Security quote of the week [LWN.net]

I began my investigation with a strong presumption of chicanery. I was unable to imagine the project kickoff meeting in which Wacom decided to bundle Google Analytics with their device, which - remember - is essentially a mouse, but managed to restrain themselves from also grabbing some deliciously intrusive information while they were at it. I Googled “wacom google analytics”. There were a couple of Tweets and Reddit posts made by people who had also read Wacom’s privacy policy and been unhappy about its contents, but no one had yet tried to find out exactly what data Wacom were grabbing. No one had investigated Wacom’s understanding of the phrase “aggregate usage data” or whether it was anywhere near that of a reasonable person.

[...]

Some of the events that Wacom were recording were arguably within their purview, such as “driver started” and “driver shutdown”. I still don’t want them to take this information because there’s nothing in it for me, but their attempt to do so feels broadly justifiable. What requires more explanation is why Wacom think it’s acceptable to record every time I open a new application, including the time, a string that presumably uniquely identifies me, and the application’s name.

— Robert Heaton (worth reading in full)

to post comments

Security quote of the week

Posted Feb 6, 2020 21:52 UTC (Thu) by flussence (guest, #85566) [Link] (3 responses)

Has anyone considered making a Windows driver framework that just… passes the entire device to a Linux VM, handles it with actual-good code, and returns the result to the host OS?

If that could be made to work, it'd make *a lot* of Wacom users trapped on that OS very happy. Their driver's widely regarded as an unmitigated trainwreck at the best of times.

Security quote of the week

Posted Feb 7, 2020 0:06 UTC (Fri) by mirabilos (subscriber, #84359) [Link]

That… is a unique great idea!

Security quote of the week

Posted Feb 7, 2020 12:57 UTC (Fri) by thumperward (guest, #34368) [Link] (1 responses)

This work was already done for WinKVM. https://github.com/ddk50/winkvm

Of course this article didn't even concern Windows drivers, but who reads articles before commenting on them.

Security quote of the week

Posted Feb 7, 2020 21:40 UTC (Fri) by flussence (guest, #85566) [Link]

If a company built out this kind of spying infrastructure on OS X and weren't inflicting it on their Windows customers already, *that* would be newsworthy.

The idea isn't applicable to Mac users because nobody's allowed to write kernel drivers for that OS without approval from the cathedral any more.

Security quote of the week

Posted Feb 7, 2020 23:25 UTC (Fri) by edeloget (subscriber, #88392) [Link] (2 responses)

I can't imagine how it can fit within the GDPR - which requires you to says what data you're grabbing (ok, most companies do not even try to do it right).

And the (now documented) kill switch... Wow. They'll have a hard time prentending that "this was a bug in our software, nothing we really wanted to do" if they intentionnally created a kill switch to stop the harvesting...

Security quote of the week

Posted Apr 17, 2020 12:50 UTC (Fri) by gdiffey (guest, #65017) [Link] (1 responses)

I'm a cynic I think the kill switch is to avoid detection during apple's validation.

Security quote of the week

Posted Apr 17, 2020 14:35 UTC (Fri) by anselm (subscriber, #2796) [Link]

It might be used to desist from spying in places where legal restrictions such as the GDPR are in force. They could presumably tell that from the IP address of the killswitch HEAD request.

Security quote of the week

Posted Feb 10, 2020 5:05 UTC (Mon) by ghane (guest, #1805) [Link] (3 responses)

Wacom goofed up.

"Wireshark also picks up DNS requests, which are used to look up the IP address that corresponds to a domain. I saw that my computer was making DNS requests to look up the IP address of www.google-analytics.com. "

If only Wacom had used the ULTRA-new DOH[1], or DOT[2], Robert Heaton would never have realised where they were shipping data to.

Note to evil minions: Protecting our users' DNS requests from their ISP's snooping helps us snoop on them. Wins all round, we can now sell their data back to the ISPs.

[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2] https://en.wikipedia.org/wiki/DNS_over_TLS
--
Sanjeev Gupta

Security quote of the week

Posted Feb 10, 2020 5:59 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

> If only Wacom had used the ULTRA-new DOH[1], or DOT[2], Robert Heaton would never have realised where they were shipping data to.
Wacom could have just used hard-coded IPs.

Security quote of the week

Posted Feb 10, 2020 6:13 UTC (Mon) by zdzichu (subscriber, #17118) [Link]

Well, he had to run Burp proxy to look into HTTPS traffic, anyway. He would see content of DoH requests if there were any.

Security quote of the week

Posted Feb 11, 2020 14:33 UTC (Tue) by robbe (guest, #16131) [Link]

Sure, you can connect to hardcoded IP addresses. If you want to be smart, you can ask the server there for the address of the final server to connect to (either with a standard protocol like DNS, DoH, DoT, or a bespoke protocol). And of course you could refuse to talk TLS to partners that cannot present a proper certificate (like the MitM proxy used).

So… you can make your software indistinguishable from malware. Why not make the product a few percent cheaper, and mine *coin on the side?

Security quote of the week

Posted Apr 17, 2020 13:43 UTC (Fri) by halla (subscriber, #14185) [Link] (2 responses)

Well, there is a "legitimate" reason for tracking which applications the user is running. Windows tablet drivers aren't written to a specification or something sensible like that, even if there are specifications, like Wintab. (Which started out in the 16 bits windows days.)

They are written to work with certain applications, tested with certain versions of those applications, and that makes it important to know which applications get popular, put those in the hands of your driver "developers", feed them copious quantities of baijiu or shōchū, and tell them, make it work.

Complaints about Krita being broken from Wacom users dropped a lot after we arrived at the million distinct Windows users/month mark.

And Wacom's drivers are good, compared to those from xp-pen, uc-logic, trust, genius and their ilk.

Security quote of the week

Posted Apr 21, 2020 1:29 UTC (Tue) by flussence (guest, #85566) [Link] (1 responses)

I've heard (and witnessed) the exact opposite - Wacom's windows drivers are a flaky, productivity-slaughtering nightmare for quite a few people. Devices disconnecting, pressure inputs mysteriously going missing, having to reboot to get it back into a sane state. And forget about having two different devices connected.

Compared to that, libinput seems like an absolute luxury. (At least when the toolkit isn't broken for months on end…)

Security quote of the week

Posted Apr 21, 2020 4:58 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

The most recent Wacom tablets on Windows are crap. Especially the ones with a built-in display. On the other hand, my Intuos Draw tablet is rock-solid.