Dear Slim, or — Why You Should Give 1000 More Fucks About Online Security than You Currently Do

It's Not so Bad, It's Not so Bad…

Every time — and it's probably annoyingly frequent — I bail my close friends up about online privacy/security, I'm usually rebuffed with a variant of these two responses (albeit very gently; they're lovely friends):

  1. I just don't feel like I have that much to hide
  2. Security and privacy are furphies, it's the 21st century baby!

And like, that's cool. I get it. It's awesome to be nonchalant. I don't even care how short some of these sentences are. Problem is, consumer demands are almost sole drivers for where corporations expend their energy (see: "it's the 21st century!"), and so companies will give **not a single shit** about things that don't cross customers' minds. So if the customer base of Utilitarian Corp is a bunch of sociopaths and Utilitarian Corp is in the t-shirt manufacturing business, you can bet your absolute scungiest, bottomest dollar that any t-shirts in question will have seen their fair share of perspiration-based labour before they see they light of day. So it is with privacy.

He Wants to Be Just Like You, Man

The issues around "online privacy" are multitudinous and nebulous, so I just want to focus on one particularly relatable example: video streaming.

A few services have launched lately in Australia, and it's exciting to finally have a way to access a large variety of TV shows and movies, for a reasonable price, in a relatively straightforward way. But perhaps, I thought, the haste with which a) the various companies might have deployed these services, attempting to get a jump-start on each other, and b) consumers may have signed up to these services, might bear out some examples for why privacy is so often and unjustly neglected in favour of most other, more obviously aspects.

So I signed up to Stan, as it was the first service to come to mind (and I really wanted to watch Better Call Saul). And, apart from it not working with Google Chrome, it was great! Except this caught my eye:Unsecured page

Notice the lack of a 'padlock' icon (as you should see at the top of this page, for example). This means that all information coming to and from the page is sent unencrypted. As a result, anyone on the same network — at home, the coffee shop, at work, in the airport; you get the idea — can see what I'm sending and receiving. For example, here is one such transmission:

Google search plaintext transmission

Anyone on the same wifi network can see that I'm googling "google" (and can probably infer that I'm one of those "baby boomers on the internet" we've all come to love in Facebook threads). To combat this, most companies (such as Google) employ encryption, so that nosey housemates/workmates/fellow travellers can't see that you're certifiable based on your online search queries. So, if the video streaming service Stan is passing plain text around, what's available?

When you log in to Stan (thankfully, this is done over secure HTTP,  like with your bank), the website issues your computer you a 'user id' and a 'user token'. This is for your browser to continually reassure Stan that it it, in fact, a legitimate user end-point for its service. Problem is…

Plaintext transmission redacted…these credentials are sent 'in the clear' (I've blacked out a large portion of mine for obvious reasons). That is to say, everything's sent along the same network where anyone with a computer and the mildest of determination can see what's happening.

So what? So this.

I Got a Room Full of Your Posters and Your Pictures, Man

The obvious first: anyone with these credentials can impersonate you on this service. Simply by adding two cookies in Firefox, I'm "me", without ever typing my password. From this:

Stan homepage

Via this:Cookie spoofingTo this:

Stan homepage (logged in)

I Left My Cell, My Pager, and My Home Phone at the Bottom

The thing is, all of these services ask for information from the customer — and the user, ever keen to sign up to New Shiny Service, is usually all too eager to provide this. Customers probably rarely wonder why exactly a video streaming service needs their date of birth, despite never needing to provide that level of personal information if you purchase something like a computer, car, or even a house (sans finance). It strikes me as an odd mentality that we've somehow all grown accustomed to, presumably under the conditioning environment of implicitly trusting a computer.

So, once the guy at the internet cafe has checked out the latest Better Call Saul on your behalf, he can obviously cruise on over to see what other TV you're into. *YAWN*,  21st century. Okay. The following is also visible:

Personal info (redacted)


Your email address, date of birth, first and last name, and postcode. Enough for anyone to entirely ruin your day with any utility company. Also, I'm not going to show a picture, but the last four digits of your credit card are shown which can have some suboptimal consequences. Also, the names of your family if you've set up profiles

Stan profilesas well as the kinds of devices you own

Device list

I Do Want You as a Fan, I Just Don't Want You to Do Some Crazy Shit

So, what's a humble consumer to do? Firstly, complain loudly when you see a service you sign up for without a lock in the URL bar; it's a sure-fire way for them to be leaking a whole bunch of stuff about you that you shouldn't be okay with, to basically anyone who has 5 free minutes to ruin your day/life. It's unprofessional and wrong.

Secondly, and this is a much more broad deterrent: use a password manager; something like 1Password (it is very good). Using this, you can create whole identities for each company you interact with (sparing you from the DOB-leakage problem); it syncs to all of your devices, and you only need your thumb-print to unlock it if you use iOS. So, even if someone does jump into your Stan queue (and currently, there is no sure-fire way to prevent this it seems), your profile won't contain any valuable information, but you can still use this information to verify the account should it be compromised.

I Ain't Mad - I Just Think It's Fucked-Up You Don't Answer Fans

I let know about this vulnerability before publishing this post. Their response was lacklustre. They've since moved everything over to HTTPS (that a media company in the 21st century had to be told to do this, though…), although it took them about 3 or 4 days to do so. I was promised a response from their CTO more than 5 days ago, and a follow-up email since has received even less attention. So, I guess the moral of the story is: be careful what web services you use, be just as careful about what you tell them, and if you happen to come across a vulnerability, don't expect much in the way of a response.