 mmØ w/ 10 teeth
B2: Spur gear: 41 mmØ w/ 81 teeth
C1: Spur gear: 7 mmØ w/ 12 teeth
C2: Latching spur gear: 2 pivoting teeth
D1: Internal spur gear: 26 mmØ (inner diameter) 32 mmØ (outer diameter)

(Please note: when two gears have the same gear letters, it means that the gears are connected.)

Dynamo:
24 mmØ toroidal (doughnut) magnet (with 4 Norths and 4 Souths)
coil consists of:

  • dynamo core (magnetic conductors)
  • a 920 cm length of 0.1 mmØ gauge copper wire
    (wrapped into a coil of ~276 revolutions)

Please forgive any inaccuracies in the naming convention for the gears; this is the first time I have actually paid any attention to the subject of gears in general, and it appears to be a deeper subject than initially expected, with quite the learning curve involved. The “latching spur gear” and “internal spur gear” are the ones where I hazard a guess as to what they might be called, because at the time of writing I was unable to find a named example of what I was looking at. It can be difficult to find something when one doesn’t know the keywords to search for.

Gear system in action

Pushing force on the handle moves the spur rack against spur gear B1. B1 then rotates clockwise. This in turn rotates the conjoined spur gear B2 clockwise. B2 interfaces with spur gear C1 and rotates it counter-clockwise, which in turn rotates its conjoined latching spur gear C2 (counter-clockwise).

The swivel teeth within the latching spur gear are designed to lock into the teeth of the internal spur gear D1, although this happens only when they rotate counter-clockwise within D1. In doing so they rotate D1 and its toroidal magnet. This rotation changes the local magnetic field, which is picked up by the magnetic metal of the “dynamo core” and carried via this core to the copper coil winding, where it induces an alternating current that powers the LEDs.

Once the handle is fully pressed in, with the spur rack (A1) at the end of its track, the operator’s pressing force is removed. At this point the spring in the handle pushes the handle back out and forces the spur rack back to its start position. In doing so it rotates spur gear B1 counter-clockwise this time; this rotation is passed on to spur gear B2, which rotates spur gear C1 clockwise. This rotation is passed to the 2-tooth latching spur gear C2, which in turn spins clockwise freely and allows the gear system to reset position. Then the process repeats as the operator pushes on the handle. And so on.
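As an added example (not from the post), the gear train described above as a small model: it turns the tooth counts from the key into magnet revolutions and AC cycles per handle stroke, and reproduces the push/return rotation directions of C1/C2. Assumptions of mine: a full stroke traverses all 11 rack teeth, the pivoting teeth of C2 drive D1 1:1 on the push stroke and freewheel on the return, and the stroke time given to ac_frequency_hz is a guess.

```python
from dataclasses import dataclass

# Values from the gear key above; the rack stroke and pawl behaviour are assumptions.
RACK_TEETH_PER_STROKE = 11  # A1: 24 mm spur rack with 11 teeth, assumed fully traversed
MAGNET_POLE_PAIRS = 4       # toroidal magnet with 4 norths and 4 souths


@dataclass(frozen=True)
class Mesh:
    """One external gear mesh: `driver` teeth moving past `driven` teeth."""
    name: str
    driver: int
    driven: int

    def turns_ratio(self) -> float:
        # Driven turns per driver "unit": one turn of a gear, or one full stroke
        # of the rack (which counts as its 11 teeth).
        return self.driver / self.driven


# Rack -> B1 (10 teeth); B1 and B2 (81 teeth) share a shaft; B2 -> C1 (12 teeth);
# C1 and the latching gear C2 share a shaft. Shared shafts are not meshes, so
# the whole train is just two meshes.
TRAIN = [
    Mesh("A1 rack to B1", driver=RACK_TEETH_PER_STROKE, driven=10),
    Mesh("B2 to C1", driver=81, driven=12),
]


def magnet_revolutions(push: bool) -> float:
    """Revolutions of the magnet ring D1 during one full handle stroke.

    Assumption (mine, not the post's): on the push stroke the 2 pivoting teeth
    of C2 lock into D1 so D1 turns 1:1 with C2; on the return they freewheel.
    """
    if not push:
        return 0.0
    turns = 1.0  # one complete rack stroke
    for mesh in TRAIN:
        turns *= mesh.turns_ratio()
    return turns


def spin_direction(push: bool) -> str:
    """Direction of C1/C2. Per the post B1 turns clockwise on the push stroke,
    and every further external mesh reverses the direction of rotation."""
    clockwise = push
    for _ in TRAIN[1:]:
        clockwise = not clockwise
    return "clockwise" if clockwise else "counter-clockwise"


def ac_cycles_per_stroke() -> float:
    """Each north/south pole pair passing the core is one electrical cycle."""
    return magnet_revolutions(push=True) * MAGNET_POLE_PAIRS


def ac_frequency_hz(stroke_seconds: float) -> float:
    """Rough output frequency if one push takes `stroke_seconds` (assumed)."""
    return ac_cycles_per_stroke() / stroke_seconds


if __name__ == "__main__":
    print(f"magnet turns per push: {magnet_revolutions(True):.3f}")  # 7.425
    print(f"C2 on push / return: {spin_direction(True)} / {spin_direction(False)}")
    print(f"AC cycles per push: {ac_cycles_per_stroke():.1f}")  # 29.7
    print(f"at an assumed 0.3 s per push: {ac_frequency_hz(0.3):.0f} Hz")  # 99
```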

The device as a consumer product

Build quality

This is probably the cheapest dynamo torch on the market; if not in price, then certainly in build quality. The main body of the torch is made up of two separate mouldings that sandwich together. This assembly clips into the grey plastic ovoid that houses the LEDs, batteries and the light guide/reflector. Add to this one or two (depending on version) small self-tapping Phillips screws to keep the device together.

The Phillips screws for the housing are set into thin moulded standoffs that seem prone to either splitting at the screw thread or cracking at their base. I believe the cracks at the base of these standoffs are caused by the general mechanical stress incurred by the gear and spring system, both in action, when the dynamo mechanism is being used with the spring-loaded handle being vigorously pumped back and forth, and at rest, because the spring that pushes the handle back out puts a constant stress on the gears that are set into these flimsy standoffs.

I have had these two torches in safe storage for a few years, and I was surprised to find that one of the two had broken its standoffs, well off. Considering my storage solution (think sealed plastic tub in a garage), this may have been caused, if not exacerbated, by temperature variations, in addition to the stress of having a coiled spring pushing against them. But basically, I put the thing away fixed and found it broken. Considering that one of the use-cases the online retailers advertise this thing for is camping, I don’t think that the temperature swings of the mild British weather should have caused this.

Something positive: the internal components I generally have little problem with, from the LEDs to the dynamo and nylon gears. They are all very inexpensive components, but there is nothing especially wrong with them. They are all basically fit for purpose. Even the dynamo, although, unfortunately, its delicate hair-thin wires extend out of the dynamo coil and into the device proper, towards the switch and LEDs. This makes the device far more likely to suffer a breakdown, as these wires are far too thin and delicate to be used for general device circuitry, especially in the presence of an unshielded gear system. Look at the pictures to compare the dynamo wire (~0.1 mmØ) to the LED (~0.4 mmØ) or switch (~0.5 mmØ) terminals to understand just how thin the dynamo coil wire is. Please note: inaccuracies in recorded measurements are due to the pictured calipers used … and me.

False advertisement claims

I have seen this torch (and its derivatives) in multiple online stores. I have also seen a lot of false advertising around this product across multiple vendors, including eBay, AliExpress and especially Amazon. This is predominantly due to the sellers lifting the product descriptions from each other; in some cases they’re literal copy-pastes.

There are many claims on these store pages that made me chortle. These included “High tech ultra bright LEDS”, when referring to the 3 bottom-market 5 mmØ through-hole LEDs, or the sentence “perfect for outdoor use”, when describing an electronic product that is about as watertight as the average kitchen sponge.

Since these claims are subjective, you can’t say that they are technically wrong, because that’s just, like, your opinion, man. These are (in my opinion, man) just examples of product puffing or marketing wankery. Something that I honestly have come to expect at this point in my life. Whenever I go to buy something, I will inevitably have to sit through at least some marketing bullshit, because apparently every single product ever made is as great as sliced bread, and should get you as excited as the second coming of our lord and saviour. Or else there is clearly something wrong with you.

Moving on. Something else that I have come to expect, and let’s be honest here, enjoy, is Chinglish. And there are some great examples of this within these product descriptions. My favourite is “Works on a new technology of pressing handle with your hand.” Hey, it made me smile. Here’s another doozy for you: “LED torch adopt advanced technology of LEDs emitting level of 3 fluorescence tube”. What the actual fuck are they trying to say?! If internet scholars ever decrypt this product claim, you can probably safely bet that it is some form of bullshit.

Which nicely brings me to the real issue that I have with these product ads: the genuine examples of outright falsehoods. The main two claims that I have issue with are: 1) that the dynamo action charges the batteries, and 2) that the product doesn’t include batteries in the first place.

For the first example I have an eBay advert that uses the keyword “charge” in its description and makes mention of the 3 disposable AG10 coin batteries that come in the unit, although it doesn’t mention that they are single-charge disposable units. Hence the assumption that the average consumer is likely to make is that the dynamo charges these batteries. Another Amazon ad states the claim “No batteries required, Eco and rechargeable”, to make the customer think that it comes with some kind of componentry that either enables the device to store charge without batteries (e.g. capacitors), or that the device comes with built-in rechargeable batteries.

Unfortunately neither is true. A cursory look at the above schematic for either unit A or B will show you that at no point does the dynamo charge the batteries. They are on two separate loops. Also, where is all the charging circuitry? The bridge rectifier, voltage regulator and smoothing capacitors involved in converting the alternating current that the dynamo produces into a fixed-voltage direct current for the batteries. Additionally, even ignoring those facts: let’s say that after reading this paragraph someone still isn’t convinced of my claim that the dynamo does in fact not charge the batteries; then why does this torch ship with disposable (non-rechargeable) alkaline AG10 coin batteries? It’s because this claim is provably false.

Now onto the next false claim. This was the one that I took notice of initially, and actually inspired this rant: the claim of these torches not having a battery to begin with. The disproving evidence for this claim is in some cases in the bloody product description itself. I have even seen adverts that claim that it doesn’t have batteries, only to then make the contradictory claim of a 15 minute running time at full charge.

Closing thoughts

I honestly never intended to talk this much about this budget torch. However, the more I looked into the item, the more I found to say. To sum it up for you: everything from the build quality to the false claims makes this thing absolute dreck.

I think the main reason these types of products can make outlandish claims and still sell is their price. They are so inexpensive that returning them may cost more in unreimbursed postage than the refunded price of the product. For example, a torch costing approximately £2.50 will cost £3.10 (at time of writing) to return via a Royal Mail UK-only “small parcel”. This is of course assuming that the customer bought the product from a UK distributor.

If it was bought from China, then a return is basically not financially viable. The international postage is only cheap one way, and that’s due to bulk export shipping from China. Consequently, I have had experiences with sellers who have contacted me offering a full refund with no return if I removed a (well deserved) negative review I had given for the product. That’s likely the main reason why they have such high reviews (4/5 star average on Amazon): because they buy off the negative ones, like mine.

As for my final word on the torches themselves: I think that they are basically designed to be factory-fresh e-waste. They will go from the factory, to the seller, to the customer, and to the bin faster than should be acceptable. This is due to their own shoddy nature and little else. They are a good testament to the saying “you get what you pay for”. One could also use the saying “buy cheap, buy twice”, that is, if a person actually intended to use these torches for their advertised use-cases. Good luck camping with this piece of hot shit in your back pocket.

Thank you for reading.