Too many permissions for cellphone apps

It seems that nowadays for any simple Android cellphone app you need to give access for:
  • Your location
  • Your contacts
  • Your WIFI network name
  • Your phone ID
  • Reading what other apps are installed
  • Disk access

Unfortunately we have Android being slow to solve this issue, which has already been solved since years in other Android distributions such as CyanogenMod.

In either case, it is possible to remove some of the permissions nowadays. You can install the app as required, then before running it for the first time you should go to Settings -> Apps -> YourApp

From there, you can deny the permissions to access private data. Guess what? Most apps keep working exactly as normal, which makes one wonder why they request them in the first place.

Stay safe.

IPFS: the missing link for our future

There is a new way to store files online, it is called IPFS:

This is a decentralized network that functions on top of the Internet. The idea is that you can publish a file of any kind online and anyone else can decide to host the same file so you are not alone.

We have torrents. We have similar projects from the past and likely more in the future that are available, why would this one be special?

This one is easy to use. Has a catchy name and simply works.

For those interested in cyber-archaeology, the worse fear is that any given server will fail at some point. Geocities went gone, thousands of forum sites disappear per year, let alone the small zip files and other resources that we will not be finding again, so soon.

IPFS proposes a good way to preserve that link with our future, before it goes missing. Uploading new files is simple, straightforward and anonymous. The potential is there.

Imagine our forum software being rewritten one day to simply store the content on text files and permit any viewer to iterate and use this data. Even as the original server goes offline, the forum itself would continue to function as read-only on the very least.

Same for image and attachment hosting. Today, the server for one forum is hosting the attachments and images that are posted by end-users. With IPFS exists the option for any user to store those same files and thus preserve them when they are no longer available on the original location.

This matters not only for the future, it matters too for geographies where Internet access blocked to certain sites today. Or even better, just imagine how unimaginably difficult it is today to read a forum site without being monitored online through your operating system, the network cables, the web browser and the javascript libraries that simply tell the whole world what you are doing online, at any given moment.

In the end of the day: decentralization is the basis of our Internet.
It is our place where anyone, anywhere, anyhow can share knowledge at anytime.

Let's keep it that way.

Try out IPFS by yourself, and see today how the future looks like..

10 things to learn from the 1 400 000 000 passwords/emails leaked to public

Just writing 1.4 billion doesn't work.

To visually understand how big this recent leak of data was, you really need to count slowly the zeros on the title of this post.

That's data that anyone with some time will be able to find. It is not awfully recent, it is from about 2016 and most of the major websites such as google, linkedin, dropbox and similar have already forced their customers to change the password they were using.

Still, (and this is a big still), The amount of information that you can extract from this database with 1400000000 user accounts is simply gigantic.

10 things anyone can learn about you:
  1. Knowing your old password means that anyone can also query that same password and find other email accounts that you are using  (for example, gmail accounts)
  2. An attacker can likely spot a pattern that they can try in other sites. For example: "linkedin1970" as password will give a hint that they can try at other sites replacing the "linkedin" portion
  3. For big organizations, it is hundreds if not thousands of email addresses from real employees that can now be targeted for phishing
  4. Passwords are intimate, often reveal what is on the mind of the user. Some passwords are too revealing (e.g. sexual orientation, religion, romantic partners) and this information can be used against them (blackmail, defamation)
  5. Revealing identities, you have people belonging to a company or organization that do not want this information to be public
  6. Email patterns, learn the pattern under which the emails are created such as "", "", "" or some other combination that helps attackers to guess the email address of another person inside the same company that they want to target
  7. Discovering your nationality or real name, based on the country portion of the domains where your accounts are using
  8. Discovering previous companies where a person has worked
  9. Get direct email access to the CEO/CTO of smaller companies
  10. Passwords hint your security knowledge. Looking at the same organisation, a person using special characters will look more knowledgeable than another using only simple words. This helps attackers to pick users likely to fall for social engineering traps  

The potential for misuse and abuse is there.

Passed a good part of last week looking at the data, cleaning up the records and verifying their authenticity. This data is real, even my mom had her password listed there.

Some cases were just weird. While looking up for the name of a known criminal as test, the first match indicates that he had an email account with a very small email provider in Switzerland.  In other cases such as the accounts from domains belonging to football clubs, the large majority of these passwords included the name of the football club inside them (e.g. "benfica1"). One of these clubs had recently passed through problems as their emails got leaked to public. After looking at their password practices, I can really understand why it wasn't that difficult to guess them.

What seems more troubling is the amount of people using their company emails for registration in external sites. Certainly in many cases it is a necessary action, can't stress enough that this type of thing should be avoided as much as possible.

Change your passwords and use two-step authentication when available. Over the next two weeks we will see so many people losing their privacy, so please change your own passwords without delay.

Want to help your friends? Make sure they read this page so they can also learn. That's good karma being built on 2018 right from the start.

Stay safe out there.