@UAL, Congratulations on END:VEVENT!

Wednesday, December 23, 2015 

Life’s little victories.

Starting in 2006, when UAL.com got an upgrade, they started having problems exporting events in vcal format.  They had some issues with time zone declarations that we eventually got sorted out (so many people have problems with time zones):

Ual.com now gives broken "calendar" appointments for flights.  The 
times are wrong, which seems worse than no calendar function at all.

Below is a .vcf file for a flight I will be on tomorrow.
BEGIN:VCALENDAR
PERIOD:Microsoft CDO for Microsoft Exchange
VERSION:1.0
BEGIN:VEVENT
DTSTART:20061214T001000Z
DTEND:20061214T034500Z
CATEGORIES;ENCODING=QUOTED-PRINTABLE:TRAVEL
DESCRIPTION;ENCODING=QUOTED-PRINTABLE:UA 0179=0D=0ABOS to 
SFO=0D=0ADepart: December 13 2006 at 18:10 PM (local time) 
=0D=0AArrive: December 13 2006 at 21:45 PM (local time) 
=0D=0ASeat(s): =0D=0AAPOLLO Record Locator: xxxxx
SUMMARY;ENCODING=QUOTED-PRINTABLE:Flight From BOS To SFO
PRIORITY:3
CLASS:PRIVATE
END:VEVENT
END:VCALENDAR

It is wrong.

Decoding the DTSTART: field (for example) it says:
20061214 start date, Dec 14, 2006 (correct)
T Time
001000 the "start time" (incorrect)
Z UTC (GMT time zone).

Compare with the description field, literally:
"UA 0179=0D=0ABOS to SFO=0D=0ADepart: December 13 2006 at 18:10 PM 
(local time) =0D=0AArrive: December 13 2006 at 21:45 PM (local time) 
=0D=0ASeat(s): =0D=0AAPOLLO Record Locator: xxxxx"

Aside from being formatted for minimum comprehensibility, it says the 
departure is 18:10 PM [sic, 18:10 is actually 6:10 PM, or 18:10, but 
not 18:10 PM] which is actually 02:10 GMT.  That is the start time 
_should_ read

DTSTART:20061214T021000Z

The end time is also wrong.

Also consider reformatting the description field using text/plain

Content-Type:text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

or just remove the encoding MIME types and take out the carriage 
return/line feeds.

 

That got fixed shortly after I reported it.  But then there was the continental merger and Continental’s software had a different .VCS formatting bug, they closed with “End:VEVENT End:VCALENDAR” rather than “END:VEVENT END:VCALENDAR”  – it seems like a minor issue, but it breaks importing into gcal and a lot of other calendar apps.  Outlook is so messed up it doesn’t seem to care if things are formatted correctly or not.  I first reported this in almost 2 years ago and periodically after that, finally reporting it to bugbounty@united.com at the end of October and only two months later, it is fixed!

Old way (wrong!):
 DESCRIPTION;ENCODING=QUOTED-PRINTABLE:Flight number: UAxx=0DAircraft: Boeing 747-400=0DFare class: xxxxxxxxxx (R)=0DMeal: Lunch=0DConfirmation number: xxxxx =0D=0D This information is subject to change. Sign in to your MileagePlus(r) account at united.com to view your up-to-date itinerary.=0D=0D------------------------------------------------------------=0D=0DCheck in with United beginning 24 hours before your flight:=0Dwww.united.com/travel/checkin/quickstart.aspx?irPNR=xxxxxxxx=0D=0DChoose your seats, select Economy Plus seating, view your receipt and more:=0Dwww.united.com/managereservations=0D=0DCheck flight status:=0Dwww.united.com/flightstatus=0D------------------------------------------------------------=0DFind a hotel or car for your trip...=0DSearch for a Hotel:=0Dwww.united.com/hotels=0D=0DSearch for a Car:=0Dwww.united.com/cars=0D------------------------------------------------------------=0DThank you for choosing United.=0Dwww.united.com
End:VEVENT
End:VCALENDAR

New way (correct! – even with proper indenting now):

 DESCRIPTION;ENCODING=QUOTED-PRINTABLE:Flight number: UAxx=0DAircraft: Boeing 747-400=0DFare class: United xxxxxxx (R)=0DMeal: Lunch=0DConfirmation number: xxxxxx =0D=0D This information is subject to change. Sign in to your MileagePlus® account at united.com to view your up-to-date itinerary.=0D=0D------------------------------------------------------------=0D=0DCheck in with United beginning 24 hours before your flight:=0Dwww.united.com/travel/checkin/quickstart.aspx?irPNR=xxxxxxxx=0D=0DChoose your seats, select Economy Plus seating, view your receipt and more:=0Dwww.united.com/managereservations=0D=0DCheck flight status:=0Dwww.united.com/flightstatus=0D------------------------------------------------------------=0DFind a hotel or car for your trip...=0DSearch for a Hotel:=0Dwww.united.com/hotels=0D=0DSearch for a Car:=0Dwww.united.com/cars=0D------------------------------------------------------------=0DThank you for choosing United.=0Dwww.united.com
 END:VEVENT
END:VCALENDAR
Posted at 04:05:32 GMT-0700

Category: TechnologyTravel

Signal Desktop: Probably a good thing

Tuesday, December 8, 2015 

Signal is an easy to use chat tool that competes (effectively) with What’sApp or Viber. They’ve just released a desktop version which is being “preview released/buzz generating released.”  It is developed by a guy with some cred in the open source and crypto movement, Moxie Marlinspike.  I use it, but do not entirely trust it.

I’m not completely on board with Signal.  It is open source, and so in theory we can verify the code.  But there’s some history I find disquieting.  So while I recommend it as the best, easiest to use, (probably) most secure messaging tool available, I do so with some reservations.

  • It originally handled encrypted SMS messages.  There is a long argument about why they broke SMS support on the mailing lists.  I find all of the arguments Whisper Systems made specious and unconvincing and cannot ignore the fact that the SMS tool sent messages through the local carrier (Asiacell, Korek, or Zain here).  Breaking that meant secure messages only go through Whisper Systems’ Google-managed servers where all metadata is captured and accessible to the USG. Since it was open source, that version has been forked and is still developed, I use the SMSSecure fork myself
  • Signal has captured all the USG funding for messaging systems.  Alternatives are not getting funds.  This may make sense from a purely managerial point of view, but also creates a single point of infiltration.  It is far easier to compromise a single project if there aren’t competing projects.   Part of the strength of Open Source is only achieved when competing development teams are trying to one up each other and expose each other’s flaws (FreeBSD and OpenBSD for example).  In a monoculture, the checks and balances are weaker.
  • Signal has grown more intimate with Google over time.  The desktop version sign up uses your “google ID” to get you in the queue.  Google is the largest commercial spy agency in the world, collecting more data on more people than any other organization except probably the NSA.  They’re currently an advertising company and make their money selling your data to advertisers, something they’re quite disingenuous about, but the data trove they’ve built is regularly mined by organizations with more nefarious aims than merely fleecing you.

What to do?  Well, I use signal.  I’m pretty confident the encryption is good, or at least as good as anything else available.  I know my metadata is being collected and shared, but until Jake convinces Moxie to use anonymous identifiers for accounts and message through Tor hidden nodes, you have to be very tech savvy to get around that and there’s no Civil Society grants going to any other messaging services using, for example, an open standard like a Jabber server on a hidden node with OTR.

For now, take a half step up the security ladder and stop using commercial faux security (or unverifiable security, which is the same thing) and give Signal a try.

Maybe at some later date I’ll write up an easy to follow guide on setting up your own jabber server as a tor hidden service and federating it so you can message securely, anonymously, and keep your data (meta and otherwise) on your own hardware in your own house, where it still has at least a little legal protection.

 

Posted at 10:21:22 GMT-0700

Category: PositivePrivacyReviewsSecurityTechnology