Category Archives: Security

Shoo trackers and advertisements away

I started this series of blogs with my concerns about the amount of data that exists today. You can read that blog here.

After that blog I put on the hat of an astrologer and started predicting… 😀. My first prediction can be read as a blog here.

My second prediction can be read here. This is where I stated that the browser's incognito mode will/should be made the default.

My third prediction can be read here.

Recently I was going through some blogs regarding Web 3.0; yes… another topic that is slowly gaining more and more traction… soon many sites will start advertising themselves as being Web 3.0 compliant… 😀

Coming to the point…

In prediction two, I mentioned that it is just a matter of time before someone creates extensions for existing browsers that give you more control over advertisements (even Chrome has already started adding features whereby advertisements can be stopped) and trackers (where the hell are you, what are you doing, what data would you like to share, and so on…).

Yes, it seems many are thinking the same, and now I see a browser named Brave (I am not advertising that you start using this browser right away) which pitches exactly the same aspects and brings in control over privacy, what data is transferred, and so on…

If you go through their site, they say things which are intriguing enough to give it a try…

They say…

  • We as users have full control over privacy (privacy by default).
  • Blocks various trackers (control over what data is transferred) by default. They even say that, by doing this, you reduce data consumption. If you have an unlimited data package, this is not for you, but for a guy like me who doesn’t want to use data apart from very specific requirements (yes, I need it for maps and I read blogs, nothing else; everything else is kept off my data plan), this is quite handy, because when reading over the internet it can avoid data consumption (by the way, on my blog I am using Google ads…. 🤓).
  • By the way, if you feel that you need to give a helping hand to some free blogs/sites, you have the power to do so (or at least that is what I read), and you can also get rewarded if you are ready to see the ads these blogs/sites serve. Now, that is something I wrote in my blog while predicting.

So, all in all, you now have a brand new browser which gives us more control. Please note, I haven’t used Brave, nor do I have a plan to at this stage. But the point is that it’s coming, and we don’t have to wait a great deal to have some control over this.

It’s unfair that these advertisement providers (Google AdSense) use our data package to show these to us, and we as end users are not getting a cut… 😀. Also, they track us like anything with our data and then use our data for/against us to their advantage. In due course, all the other parties are gaining more from our private data than we are… 😀.

The customer is king, but in this case it seems we are cheated… what do you say?

Share/like the post to spread the word if you believe in what is written down… Thanks folks…

Disclaimer: I use Google AdSense, which gives me money to run this site… contradicting, isn’t it… 😁

My so-called innocent blogging (WordPress-backed) site, when run using Brave, shows as below… 🤣… be careful folks… just to be sure… I just show ads from Google and I use that to run my site (I have to spend close to $100 a year to run this site with my own registered domain).


Data, data everywhere… Prediction Four

I started this series of blogs with my concerns about the amount of data that exists today. You can read that blog here.

After that blog I put on the hat of an astrologer and started predicting… 😀. My first prediction can be read as a blog here.

My second prediction can be read here.

My third prediction can be read here.

You have a variety of mobile covers available today…

Have you seen a mobile cover which allows you to cover the cameras in your mobile phone at will?

I don’t think so… I predict mobile covers allowing users to close or cover these cameras at will (in their control)…

You would have heard of mobile signal jammers (without your knowledge they distort mobile signals so that your phone just cannot connect to make calls or send SMS)… something similar will come to make sure that we can either distort the camera pictures when not in use, or have a mobile cover (not from the phone manufacturer but someone else… or maybe from the phone manufacturer themselves) which can be used to completely cover the phone’s cameras (front and back)…

You might think… what does this have to do with data…

Again, this is because today you allow apps to take pictures and record video without knowing when they will do it by themselves… who knows whether at a particular time of day they just wake up and start recording videos or taking pictures…

I have already seen many colleagues at my workplace putting stickers on their laptop cameras… what they don’t realize is that in their pocket or in their hand they have mobile phones with dual cameras having high-density clear lenses capable of taking HD-quality photos and videos…

I am not against collecting this data and letting companies decipher these images or videos… but I am against vendors doing this without our permission… now you will say these companies ask for our permission and we have already agreed to this, but my view is that we did this only once, and after that, just because you have allowed them to do this, they can misuse it under that license agreement…

In this series I have one more prediction, and that’s in regard to voice commands being used to control apps… I had this in my head for long… but now I have seen multiple bloggers start to write about this as another intrusion into our private life… again we know this and we have agreed to it… but my issue is we don’t have any control over when these devices need to listen and when not…

So my last prediction is coming soon, and I will conclude my series with that last one…

Thanks for reading… share it if you like/agree… 😀


Data, data everywhere… Prediction Three

I started this series of blogs with my concerns about the amount of data that exists today. You can read that blog here.

After that blog I put on the hat of an astrologer and started predicting… 😀. My first prediction can be read as a blog here.

My second prediction can be read here.

My next prediction is in the area of mobile apps. Again, this is also very much in line with what I have been raising throughout this blog series.

Mobile apps today ask for various permissions to use a number of device features. Once you allow them, you don’t even know later what all you allowed. You have to dig hard (going through various taps and screens) to find these permissions and then disable them if you don’t want them to be used by these apps.

My prediction is that, similar to the browser, everything will be disabled by default. While installing, too, these app vendors cannot ask you to accept these permissions. Rather, when they start using that particular feature, the app needs to ask for permission each and every time. What I mean by that is, whenever an app tries to use a feature, it asks explicitly for that permission and then has to say exactly how this permission will be used. In addition, soon after its use, it again goes back into disabled mode.

As mentioned in my previous blogs, this is going to be tedious for customers/users. But this is something which the OS can take care of, and if for any reason the user feels that tapping on these permission dialogs every time is tedious, they have a provision to enable it for a period of time (say a week, or a month). After the allowed period expires, it again goes back to disabled mode.

The “Remember me” functionality on many websites nowadays does have a provision for remembering the username/password for a period, rather than forever (for a particular allowed browser).
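Here is what that permission model could look like in code, as an added example (not code from the original post or from any mobile OS): every feature is disabled by default, a grant is either single-use ("this one time") or time-boxed ("for the next week"), a single-use grant is consumed the moment the feature is used, and a time-boxed one silently expires. The feature names, purposes and the fake clock are all constructed for the example.

```javascript
// Added example: a permission manager with "deny by default", single-use
// grants and time-limited grants. The clock is injected so that expiry can
// be exercised without waiting for real days to pass.

const DAY_MS = 24 * 60 * 60 * 1000;

class PermissionManager {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.grants = new Map(); // feature -> { until: number|null, purpose: string }
  }

  // Grant `feature` for a stated purpose. durationMs === null means
  // "this one time only": the grant disappears after the first use.
  grant(feature, purpose, durationMs = null) {
    const until = durationMs === null ? null : this.now() + durationMs;
    this.grants.set(feature, { until, purpose });
  }

  // Called by the app right before it uses the feature. Returns true if
  // the use is allowed. Single-use grants are consumed here; expired
  // time-boxed grants are dropped here.
  use(feature) {
    const g = this.grants.get(feature);
    if (!g) return false;                       // disabled by default
    if (g.until === null) {                     // one-time grant
      this.grants.delete(feature);
      return true;
    }
    if (this.now() > g.until) {                 // time-boxed grant ran out
      this.grants.delete(feature);
      return false;
    }
    return true;
  }

  // What a settings screen would show: what is still allowed, why, and
  // for how long. Expired entries are pruned on the way out.
  active() {
    const now = this.now();
    const out = [];
    for (const [feature, g] of this.grants) {
      if (g.until !== null && now > g.until) { this.grants.delete(feature); continue; }
      const daysLeft = g.until === null ? 0 : Math.ceil((g.until - now) / DAY_MS);
      out.push({ feature, purpose: g.purpose, expiresInDays: daysLeft });
    }
    return out;
  }
}

// Constructed scenario: camera granted once, gallery granted for a week,
// then the clock is moved forward past the week.
function runScenario() {
  let t = 0;
  const pm = new PermissionManager(() => t);
  const results = {};
  results.cameraBeforeGrant = pm.use('camera');            // false: nothing granted yet
  pm.grant('camera', 'take a profile picture');             // one time only
  pm.grant('gallery', 'pick a photo to share', 7 * DAY_MS); // a week
  results.cameraFirstUse = pm.use('camera');                // true
  results.cameraSecondUse = pm.use('camera');               // false: already consumed
  t = 3 * DAY_MS;
  results.galleryDay3 = pm.use('gallery');                  // true: still inside the week
  results.activeDay3 = pm.active();                         // [{ feature: 'gallery', ..., expiresInDays: 4 }]
  t = 8 * DAY_MS;
  results.galleryDay8 = pm.use('gallery');                  // false: expired, back to disabled
  results.activeDay8 = pm.active();                         // []
  return results;
}
```

The one design choice worth noting is that the check happens at the moment of use, not at install time, which is exactly the difference the post is asking for: an app cannot bank a permission and quietly use it later.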

Assume you allowed a particular app access to read your gallery (pictures, videos, etc.). You really don’t have any clue how and when these apps would be reading these files from your phone. Nowadays every company in this world is trying to be so intelligent that they are ready to decipher an image, the content of a video, and so on, quite easily. Some pictures in your gallery would be very personal in nature, and you don’t have any clue what meanings these apps are deciphering from these pictures. Also, these could be read and then stored in their digital asset library forever (for various purposes).

I am not saying that these apps would be using these gallery items in a bad way, but if someone gets access to this content and then starts using it in an unethical manner, it’s going to be really troubling for you and me.

Recently I read (somewhere, I don’t remember where) that a popular company gave their employees (mainly in the support area) access to a huge amount of personal data along with real-time information as to where their customers travel (where they start a journey, where they end the journey, what time of day the journey took place, and so on), and then they used this information in an unethical manner for their own benefit.

The above is just one such incident, and I am sure there are many such instances out there. With more and more data available about you (with these app vendors), such misuse is bound to be a common problem going forward. Also, you have voluntarily given access to this data without much thought, and because of this you cannot raise any complaints, but I am sure this will have huge repercussions for you going forward, which you are not aware of.

Think of such negative scenarios as well when you go ahead and click on the “Allow” button on your phone going forward. I am sure there are many positive aspects to sharing this data, but over a period of time there will be many negative aspects which could haunt you.

Mind you, it’s very hard to wipe your digital signature. If you think you have clicked on a particular picture and clicked delete, this in no way means that the vendor will actually delete that picture. They could just mark that picture as “ready for delete” and just leave it.

With AI (Artificial Intelligence) and ML (Machine Learning) becoming stronger day by day, I am sure these big names in technology would want to find out why you deleted that particular image, would try to put some intelligence into it, and could then use that as a way to haunt you with something down the line.

These are just my thoughts. Yes, I might be thinking too much here… 🤓


Data, data everywhere… Prediction Two

I started this series of blogs with my concerns about the amount of data that exists today. You can read that blog here.

After that blog I put on the hat of an astrologer and started predicting… 😀. My first prediction can be read as a blog here.

Continuing my predictions, in this blog I am predicting the second thing which will become a norm going forward.

Incognito mode in the browser, as we call it today, will become the default mode…

Or everything will be disabled by default and the customer decides when to turn it on.

Again, it is not a one-time business; rather, it has to be done every time something is happening, and soon after that it goes again into disabled mode.

Very soon someone will write a cool browser extension (I haven’t searched whether there is already one such extension), and whenever a website is trying to do an A/B test on you (client side, using a known vendor which the extension knows), the extension would recognize this and give a smiley face indicating to the customer that this website is trying to test you… beware, and here are the A/B versions… website owners now feel that they are smart… this extension would make them feel otherwise by actually tweaking the A/B test which the owners of the website are looking at in anticipation…

Even if you are a male aged 50… tell the website owner you are a female aged 20 and see what comes up on the site… 😀

If browsers don’t make incognito the default… customers would be educated enough to always use incognito mode, and they will make that aspect of a browser the default… 😬

This will take many security/privacy problems away from the end user, and over a period of time such capabilities to understand the customer would be of no use. All these tests make sense only if they collect the right data… if crap data goes in… crap analysis takes place… better not use this crap data to entice the customer anymore…

Also, many of the analytics-gathering scripts would be intercepted and an adequate amount of detail given to the customer to see what exactly is happening on the client side and what exactly the website owner wants to know about you…

Just imagine someone selling something to you based on your colour, religion, looks, etc. In the real world, if a customer is judged on these aspects and then goods are sold, they can file a case against you in court, and I am sure they will surely win it before the law…

Today, without you knowing, this exact thing is happening by bucketing certain users into certain categories and then giving them offers… enticing them to buy more…

I don’t like this aspect, and I feel this would prompt customers to use the browser’s incognito mode by default… by the way, many have realized this and are already doing so… 😬

I have my next prediction coming soon… so stay tuned and subscribe to my blog… 🤓

Note: Today there are extensions which look at a particular site and list all the technologies being used. If that’s the case, finding whether an A/B testing script is injected and what the variations are will be a piece of cake. Similarly, such an extension also lists all the cool analytics scripts and can also decipher what exactly is being sent… so, things are already available to some extent…


Data, data everywhere – Prediction One

This blog is a continuation of my previous blog which can be read here.

In this blog, similar to the first one, I continue my rant and, more importantly, I predict some aspects which will become a norm going forward.

I am sure I am not the only one thinking this way… but being a blogger myself, I thought I would just offload what I have in my mind… for my own reading when I become old, so I can be proud that I once predicted this and now it’s all happening 😀.

In regard to browser applications/websites, below is my prediction number one.

At the moment, many sites ask for your permission, or rather display an attention message which says that they are using cookies to store information. This will and should be extended to other storage mechanisms like local storage, session storage, IndexedDB, and so on.

Most importantly, this will not be a one-time affair. What I mean by that is, today it is displayed just once, and when you say yes (grant permission), they (the websites) keep using that as an excuse and keep storing things in it. Today they (the websites) don’t state clearly what they are storing. Going forward I expect this will be an enforced rule: the site should convey to the user what is getting stored, and this message needs to pop up every time there is a change to any of the properties being stored in these storage mechanisms.
I am sure it might turn into a big nuisance, but some people might not mind doing this. If the website wants you to say yes to everything and permanently allow this, they will use the tactic of flooding you with such information till you say… don’t ask me for the next 1 year… it’s also important to note… every time there is a change it needs to specifically say what is getting changed, what the new and old values are, along with the reason for storing it. There should also be an option to not allow certain data if the user doesn’t give the website owner permission.

That’s too much, isn’t it… wait, this will be something which will be useful going forward. People are indeed realizing the value of privacy policies and they wouldn’t mind (according to me).
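The rule described above (every write to browser storage is disclosed with key, old value, new value and reason, and the user may refuse it) can be prototyped as a wrapper around the Web Storage API. The following is an added example, not code from the original post or from any browser vendor; it runs in Node against a constructed in-memory stand-in for `localStorage`, and the consent policy, keys and values are all made up for the illustration.

```javascript
// Added example: an audited Storage wrapper. Every attempted change is
// recorded (key, old value, new value, stated reason, allowed or not) and
// a consent callback decides whether the write goes through. In a browser
// you would pass window.localStorage instead of the MemoryStorage below.

// Minimal stand-in for the Web Storage API (constructed for this example).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
  get length() { return this.map.size; }
}

// Wraps a Storage object. askConsent(change) returns true to allow the
// write. Every change that would alter stored data is appended to `log`,
// whether or not it was allowed, so the user can always review it.
function auditedStorage(backing, askConsent) {
  const log = [];
  return {
    log,
    getItem: (key) => backing.getItem(key),
    setItem(key, value, reason = 'no reason given') {
      const change = {
        key,
        oldValue: backing.getItem(key),
        newValue: String(value),
        reason,
        allowed: false,
      };
      if (change.oldValue === change.newValue) return true; // nothing new to disclose
      change.allowed = Boolean(askConsent(change));
      log.push(change);
      if (change.allowed) backing.setItem(key, value);
      return change.allowed;
    },
    // Removals are always allowed: the user wants data gone, not kept.
    removeItem(key) {
      const oldValue = backing.getItem(key);
      if (oldValue === null) return true;
      log.push({ key, oldValue, newValue: null, reason: 'removed', allowed: true });
      backing.removeItem(key);
      return true;
    },
  };
}

// A sample consent policy (constructed): allow keys needed to keep the
// session working, refuse keys that look like tracking or ad profiling.
function denyTrackingKeys(change) {
  return !/^(track|profile|ad)_/i.test(change.key);
}

// Constructed scenario: a session key, an ad-segment key, a no-op rewrite
// of the session key, and a rotated session key.
function runScenario() {
  const store = auditedStorage(new MemoryStorage(), denyTrackingKeys);
  store.setItem('session_id', 'abc123', 'keep you logged in');   // allowed, logged
  store.setItem('ad_segment', 'male-50', 'advertising');          // refused, logged
  store.setItem('session_id', 'abc123', 'keep you logged in');   // unchanged, not logged
  store.setItem('session_id', 'def456', 'session rotated');      // allowed, logged with old/new
  return store;
}
```

A real browser would attach the policy to a dialog rather than a regex, but the shape is the same: the site states a reason, the user sees the before and after values, and the wrapper, not the site, holds the pen.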

I already have my second prediction lined up in my head. Soon I will try to offload that as well in another follow-up blog post.

Thanks for reading. Keep sending your views.

Note: I am in no way disregarding the importance of a data lake for an enterprise, in which enterprise data is aggregated and collected in one place to do various analyses in real time as well as in batch mode. My book, namely “Data Lake for Enterprises”, in fact advocates that. But I am against collecting a huge amount of data from your customers and then using it for your own gain without properly educating the customer (customer rights, in my view). If they willingly accept transferring their data (so-called privacy-related data), I am all in for that.


Data, data everywhere…feeling a bit uncomfortable

Recently one of my colleagues came to me and said that he searched for something on a popular search engine, and after that everything he did online (browsing other sites, social media, etc.) seemed to know this and started showing content similar to what he was searching for earlier.

Even though the site domains varied, other sites knew what he searched for and started showing very personalized content (yes, I do know that if you are using AdSense, Google would have already figured out what to show so that the user actually clicks on these advertisements). How is this possible? Do these sites, having different domains, share data with each other? Doesn’t the rule that a domain doesn’t share anything with another domain hold good here? Isn’t that very basic browser security?

Another colleague also once told me of a similar incident in which she was looking for a piece of furniture. She had a clear picture in mind of what she wanted. She used image search in one of the popular search engines. But unfortunately she couldn’t find what she was looking for and gave up.

A few hours later she was browsing through some of the famous social media sites and BOOM. These sites started showing exactly the image she was looking for. The exact furniture piece that she was looking for.

Do these sites sell personal data to each other and earn money… 😀.
In both incidents it can be thought of in a positive sense, whereby they indeed were getting the more relevant data that they were looking for.

BUT… they were both skeptical and fearful of how much each of those sites knows about you as a person.
Most of these sites capture so much data from you without your knowledge: the so-called behavioural data (what did you browse, when did you browse, what areas of the site you clicked, touched, even looked at), most of the data regarding your machine (which operating system, system details, etc.) and browser (which browser, version, which features are available, and so on), along with data which you have given full access to without knowing much about the privacy issues, like location.

In the near future, I am sure that these big sites can be consulted to get a person’s good conduct certificate (which sites you are visiting, at what time of day you browse, what your browsing traits are at different times, and so on). Also, looking at such data, these big sites can predict in advance whether he/she has a criminal tendency or any other such traits which are very hard to see by looking at someone’s face. For example, recently this person has started looking at some undesirable sites and has also been searching for content showing certain negative traits of a person.

This collected data never gets erased even after you die, and can still be used and linked to your children’s accounts, and even predict their behaviour and other personal characteristics. Even though I laugh while I write this, they could link parent and children’s accounts and state some characteristics of a kid much in advance. If the father shows criminal traits, the child could also show similar traits in the future… :). Sorry, I am taking this too far.

Have I started to make you think… if so, my post is a success. Let me know your views.

I am going to write a few more posts on the same topic and also predict certain things which will become a norm going forward.

You would already know about the cookie policy… 😀. Don’t laugh…

It’s just one storage mechanism in the browser… heard of local storage… session storage… IndexedDB…?

No one asks for permission when they want to write to these storage mechanisms… you yourself have already given permission for them to write onto your disk… the so-called data which they will use later on… I am not really saying it’s bad… but what’s the point of a cookie policy… these aspects also should be regulated… I guess. Just a thought…

If you would like to read some of the predictions made, please follow the links below:

For Prediction One click here.

For Prediction Two click here.

For Prediction Three click here.

For Prediction Four click here.

A thought on browsers and their tracking can be read here.


Application Security – SSO and FID

This post is in no way a comparison between SSO and FID. Theoretically both do have some similarities, but there are some core differences because of which a comparison should be deemed unfair. Having said that, when I was posed a question on OAuth, I did some research on this on the internet, and this blog is a by-product of it. The post doesn’t go into detail on any of these but just gives some important links and the relations between them. Readers can use this as a very high-level starting point in the quest to become proficient in this regard. I am still an amateur, and everything the readers say with regard to this post will be taken in a positive sense and looked at. If very good points are shared by the readers, they will be incorporated into the blog.

SSO (Single Sign-On) allows users to access multiple services using a single set of login credentials. In a true SSO, the user only has to provide credentials a single time per session, and then gains access to multiple services without having to sign in again during that session. But the term SSO is used in different places where it doesn’t mean exactly what I just said, and this can be a bit confusing. You can have your own mechanisms for signing on to different applications without the user having to sign on by explicitly providing the credentials. Application developers also call this SSO. Strictly speaking, we cannot say that they are wrong, but for a developer the term SSO can at times be a bit ambiguous because of this. Some of the commonly used configurations are (detailed in Wikipedia):

  • Kerberos based
  • Smart Card based
  • OTP token based
  • Integrated Windows Authentication
  • SAML (Security Assertion Markup Language) – an XML-based open standard using which authentication and authorization details can be passed between two parties, in particular between an identity provider (IdP) and a service provider (SP). These terms will become clearer when we explain Federated Identity (FID) in detail. Just to give you some base details, here are their definitions from Wikipedia:
    • Identity Provider (IdP), also known as Identity Assertion Provider, is responsible for issuing user identification to all the service providers on a need basis, establishing the credibility of the user interacting with their services.
    • Service Provider (SP) is a company/organization which provides various services to its customers.

Federated Identity (FID) is a place where the user stores their credentials. It can also be thought of as a means by which to connect the various identity management systems together. In FID, the user stores the credentials with the home organization/service, called the “identity provider”. When a user accesses a service, the service would ideally ask for a credential. Instead, the service provider trusts the identity provider and authenticates against it. Because of this, the user is not prompted to supply a valid credential. Google, Yahoo, etc. are some of the platforms which allow users to log in to third-party websites, applications, etc. using FID.

Now, is it right to use SSO and FID interchangeably? Theoretically it’s not wise to do so. Having said that, both do provide a means of authentication without the user having to enter credentials each time when accessing different services hosted separately. As Wikipedia states, SSO is technically a subset of FID, using which the authentication aspect of security is taken care of.

I took the direction of research and this blog post to learn more about OAuth and what it is. To explain OAuth, I had to explain to you what SSO and FID are. Now that we have a background on SSO and FID, let’s come back to the main topic I was after.

There are various technologies which are used as part of implementing FID. Along with some proprietary standards being employed, there are some well-known standards like SAML, OAuth and OpenID. Now let’s dive into each one in some detail. I could see many blogs/forums on the internet which compare SAML and OAuth. As pointed out in this Stack Overflow answer, there isn’t any similarity between the two.

    • SAML (Security Assertion Markup Language) – the base details were covered earlier. Here, we will try to expand on this in more detail. As detailed earlier, the three main parties are the principal (user), the Identity Provider (IdP) and the Service Provider (SP). This is how it all works: the user requests a service from the SP. The SP requests and obtains an identity assertion from the IdP. On the basis of this, the SP makes an access control decision which allows/denies the user access to the service which was requested. The image below is from a blog which gives a comparison between these various FID technologies which can be used.

A sample SAML use case

    • OAuth is an open standard for authorization. It provides a method by which clients access a server resource on behalf of the resource owner. This can be used by end users to authorize third-party applications/services to act on their behalf, without supplying credentials in the form of username/password. Now I think it is becoming clearer to the reader how relevant these technologies are with respect to FID. The image below is from a blog which gives a comparison between these various FID technologies which can be used.

A Sample OAuth use case

    • OpenID is again an open standard which can be used for both authentication and authorization purposes. The user in this case registers with their preferred OpenID identity provider and uses this account as a basis for signing in to other applications supporting OpenID authentication. The image below is from a blog which gives a comparison between these various FID technologies which can be used.

A Sample OpenID use case

